MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e8297dde5b002b5304bf70d6e33db9bbd40cda37f0e02edaddd732657f6ac32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e8297dde5b002b5304bf70d6e33db9bbd40cda37f0e02edaddd732657f6ac32
SHA3-384 hash: b22a274b2832dfd370b2f933d9b46b81f053fa8d5ebb6548486892acd88f8fbe712500832d6d0ecb151483dd81f5d06a
SHA1 hash: 24c106b5ba46a5fa6b9678ab589c46ba240bf1dd
MD5 hash: dcd1fabcaca16d74b82cc1361dda03ec
humanhash: lactose-nineteen-august-bravo
File name:dcd1fabcaca16d74b82cc1361dda03ec.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:809'984 bytes
First seen:2021-06-23 18:57:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:4JZaF9GF2tNdJRx/oNZFSfQVHs3mYxrvz+nPrfZM5EsO9hrwoGgnHJh1A0:bjpto7/hsW8wq5EsiM9gHNA0
Threatray 2'840 similar samples on MalwareBazaar
TLSH 3C05E0202AEE501DF173AF795EF471D696BFB7233B06D85D2451038E4B23A42CE9193A
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dcd1fabcaca16d74b82cc1361dda03ec.exe
Verdict:
Malicious activity
Analysis date:
2021-06-23 19:01:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4b8034a0-2017-4857-86a0-5515ccba39d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d183732-bda4-41dd-80e1-ef09825871c9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806817
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e8297dde5b002b5304bf70d6e33db9bbd40cda37f0e02edaddd732657f6ac32/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 09:57:00 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2bjpxpfwablkmcl64gw4m63to6ubtndp4haf3nn3vzsmv7wvqza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
201af2ab950f9aefa7da227b0efdfe0bc005ca77c9ab0284549b081cced51e52
Formbook
29f2ebfc9928fcb053f9c6fb9e2bdd9db39d8a17cb7859502e8e4aa66de00526
Formbook
4d7785dcd99beca572613788bc8b0713ddda6da0c8df321b1402bc38e6880f88
Formbook
53e1c28059f751b2b8ba98d5c6adcf3e028f3d2953d5355d452dfd30f0830af0
Formbook
5b7a19549c692c5dfec51bc6ddc8826132706ab03336321ccec6e02182d9d35e
Formbook
82de7428f30e703ae55105807dd3c3c19e2f8a377e7a5c2b925537a182d3a886
Formbook
92737036f323b1c72064c1e8038a942266435048a3ce4847f7e5b29558376c1c
Formbook
931959c2c56185581ab2639948e3e207c5cb3c1e1c0225567c31f03a5b39e65d
Formbook
9c1d6191badf084113871feba0049fac8a2bb5761136877383579cdcf7cd781a
Formbook
e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267
Formbook
+ 2'830 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/210623-fn4ncadk7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.yellow-wink.com/nff/
Unpacked files
SH256 hash:
cefb4fa9d8f118ece98e8e9da00644e3d086058903f64721335b513af69b0892
MD5 hash:
7413d26f5700cfee7acdf5c6f5c5d89c
SHA1 hash:
05906b80d83de78d0bee721893f69be0ceb608a9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a5b46118-aeb1-405b-9ca3-08a6148c15fd/
Parent samples :
e65ddcb1e8d85b5d13ab1aaf5d9747feea1e3e442ed82773640d740627f4d7ca
55d713c0259fec5f0e64aa9f01d63ee1db90b60960e3b61b11e36bf1cd0fd2f1
5e8297dde5b002b5304bf70d6e33db9bbd40cda37f0e02edaddd732657f6ac32
a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399
a53a4c82477eada893191662cf4ab4b3f44d1da7cae9ea8a7de3f859a424292b
e2c11a82ce76ab32b7033c6d47081c6c44fe2288211fe0af6202f3333196cbe6
SH256 hash:
cb5d6b390040cf0cd53945aa49c6853b2270a2ce1a7c67d2ddf9cb3bf1313757
MD5 hash:
eca03d23aabf2c8e73ac9c504788a42a
SHA1 hash:
629045c7b779f9f8b2acbe3e3a923c67d8a85341
Link:
https://www.unpac.me/results/a5b46118-aeb1-405b-9ca3-08a6148c15fd/
SH256 hash:
06306e33b7e10429759ab8c42e31e9eb8edbd76c4f1a792a5c231a57876ea338
MD5 hash:
5bdd03077864d32db51b085294859f68
SHA1 hash:
70392a93a4c8be2377915fd6e6d3e7a3a9600adf
Link:
https://www.unpac.me/results/a5b46118-aeb1-405b-9ca3-08a6148c15fd/
SH256 hash:
5e8297dde5b002b5304bf70d6e33db9bbd40cda37f0e02edaddd732657f6ac32
MD5 hash:
dcd1fabcaca16d74b82cc1361dda03ec
SHA1 hash:
24c106b5ba46a5fa6b9678ab589c46ba240bf1dd
Link:
https://www.unpac.me/results/a5b46118-aeb1-405b-9ca3-08a6148c15fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e8297dde5b002b5304bf70d6e33db9bbd40cda37f0e02edaddd732657f6ac32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 5e8297dde5b002b5304bf70d6e33db9bbd40cda37f0e02edaddd732657f6ac32

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1390689/
  
Delivery method
Distributed via web download

Comments