MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59aaeb22618c772877612d56e850fadbe0f8e929aa14b7922de7afef3eb7be96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59aaeb22618c772877612d56e850fadbe0f8e929aa14b7922de7afef3eb7be96
SHA3-384 hash: f2714317677f2f5b3d3680556ceb4643a59534e39c40062ef2eac79e098861e63f455ab33bd852bff6510c641960ece6
SHA1 hash: 9b7790f990a8dbcff01f81a754c5b3b4ec2c52f9
MD5 hash: bbe72c8d0a9c597fb116a040f06255af
humanhash: mexico-white-fifteen-comet
File name:bbe72c8d0a9c597fb116a040f06255af
Download: download sample
Signature Formbook
Create hunting rule
File size:189'440 bytes
First seen:2021-09-23 13:26:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 1536:wmFJmCM3YBMTTT5zCrDLpXDpRoQ5d6n3l78NZPm5X9:BFJmCM3YBMTT6LpTpR/5QF9
Threatray 9'564 similar samples on MalwareBazaar
TLSH T1ED04AB78FDFF6A85C250DE3A666DB05A52E19C18CE8B433BE0D472A47E30DC81A4651F
File icon (PE):PE icon
dhash icon 10808c9c8c869810 (3 x a310Logger, 2 x Formbook, 2 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bbe72c8d0a9c597fb116a040f06255af
Verdict:
Malicious activity
Analysis date:
2021-09-23 13:30:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/81693dc5-33ae-47dc-b6c5-226dc84f626a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190770/
Detection(s):
SecuriteInfo.com.ArtemisBBE72C8D0A9C.480.21396.UNOFFICIAL
Create hunting rule

Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d19425dd-9a4d-483c-ab83-37bc00fd5a36
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856558
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488991 Sample: sS21qH5A7W Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 36 www.onlinerebatemall.com 2->36 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 5 other signatures 2->60 11 sS21qH5A7W.exe 15 5 2->11         started        signatures3 process4 dnsIp5 38 cdn.discordapp.com 162.159.135.233, 443, 49738 CLOUDFLARENETUS United States 11->38 30 C:\Users\user\AppData\...\sS21qH5A7W.exe, PE32 11->30 dropped 32 C:\Users\...\sS21qH5A7W.exe:Zone.Identifier, ASCII 11->32 dropped 34 C:\Users\user\AppData\...\sS21qH5A7W.exe.log, ASCII 11->34 dropped 68 Writes to foreign memory regions 11->68 70 Allocates memory in foreign processes 11->70 72 Injects a PE file into a foreign processes 11->72 16 sS21qH5A7W.exe 11->16         started        19 sS21qH5A7W.exe 11->19         started        file6 signatures7 process8 signatures9 40 Modifies the context of a thread in another process (thread injection) 16->40 42 Maps a DLL or memory area into another process 16->42 44 Sample uses process hollowing technique 16->44 46 Queues an APC in another process (thread injection) 16->46 21 explorer.exe 16->21 injected 48 Multi AV Scanner detection for dropped file 19->48 50 Machine Learning detection for dropped file 19->50 52 Tries to detect virtualization through RDTSC time measurements 19->52 process10 process11 23 msiexec.exe 21->23         started        signatures12 62 Self deletion via cmd delete 23->62 64 Modifies the context of a thread in another process (thread injection) 23->64 66 Maps a DLL or memory area into another process 23->66 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59aaeb22618c772877612d56e850fadbe0f8e929aa14b7922de7afef3eb7be96/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 08:54:44 UTC
AV detection:
14 of 27 (51.85%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
091230bdb21752192badda687f5def8c29d988ddab761901ed5c6594062c1e9d
Formbook
475032f04ff405e24ecc5e2a93fb9c0c5fc037cc59e06b1772a8e60bc2dcadd1
Formbook
4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7
Formbook
6bb272687077dd72fd43ff97e4883a202c4a041cccf94b6df1876820d69418f3
Formbook
818b8b831f3c774e034e2794f1eae71f62f5388355916e948b472cfdac7f5508
Formbook
8bb3e6cace7598576464639d7f88d0c4d55919b2e110a341df89a1569ae0d5b7
Formbook
984ad48db84dccbf4d978f50b0cad2c0f2eb4a256cc5f3b470facf3e411283ae
Formbook
9da4d8126ac0c4c0b68066407e24cf1a36e06f0fc22ef87b0a464f90c1374095
Formbook
a56e9e3fc6d7b412b1e9cf5dff739358849779b3c80df268ade3d9da79bd5da5
Formbook
d9cc0ba64d20a3a60f1580c74ff1269f5b545a0abf23362cbc678b12057a6cf3
Formbook
+ 9'554 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o4ms rat spyware stealer trojan
Link:
https://tria.ge/reports/210923-qp4qfaedcp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nocodehost.com/o4ms/
Unpacked files
SH256 hash:
59aaeb22618c772877612d56e850fadbe0f8e929aa14b7922de7afef3eb7be96
MD5 hash:
bbe72c8d0a9c597fb116a040f06255af
SHA1 hash:
9b7790f990a8dbcff01f81a754c5b3b4ec2c52f9
Link:
https://www.unpac.me/results/acd93fe4-ba0d-473e-a39c-f3462fbf0bc6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/59aaeb22618c772877612d56e850fadbe0f8e929aa14b7922de7afef3eb7be96

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 59aaeb22618c772877612d56e850fadbe0f8e929aa14b7922de7afef3eb7be96

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1640872/
Cape
Cape
https://www.capesandbox.com/analysis/190770/

Comments


Avatar
zbet commented on 2021-09-23 13:26:16 UTC

url : hxxp://52.58.97.51/T67/F2/Product_Specifications_Details_723312_RFQ.exe