MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5915848dc0c0e2e649fdc29ed1d3270ec15b78493e9ca9debf5e85a090e533b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	5915848dc0c0e2e649fdc29ed1d3270ec15b78493e9ca9debf5e85a090e533b6
SHA3-384 hash:	ad0c1e7513ce64f21e5e5094ae784f607121c8c171f3acc3e62cad31bb2141e8d332cf86adf19794094a2cb50b1557e4
SHA1 hash:	d458ec61cf889f24941e013e79d7df92d8aede4d
MD5 hash:	6763df1374c8c8d4d6b087fffa2553c6
humanhash:	failed-seventeen-low-don
File name:	SecuriteInfo.com.Trojan.PackedNET.541.891.9954
Download:	download sample
Signature	Formbook Create hunting rule
File size:	634'880 bytes
First seen:	2021-02-15 23:56:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:pUMDCvxGbhtIR1sE88xq4iSWrap4Pz94P:FCpGMvsp8Wvra
Threatray	3'765 similar samples on MalwareBazaar
TLSH	68D4D07333D8EBA9E17E9379D025154053F1B617EB21DB8DBDA410CE4A66FC182A2783
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

POSign Contract.xlsx

Verdict:

Malicious activity

Analysis date:

2021-02-15 19:46:56 UTC

Tags:

encrypted trojan exploit CVE-2017-11882 loader formbook stealer

Link:

https://app.any.run/tasks/45e98247-e017-4e4f-af44-19e008cc0993

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/117263/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.541.891.9954.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/608524

Signature

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/5915848dc0c0e2e649fdc29ed1d3270ec15b78493e9ca9debf5e85a090e533b6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-15 12:11:47 UTC

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

0db69eb6654d1090cb17ab58537a7304e2c269613c0edabf123cf230d289db73

Formbook

0fbe3e570e7074462b9c44528e6a1a3e9a4d02775acf4e9877f4f3ac87cdbd2e

Formbook

170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d

Formbook

1ec5aeccf89c5d7a378e443e742e37f05a2aa7cb71150ee0ca4876c6b37d7b4d

Formbook

b8392aaf409d89fe323576fdf09bf3320094962da9812918d23bb47b3d8d53f8

Formbook

d68888aa1e155ac65bd1ddabcf05f61bfff65f79a11cc0ee099200c3da8c5d35

Formbook

d8ae48ff83b31d072c1a9d988660e2a0be125aa9373a4adb1dd807d0fea4ebe5

Formbook

e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974

Formbook

f09416ef7aaab2c43c62ef77bb69c005ec4a57d4051586f5e7d8571e74fee41c

Formbook

+ 3'755 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210215-effxq6f97n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.paeonystore.com/kre/

Unpacked files

SH256 hash:

b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c

MD5 hash:

5e732e4265622675313195dead01047e

SHA1 hash:

359c710a93c2f58cdc2a45de8dd48a6884a70645

Link:

https://www.unpac.me/results/b2e84959-521e-4abd-8167-febd31420812/

SH256 hash:

5915848dc0c0e2e649fdc29ed1d3270ec15b78493e9ca9debf5e85a090e533b6

MD5 hash:

6763df1374c8c8d4d6b087fffa2553c6

SHA1 hash:

d458ec61cf889f24941e013e79d7df92d8aede4d

Link:

https://www.unpac.me/results/b2e84959-521e-4abd-8167-febd31420812/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5915848dc0c0e2e649fdc29ed1d3270ec15b78493e9ca9debf5e85a090e533b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time