MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4
SHA3-384 hash: 642fea5807c44791c6e52362ab7ed10151df0d4ea8ee284a21b67b26d954066557ff32c136f7d915c96c995e8048ebf7
SHA1 hash: b28f29e87fe4b79bc87fe860d21a16780d31069c
MD5 hash: a75dd7431fff6664e2a12263881315ef
humanhash: blossom-california-solar-xray
File name:a75dd743_by_Libranalysis
Download: download sample
Signature Formbook
Create hunting rule
File size:262'144 bytes
First seen:2021-04-30 14:01:37 UTC
Last seen:2021-05-05 10:57:39 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:5EIPXIpj8zmxRgtkkGPUcWwvWjkxKGiaeXPMLoVF1q:5E9pjPxSNGJ7xKGdEVf
Threatray 4'888 similar samples on MalwareBazaar
TLSH DB4412963290C473DE3A22300E7967E3E2F6DE115AA50647377873CA6D33AC2950F597
Reporter Libranalysis
Tags:FormBook


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
3
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147486/
Detection(s):
SecuriteInfo.com.Trojan.Loader.784.17289.5012.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4/
Threat name:
Win32.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 14:02:18 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=meqcsq3amko2gpgw7cl54fsacms34evoftm5zqbyk7ph4c2pstsa._file
Verdict:
malicious
Similar samples:
00723545fff6ce259e729f8f1f9c7129e0d667502f94ef137bbbd9642ced4cc0
Formbook
024c67bdc81850f0d4acf648be1016358c78e21a74dbde96b0d753cffd76ffa7
Formbook
1c65b99765a161415ec44f5a6071e5c28e2a2b641e99061af07c9d34413ad5e8
Formbook
2080ae2cfe843c0e1754f994b356086718dd6dceedf974ca37b629fb4da817a6
Formbook
4219d83b725625bc780dbf37cb794fb68b289697d37372ba44a496af27bc7827
Formbook
5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Formbook
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
Formbook
96beadd4f79febff926c6b5071aad39d09f0a1c9d9810317d38d7ed95ce1559a
Formbook
d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f
Formbook
fbd84cb8e6af7a001f186ce8bde8bd4cb163a77113b6cee0342b148fbaf2b386
Formbook
+ 4'878 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook macro rat spyware stealer trojan xlm
Link:
https://tria.ge/reports/210430-mxzqewnhls/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.111bjs.com/ccr/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Microsoft Software Installer (MSI) msi 6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1185044/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/147486/

Comments