MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b7a19549c692c5dfec51bc6ddc8826132706ab03336321ccec6e02182d9d35e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b7a19549c692c5dfec51bc6ddc8826132706ab03336321ccec6e02182d9d35e
SHA3-384 hash: c95f5e13147b2be47822fbf1d8737c5aa29c6f49e1fa47b26dd954e101ac5a39c46ddb99530c39eaf9dcacca11d95fde
SHA1 hash: 238adb0a18b2c7f9849b84e1f1942f543b04d5b4
MD5 hash: c56b8a7c42b645067c9674587eb6bfe8
humanhash: uranus-bacon-princess-carbon
File name:c56b8a7c42b645067c9674587eb6bfe8.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:78'240 bytes
First seen:2021-04-01 06:42:09 UTC
Last seen:2021-04-01 09:54:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 768:kZ7IUn8Y08A9uAu50iecYx2gW/4xRJEIsAkUp2mpMhfnoGfl4Gflvx/FIwJGun5M:Q1nR08+uAuBRYUcJEIsAjp1M3u
Threatray 4'582 similar samples on MalwareBazaar
TLSH 4273A4E85E560AF7D56DFA309083108EA238E1B338DC5A67719752CBC98E7837DD016E
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Urgent PO.doc__.rtf
Verdict:
Malicious activity
Analysis date:
2021-04-01 06:18:21 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/a2c40ca0-a9b9-4922-9e56-c7a55772f33c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/130472/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.151.5086.5476.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Sending a UDP request
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Blocking the User Account Control
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661752
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 379810 Sample: YACMsbiUa3.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 100 47 www.carolinaepatrick.com 2->47 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 4 other signatures 2->69 11 YACMsbiUa3.exe 17 8 2->11         started        signatures3 process4 dnsIp5 53 asdcqwdwqx.gq 172.67.160.253, 49711, 80 CLOUDFLARENETUS United States 11->53 45 C:\Users\user\AppData\...\0asp13zx.newcfg, XML 11->45 dropped 79 Adds a directory exclusion to Windows Defender 11->79 81 Tries to detect virtualization through RDTSC time measurements 11->81 83 Hides threads from debuggers 11->83 85 Injects a PE file into a foreign processes 11->85 16 YACMsbiUa3.exe 11->16         started        19 WerFault.exe 23 9 11->19         started        22 cmd.exe 1 11->22         started        24 powershell.exe 26 11->24         started        file6 signatures7 process8 file9 55 Modifies the context of a thread in another process (thread injection) 16->55 57 Maps a DLL or memory area into another process 16->57 59 Sample uses process hollowing technique 16->59 61 Queues an APC in another process (thread injection) 16->61 26 explorer.exe 16->26 injected 43 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->43 dropped 30 conhost.exe 22->30         started        32 timeout.exe 1 22->32         started        34 conhost.exe 24->34         started        signatures10 process11 dnsIp12 49 www.gardenstatemask.com 74.117.219.199, 49741, 80 DNC-HOLDINGS-INCUS Cayman Islands 26->49 51 www.maxiang.cool 26->51 77 System process connects to network (likely due to code injection or exploit) 26->77 36 colorcpl.exe 26->36         started        signatures13 process14 signatures15 71 Modifies the context of a thread in another process (thread injection) 36->71 73 Maps a DLL or memory area into another process 36->73 75 Tries to detect virtualization through RDTSC time measurements 36->75 39 cmd.exe 36->39         started        process16 process17 41 conhost.exe 39->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b7a19549c692c5dfec51bc6ddc8826132706ab03336321ccec6e02182d9d35e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ln5bsve4newf37wfdpdn3secmezha2vqgm3dehgoy3qcdawz2npa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05c3b01f3f582815a9a5c99845273306a23302342adf5215c7fb817e963cc4e0
Formbook
201af2ab950f9aefa7da227b0efdfe0bc005ca77c9ab0284549b081cced51e52
Formbook
248763ed0956ab7ba4cd1df4c42984aca70296051e847f3c623b66efbc04fd21
Formbook
29f2ebfc9928fcb053f9c6fb9e2bdd9db39d8a17cb7859502e8e4aa66de00526
Formbook
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
Formbook
4d7785dcd99beca572613788bc8b0713ddda6da0c8df321b1402bc38e6880f88
Formbook
695ab247db659d0c2d9cc11593b3670fd8103deda2134c021000671282245f08
Formbook
92737036f323b1c72064c1e8038a942266435048a3ce4847f7e5b29558376c1c
Formbook
9dac57302e2261a1a3c6a665d3960525b27fb70a1fd6b1e135a3e72f11c6f3e6
Formbook
d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
Formbook
+ 4'572 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/210401-jqy84pfr22/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Windows security modification
Formbook Payload
Formbook
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
http://www.localmarketingaiagency.com/pgr/
Unpacked files
SH256 hash:
5b7a19549c692c5dfec51bc6ddc8826132706ab03336321ccec6e02182d9d35e
MD5 hash:
c56b8a7c42b645067c9674587eb6bfe8
SHA1 hash:
238adb0a18b2c7f9849b84e1f1942f543b04d5b4
Link:
https://www.unpac.me/results/32c46018-7e33-4e77-ad99-ac96d3b41ced/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b7a19549c692c5dfec51bc6ddc8826132706ab03336321ccec6e02182d9d35e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5b7a19549c692c5dfec51bc6ddc8826132706ab03336321ccec6e02182d9d35e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/130472/
  
URLhaus
https://urlhaus.abuse.ch/url/1100885/
  
Delivery method
Distributed via web download

Comments