MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c8be961f99ab4d726a615af542101a2f6bd871ce8a81e74f8520365801f9246. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c8be961f99ab4d726a615af542101a2f6bd871ce8a81e74f8520365801f9246
SHA3-384 hash: 8b80d02bcacc90543e007e33fac246cd4630d1d34cace4553282b08394d3eaa56078101009a5ff98907bdf5350828096
SHA1 hash: a4aa1936e37983016bb4b293a71dad91b9b30a5f
MD5 hash: 092dad26e1004c5f1fba64361411bc08
humanhash: kansas-vermont-wyoming-may
File name:092dad26e1004c5f1fba64361411bc08.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:953'856 bytes
First seen:2021-02-10 08:22:41 UTC
Last seen:2021-02-10 10:15:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:0K2vymu08RI0xnB0jQw5CKQW2xVNtmJ9GpoU:0xqBItEw5/QW2xVm2po
Threatray 3'793 similar samples on MalwareBazaar
TLSH F615BE2DF659BA31F0AC7A3A89B0937082BE8C429521D92F3DD932DF4571ADC44D7E42
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
092dad26e1004c5f1fba64361411bc08.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-10 08:24:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e87593e-f98c-43fa-8ce6-c103fcebcd8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116427/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.537.26510.12602.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/604081
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 351039 Sample: eYwQ9loD5Q.exe Startdate: 10/02/2021 Architecture: WINDOWS Score: 100 31 www.book-ly.com 2->31 33 book-ly.com 2->33 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 11 eYwQ9loD5Q.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\eYwQ9loD5Q.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 15 eYwQ9loD5Q.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 taichi-symmetry.com 34.102.136.180, 49753, 80 GOOGLEUS United States 18->35 37 www.chilewindow.com 23.230.59.164, 49752, 80 EGIHOSTINGUS United States 18->37 39 4 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 msiexec.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c8be961f99ab4d726a615af542101a2f6bd871ce8a81e74f8520365801f9246/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 08:23:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nsf6sypztk2nojvgcwxviiibul3l3by45cub45hykibwlaa7sjda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01d1722f7b547ae7024d2cb81993305f9d6aca06a1a3a32d230f9f630579327e
Formbook
25cd952df9c74033229ec91a5da330e392390ca6120db46d9ab21d3120c9011c
Formbook
28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069
Formbook
57f501264360e52cdc77696ff96c77b47ecad9ceb41cd0210cf2f3809bebafc8
Formbook
970aa1ea39079684830789ad8c5c9cbf9777b65fdb44130aa8bbe4b88245e6fc
Formbook
b03882c148ef48dc1d78f6635b795e816bde09b783221cc4cd05040839144fd0
Formbook
ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
Formbook
cf5a2454c16d739c04939e84f71d62772620f7d0f90df49266e8493393da7167
Formbook
f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed
Formbook
fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e
Formbook
+ 3'783 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210210-vm1rprn3tn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.zunebox.com/lsp/
Unpacked files
SH256 hash:
90c8d1837762858512c85c8967e3b9e91fc58bddd609d417711aec39242905b7
MD5 hash:
0aa09944f1298c49a2f96faffa8cf5b9
SHA1 hash:
2220f941557ecfe383dee4b977ddc4b4a78dc263
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0156eb67-8278-4d51-9556-24ce417ab667/
Parent samples :
b03882c148ef48dc1d78f6635b795e816bde09b783221cc4cd05040839144fd0
6c8be961f99ab4d726a615af542101a2f6bd871ce8a81e74f8520365801f9246
SH256 hash:
1d0bc6ceb1d5f8d91f6a3f639d1faf21c41b91e07baabbd166047aae29a3f2a9
MD5 hash:
85c979fe4da1dd7d6924f620787e6059
SHA1 hash:
62a97767a3669a35870e6bf1cb6ef019aaa0f95b
Link:
https://www.unpac.me/results/0156eb67-8278-4d51-9556-24ce417ab667/
SH256 hash:
4e359ee36cf42d852d050ea1704230853b36c650669c2f2c01b3ee9290bf9967
MD5 hash:
e0c01f4b6f900e9ba186e7416addea76
SHA1 hash:
fd21237c3df4892b363c9aa7f945e1c4f7d2cbb5
Link:
https://www.unpac.me/results/0156eb67-8278-4d51-9556-24ce417ab667/
SH256 hash:
21f0cb731e00738d89000b3ba8161a20420a627a0ccf1052f0d3a83b18563162
MD5 hash:
42464fb3838d7abe682494ee96335ace
SHA1 hash:
3938358b9ac2a665585f327d352f919921c3fec8
Link:
https://www.unpac.me/results/0156eb67-8278-4d51-9556-24ce417ab667/
SH256 hash:
6c8be961f99ab4d726a615af542101a2f6bd871ce8a81e74f8520365801f9246
MD5 hash:
092dad26e1004c5f1fba64361411bc08
SHA1 hash:
a4aa1936e37983016bb4b293a71dad91b9b30a5f
Link:
https://www.unpac.me/results/0156eb67-8278-4d51-9556-24ce417ab667/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c8be961f99ab4d726a615af542101a2f6bd871ce8a81e74f8520365801f9246

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6c8be961f99ab4d726a615af542101a2f6bd871ce8a81e74f8520365801f9246

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/996724/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116427/

Comments