MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5955bf6676d1f4d7e9e12f2201674381535d24bd88bd480feda425839841ecaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5955bf6676d1f4d7e9e12f2201674381535d24bd88bd480feda425839841ecaf
SHA3-384 hash: dccc2c95fb34607ce7a029f373030252a679a3f073565ba15a4d2c71d5da9661bb5b0a07beb2e3155de88c46f81656e6
SHA1 hash: 44304389172aa73a1d87c3e2cf969b349d192648
MD5 hash: 82d9399220654cb33ce6042db6d7780c
humanhash: fruit-october-uncle-lake
File name:SecuriteInfo.com.W32.MSIL_Kryptik.FDZ.genEldorado.19111.18856
Download: download sample
Signature Formbook
Create hunting rule
File size:492'424 bytes
First seen:2021-08-11 14:08:38 UTC
Last seen:2021-08-11 14:47:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:SQ4KwNT/wNECFZfZTsEmRx8GCSD3vUh5Biq53tue:r4KaYymhtmRLUhfJ530e
Threatray 7'737 similar samples on MalwareBazaar
TLSH T155A401A3B608A4CBED6A57F25977EA3219637D65A6B0022D705EF3161BB33424017F0F
dhash icon cc92928282c282a2 (1 x Formbook, 1 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New & Revised RFQ (August-20212).xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-11 10:28:45 UTC
Tags:
encrypted exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/635673eb-1916-41cf-8182-f756f9d0c9be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178293/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.FDZ.genEldorado.19111.18856.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35f4469b-baa5-4fd9-b72f-ea6a8375f17e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/831027
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5955bf6676d1f4d7e9e12f2201674381535d24bd88bd480feda425839841ecaf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 11:19:10 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
108cc18c30a306c9fcd29d6d587cee73e18ccabbda0cb669b513a22b300d3a1d
Formbook
3e23bf4937349c5f5cf233e30658562fca94d58790ebbe693e176fb595fb0b34
Formbook
59ced73cabf35385aaedb67d1b0cd813cc16f5f8e056add78cf50f3abc28351a
Formbook
66c88e666d6a8c03122b527176a9ee1b5b9e24a2aa5a49563e242be179760228
Formbook
94b5ba8b9cf0c9b6d3e790aadc37b8afb3099af0d151761d5c7196dd6fb81539
Formbook
9ce9e41c146be2b9aecbed6e14d9c4fa9d69d6b51038ba27782d08a432c8c95d
Formbook
abb1db77386f0eb3cd2c68603ee8817d6d1015287422182845345dad70503564
Formbook
b0762ca49381026932f488d2a816a18639c410ba45f456014861ac66b9b3f4e6
Formbook
bb9ba507dcfe191724f459ded8009edfa46481b2e244827354116f1734a52a9c
Formbook
+ 7'727 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:q6fg loader rat
Link:
https://tria.ge/reports/210811-j1x3b7tles/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.sweetmissy.net/q6fg/
Unpacked files
SH256 hash:
0a8afbf3baea4da05b0b8315bbd06a615cfef55b2f5bc4f546369b7bff40c41c
MD5 hash:
c552dbbe82b1b888a5bdf8532e528a66
SHA1 hash:
1bc2cd6f257c4d278d6c10cfcfd1d997652b1333
Link:
https://www.unpac.me/results/d3207c87-ded8-4b63-8079-589d5f612a30/
SH256 hash:
0bdbcaa19feac18697615a0f7e3296f6238b4901ba6d815c23848947b15e7285
MD5 hash:
6b3647b972d3377301162a882d3b6ba7
SHA1 hash:
a231ac55536d189de3936fbef6689fbe5e61999a
Link:
https://www.unpac.me/results/d3207c87-ded8-4b63-8079-589d5f612a30/
SH256 hash:
8df9a87f46e7e6dd282aeada7833f371d82efe3905e69bde9242fd27b3f50858
MD5 hash:
85d5c90045886538a428f70837548190
SHA1 hash:
8e2b09cfbd2b3d8fa981495f55dd9cd746a5f15a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d3207c87-ded8-4b63-8079-589d5f612a30/
SH256 hash:
5955bf6676d1f4d7e9e12f2201674381535d24bd88bd480feda425839841ecaf
MD5 hash:
82d9399220654cb33ce6042db6d7780c
SHA1 hash:
44304389172aa73a1d87c3e2cf969b349d192648
Link:
https://www.unpac.me/results/d3207c87-ded8-4b63-8079-589d5f612a30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/5955bf6676d1f4d7e9e12f2201674381535d24bd88bd480feda425839841ecaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5955bf6676d1f4d7e9e12f2201674381535d24bd88bd480feda425839841ecaf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1524624/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/178293/

Comments