MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6164b2ec2fb35d3d23436b32a695beb72917b2fdc58b3191e2d9a83e2caac810. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6164b2ec2fb35d3d23436b32a695beb72917b2fdc58b3191e2d9a83e2caac810
SHA3-384 hash: 56752f62499e4b2b2d4f6bac2ab18d1ef53d1e91bca66bcb1fde1c835e570260e24eeac5425d5099e7a9548c4a352f65
SHA1 hash: ab944ab0fcc777be29c2bd38057cdffbed31685e
MD5 hash: a61dd697d5cb556a810859ea39431f89
humanhash: oregon-alaska-november-whiskey
File name:ANSI 标准阀门要求和报价详情.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'606'144 bytes
First seen:2021-07-15 05:41:21 UTC
Last seen:2021-07-15 06:44:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:3Co2vCM808C5SWpBiu4R9wcc43cH9i2U6GH:SoC85EnpBiV718FG
Threatray 6'448 similar samples on MalwareBazaar
TLSH T13B758E3EAA682AABE73FD17445830014F4BD89DA36314CD746C73588666D9027EEF36C
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ANSI 标准阀门要求和报价详情.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-15 05:43:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e70f0d6-c9aa-453a-ba52-bc23a10f47fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171858/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.12572.16347.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d3e34777-9d9b-4087-b962-068c98f51d09
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816664
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449075 Sample: ANSI #U6807#U51c6#U9600#U95... Startdate: 15/07/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 5 other signatures 2->42 10 ANSI #U6807#U51c6#U9600#U95e8#U8981#U6c42#U548c#U62a5#U4ef7#U8be6#U60c5.exe 3 2->10         started        process3 file4 28 ANSI #U6807#U51c6#...U8be6#U60c5.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 ANSI #U6807#U51c6#U9600#U95e8#U8981#U6c42#U548c#U62a5#U4ef7#U8be6#U60c5.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.ghost1ksa.com 172.67.215.56, 49725, 80 CLOUDFLARENETUS United States 17->30 32 pariscod.com 45.130.231.65, 49724, 80 AS-HOSTINGERLT Germany 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 colorcpl.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6164b2ec2fb35d3d23436b32a695beb72917b2fdc58b3191e2d9a83e2caac810/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 05:42:05 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfslf3bpwnot2i2dnmzknfn6w4urpmx5ywftdepc3gud4lfkzaia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1fc7c86df7aa45224f6c8f4a94513663dfe77dc79603a0c1325736c376aa68e2
Formbook
25644ff35da89545c702b633182c4ff1f649dd64c9c8249be9afe7090359d87d
Formbook
311c2667d094e51f0ad2596333a243ca6296d25c07223abf95af0256ed7aeb97
Formbook
3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461
Formbook
473ec4f2b7a198ff36e66b86cbc05848883b4dffeaacb8b9c97e67e88e977986
Formbook
6e71e82dcb056af810baae26909b712ec2dc1610bbf8ebbee00b62f9bb2b3189
Formbook
c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c
Formbook
d869fa27fd5d5a229609f218572f1625820cb8176ba6c1616714e40d4e6b7897
Formbook
eb3f64ec577c51957dfd0c55a431209e947c281c3a2a1f2d8514666530a0e608
Formbook
+ 6'438 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210715-xv1fjeqtme/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
c4acfbab042fc79ae2dd1d90f0d4769437c83b93507fef8095fff44c5c807647
MD5 hash:
cc99435f5a8adf19e4dc5e7251f7393a
SHA1 hash:
1e9b0c20d4a9901b33c4f3290a17b7222440a3f6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4ad9a033-ec66-4416-a7e1-bf7db0559101/
Parent samples :
473ec4f2b7a198ff36e66b86cbc05848883b4dffeaacb8b9c97e67e88e977986
1fc7c86df7aa45224f6c8f4a94513663dfe77dc79603a0c1325736c376aa68e2
6e71e82dcb056af810baae26909b712ec2dc1610bbf8ebbee00b62f9bb2b3189
311c2667d094e51f0ad2596333a243ca6296d25c07223abf95af0256ed7aeb97
6164b2ec2fb35d3d23436b32a695beb72917b2fdc58b3191e2d9a83e2caac810
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/4ad9a033-ec66-4416-a7e1-bf7db0559101/
SH256 hash:
6164b2ec2fb35d3d23436b32a695beb72917b2fdc58b3191e2d9a83e2caac810
MD5 hash:
a61dd697d5cb556a810859ea39431f89
SHA1 hash:
ab944ab0fcc777be29c2bd38057cdffbed31685e
Link:
https://www.unpac.me/results/4ad9a033-ec66-4416-a7e1-bf7db0559101/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/6164b2ec2fb35d3d23436b32a695beb72917b2fdc58b3191e2d9a83e2caac810

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6164b2ec2fb35d3d23436b32a695beb72917b2fdc58b3191e2d9a83e2caac810

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/171858/

Comments