MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69c160253f4c576461da2234cc0ae8518251e398f91ce74d7c061db04b4470ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	69c160253f4c576461da2234cc0ae8518251e398f91ce74d7c061db04b4470ef
SHA3-384 hash:	da597e79a14efd6a257669d5e4ca155d2594498843f906f2f9fc7f2093353a00d1365fcf9086800d96302801b60a9aa2
SHA1 hash:	50a69764fa4a2102846ac30b4e97d648f8551669
MD5 hash:	337f5b2155673a2f47f61fca15dfec9a
humanhash:	pasta-spring-uniform-five
File name:	SecuriteInfo.com.Scr.Malcodegdn30.28603.3448
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'925'120 bytes
First seen:	2021-05-16 18:34:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:UIG0QIXTplzK83++zKh2AVIz5t9S79I3zWd:UIJQIX/bzZAVo52h
Threatray	5'175 similar samples on MalwareBazaar
TLSH	6495C2FE2101E6A5F4152ABF09A3A8C1C3ECA81339D175DE518C776DD9AF93B163340A
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Scr.Malcodegdn30.28603.3448

Verdict:

Suspicious activity

Analysis date:

2021-05-16 18:36:32 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a5d81e81-9a8e-40f5-a5c8-547b4ca4fb3d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/157633/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/783085

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/69c160253f4c576461da2234cc0ae8518251e398f91ce74d7c061db04b4470ef/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-05-16 17:08:45 UTC

AV detection:

11 of 29 (37.93%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nhawajj7jrlwiyo2ei2mycxikgbfdy4y7eoootl4ayo3as2eodxq._file

Verdict:

malicious

Label(s):

formbook

Formbook

6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4

Formbook

7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b

Formbook

851ee4f67cc28e3634b0062d77f62222d026c4e9674a894bcdd5b6c6e6bda376

Formbook

96beadd4f79febff926c6b5071aad39d09f0a1c9d9810317d38d7ed95ce1559a

Formbook

9c9dfbf8c44bbe594498ebf93efd84fcf73d66d9c6d5b86e9979afe5e9e9330c

Formbook

b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2

Formbook

c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c

Formbook

d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138

Formbook

d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f

Formbook

+ 5'165 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210516-e6yb6v7qpe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.intelliedgeclinical.net/god/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/69c160253f4c576461da2234cc0ae8518251e398f91ce74d7c061db04b4470ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/157633/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample