MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 638394ba0aa51689488ddd944d4b358f02fde988c65842110bdc089e04e9f138. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 638394ba0aa51689488ddd944d4b358f02fde988c65842110bdc089e04e9f138
SHA3-384 hash: 9aedf2c3a499c58edcdc825e0721b37d7ea7ff02effa42fe3b0ce9c623cfdf4324c7f66d5e312f203cc28c394bf45066
SHA1 hash: 8bd76892daa48782a8571491ed299477d150bbf1
MD5 hash: f6f1800d0147b3bbc7b32048e4da21d2
humanhash: zebra-december-georgia-ink
File name:f6f1800d0147b3bbc7b32048e4da21d2
Download: download sample
Signature Formbook
Create hunting rule
File size:719'872 bytes
First seen:2021-09-30 16:01:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:YJnnbQ+X8+UiDLbRHahlUBlNgfFq4Nw8PYzSEvnvTl9Dn14V3qX5rpEhY:ybQ+X8+UiDLbRHahlU/Noq4Nwzx32Vwo
Threatray 9'777 similar samples on MalwareBazaar
TLSH T17FE48B54F11CD2B9FE0822B1263DFCD815F82EA8147DF91BBA97B1E224B9E3154B0197
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f6f1800d0147b3bbc7b32048e4da21d2
Verdict:
Suspicious activity
Analysis date:
2021-09-30 20:57:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5bd3ecd5-ad16-4e1f-9300-e7edc68f5fc4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193737/
Detection(s):
SecuriteInfo.com.Variant.Fonctuzim.1.13267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ed68079-ba8e-4d1d-8266-185a9c49d82e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862064
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494492 Sample: 7ZU9e28pVT Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 32 www.getmorevacations.com 2->32 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 11 7ZU9e28pVT.exe 3 2->11         started        signatures3 process4 signatures5 60 Tries to detect virtualization through RDTSC time measurements 11->60 62 Injects a PE file into a foreign processes 11->62 14 7ZU9e28pVT.exe 11->14         started        17 7ZU9e28pVT.exe 11->17         started        19 7ZU9e28pVT.exe 11->19         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 21 explorer.exe 14->21 injected process8 dnsIp9 34 a.mb.cn 8.212.24.67, 49831, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 21->34 36 www.kangrungao.com 21->36 38 www.gvlc0.club 21->38 48 System process connects to network (likely due to code injection or exploit) 21->48 50 Uses netsh to modify the Windows network and firewall settings 21->50 25 netsh.exe 21->25         started        signatures10 process11 signatures12 52 Self deletion via cmd delete 25->52 54 Modifies the context of a thread in another process (thread injection) 25->54 56 Maps a DLL or memory area into another process 25->56 58 Tries to detect virtualization through RDTSC time measurements 25->58 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/638394ba0aa51689488ddd944d4b358f02fde988c65842110bdc089e04e9f138/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-30 14:49:52 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
Formbook
807ddfd4b164d8e8bb8e0fdc0976db33ae55b021aa7917848a35963c6a4846aa
Formbook
972f5e016ffc306524d7083a5a5058ba8b5fc60f3db9f3c0915db59c0523a487
Formbook
9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3
Formbook
a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83
Formbook
b11a7103f96fb02a8df7ad0e821f0083f48f56cc38df47d8573f39c0d4a19235
Formbook
d2d6a8c31acdd92eb9a005e2fac8838a382ab0425fc01bc88616bda185ab7b4c
Formbook
dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c
Formbook
e14df53adff2889344d4502133a00a389e06039715c26a7724ed3f046fc683a1
Formbook
eca9be257354d26e49e1b03d1b8d42228cf66b5ee1b1236afad3c348da43c48b
Formbook
+ 9'767 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:vngb rat spyware stealer trojan
Link:
https://tria.ge/reports/210930-tgsjzsabgm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.gvlc0.club/vngb/
Unpacked files
SH256 hash:
30bff6ba90d2c7fc2ac3ccea91114e065fdefe50ad6fe6ef138474b97f9a239c
MD5 hash:
1a5dcd16664deb20e8c611b2ba5c29d1
SHA1 hash:
97f2a1160cb5735136947807dc563fb1a2d2928c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/55603d5d-d102-4159-8b21-9c0e6531a165/
Parent samples :
e14df53adff2889344d4502133a00a389e06039715c26a7724ed3f046fc683a1
638394ba0aa51689488ddd944d4b358f02fde988c65842110bdc089e04e9f138
fedeb19031bcc0941b0943dd3ed45ee6095b8c489c072c85e513b414abf8acf5
694b9ea09a47c2f24b47c60ddff0a0537828e8ba964c0ad0045b9862bce37d42
a68cb3bf1d9d41e29fcf2e4391e827591e58783cea5a13fe95403fb6b3429b5d
27b73d13a548e7501e9e2de62382122adacf550f464c1139994cabf7265b8ee4
30c4d8cc68cc16af698b521cf9e31a8540f0c5cce8e2d66e874fc62a87dae393
882d1b405632e01ab063253e2a0f647ff2587fe879e6b90e03b59226e36c8fe8
94ba0bcb6b19c2d7cec1891c5b5c52d60d7de643321429991605b86e26f8b032
5cf30c00d7d4d16229204e0c969f26a1a0fa2f0067818d518a81d97123e277d9
SH256 hash:
90ef7729cc5d1333527b16918f74b6b741433902613977560e63404fd5ce18d4
MD5 hash:
90bec9b0f9b72dbcb6e4943adfca61d0
SHA1 hash:
7cda583dede0b41b8cc570cb8dc788c56742f788
Link:
https://www.unpac.me/results/55603d5d-d102-4159-8b21-9c0e6531a165/
SH256 hash:
6fef8420a8bd6a90cfe7ac8aeb0e3811422b9b6cb9e0b14ea03f5236438f72ba
MD5 hash:
10c7772f435231d58046e0dc34def127
SHA1 hash:
38c8f9ffb5136848d62582ef41bab6c810121c74
Link:
https://www.unpac.me/results/55603d5d-d102-4159-8b21-9c0e6531a165/
SH256 hash:
f7d272daf3522f99ca67b99bfe557564baba239104c7f20cef842f2e870bdf28
MD5 hash:
cceaca53d81061c0f1c6cf35ca7bf34b
SHA1 hash:
23ba45b249e0e4bdc5a8d4b4b07e2f7509cf85be
Link:
https://www.unpac.me/results/55603d5d-d102-4159-8b21-9c0e6531a165/
SH256 hash:
3222916ad76028f3906c296f18e075833e325ec71450e789a1f7b52f32711455
MD5 hash:
17f2d4b66050971006046f89acbdbc86
SHA1 hash:
180e83a9a7ad53034b2629c324198e14c621b310
Link:
https://www.unpac.me/results/55603d5d-d102-4159-8b21-9c0e6531a165/
SH256 hash:
638394ba0aa51689488ddd944d4b358f02fde988c65842110bdc089e04e9f138
MD5 hash:
f6f1800d0147b3bbc7b32048e4da21d2
SHA1 hash:
8bd76892daa48782a8571491ed299477d150bbf1
Link:
https://www.unpac.me/results/55603d5d-d102-4159-8b21-9c0e6531a165/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/638394ba0aa5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/638394ba0aa51689488ddd944d4b358f02fde988c65842110bdc089e04e9f138

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 638394ba0aa51689488ddd944d4b358f02fde988c65842110bdc089e04e9f138

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1649279/
Cape
Cape
https://www.capesandbox.com/analysis/193737/

Comments


Avatar
zbet commented on 2021-09-30 16:01:15 UTC

url : hxxp://lg-tv.tk/D776885863728261937.PDF.exe