MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bb272687077dd72fd43ff97e4883a202c4a041cccf94b6df1876820d69418f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bb272687077dd72fd43ff97e4883a202c4a041cccf94b6df1876820d69418f3
SHA3-384 hash: a400838f119060b2642eed6450af7c5d0043271cb9148b0b5f2a1892bfcb4b805225b1d79acca8278f6a45da8630aa4c
SHA1 hash: 781708f81b9d1a922c11060e8a494bc8a7471a06
MD5 hash: de964e4eddeb6ff30b6382af77de7650
humanhash: johnny-nuts-july-nebraska
File name:de964e4eddeb6ff30b6382af77de7650
Download: download sample
Signature Formbook
Create hunting rule
File size:44'544 bytes
First seen:2021-09-21 20:38:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 768:m/3VMX7xbLYCQafz+lRPsHbQTg8XjTch:cV+JL/ilRUHbQTg8Xjoh
Threatray 9'463 similar samples on MalwareBazaar
TLSH T1ED13D406B625CE16D2D54AB3CE6BD1481735DC429C01DA4B374B3F0F7C3339E899AA09
File icon (PE):PE icon
dhash icon 4730d8d4d4d83047 (3 x a310Logger, 2 x Formbook, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
de964e4eddeb6ff30b6382af77de7650
Verdict:
Malicious activity
Analysis date:
2021-09-21 20:40:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/03809cff-996e-46ff-a926-5524a2fc3dbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190000/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37611866.32022.21030.UNOFFICIAL
Create hunting rule

Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de7e16b7-616b-4695-bb24-87ea512ae009
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855217
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487649 Sample: TRJViVkvTr Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 52 www.firsttastetogo.com 2->52 54 www.twitter.com 2->54 56 4 other IPs or domains 2->56 78 Found malware configuration 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 5 other signatures 2->84 11 TRJViVkvTr.exe 15 6 2->11         started        signatures3 process4 dnsIp5 76 store2.gofile.io 31.14.69.10, 443, 49685 LINKER-ASFR Virgin Islands (BRITISH) 11->76 46 C:\Users\user\AppData\...\TRJViVkvTr.exe, PE32 11->46 dropped 48 C:\Users\...\TRJViVkvTr.exe:Zone.Identifier, ASCII 11->48 dropped 50 C:\Users\user\AppData\...\TRJViVkvTr.exe.log, ASCII 11->50 dropped 15 TRJViVkvTr.exe 11->15         started        18 powershell.exe 17 11->18         started        21 powershell.exe 17 11->21         started        23 2 other processes 11->23 file6 process7 dnsIp8 98 Multi AV Scanner detection for dropped file 15->98 100 Machine Learning detection for dropped file 15->100 102 Modifies the context of a thread in another process (thread injection) 15->102 104 4 other signatures 15->104 25 explorer.exe 15->25 injected 58 www.facebook.com 18->58 60 star-mini.c10r.facebook.com 18->60 29 conhost.exe 18->29         started        62 www.twitter.com 21->62 64 twitter.com 21->64 31 conhost.exe 21->31         started        66 192.168.2.1 unknown unknown 23->66 68 www.google.com 23->68 33 conhost.exe 23->33         started        35 conhost.exe 23->35         started        signatures9 process10 dnsIp11 70 www.jastalks.com 208.91.197.91, 49686, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 25->70 72 www.conanagent.icu 99.83.154.118, 49688, 80 AMAZON-02US United States 25->72 74 2 other IPs or domains 25->74 94 System process connects to network (likely due to code injection or exploit) 25->94 96 Uses netstat to query active network connections and open ports 25->96 37 NETSTAT.EXE 25->37         started        40 autofmt.exe 25->40         started        signatures12 process13 signatures14 86 Self deletion via cmd delete 37->86 88 Modifies the context of a thread in another process (thread injection) 37->88 90 Maps a DLL or memory area into another process 37->90 92 Tries to detect virtualization through RDTSC time measurements 37->92 42 cmd.exe 37->42         started        process15 process16 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bb272687077dd72fd43ff97e4883a202c4a041cccf94b6df1876820d69418f3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 13:34:43 UTC
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
006dac8da13a28a8c98c6ec8ef112ee55544e0c4676cd2ffb393cb3cd66ebe15
Formbook
42c87021e56190f67716d25a66a6542bd352a66c6c352d74c60af681a187d336
Formbook
475032f04ff405e24ecc5e2a93fb9c0c5fc037cc59e06b1772a8e60bc2dcadd1
Formbook
4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7
Formbook
818b8b831f3c774e034e2794f1eae71f62f5388355916e948b472cfdac7f5508
Formbook
984ad48db84dccbf4d978f50b0cad2c0f2eb4a256cc5f3b470facf3e411283ae
Formbook
a56e9e3fc6d7b412b1e9cf5dff739358849779b3c80df268ade3d9da79bd5da5
Formbook
c991bf983458f62d5c6fe6dd695b5d7e13a07a35228cd0b677afd6b6da6a5e1a
Formbook
d9cc0ba64d20a3a60f1580c74ff1269f5b545a0abf23362cbc678b12057a6cf3
Formbook
+ 9'453 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o4ms rat spyware stealer trojan
Link:
https://tria.ge/reports/210921-ze9y5sddam/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nocodehost.com/o4ms/
Unpacked files
SH256 hash:
6bb272687077dd72fd43ff97e4883a202c4a041cccf94b6df1876820d69418f3
MD5 hash:
de964e4eddeb6ff30b6382af77de7650
SHA1 hash:
781708f81b9d1a922c11060e8a494bc8a7471a06
Link:
https://www.unpac.me/results/5125f1c3-ca81-491f-a3f6-eace1b9983de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bb272687077dd72fd43ff97e4883a202c4a041cccf94b6df1876820d69418f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6bb272687077dd72fd43ff97e4883a202c4a041cccf94b6df1876820d69418f3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1638745/
Cape
Cape
https://www.capesandbox.com/analysis/190000/

Comments


Avatar
zbet commented on 2021-09-21 20:38:31 UTC

url : hxxp://52.58.97.51/4r/u/product_specifications_details_20210650_rfq.exe