MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0
SHA3-384 hash:	c3a0a8f972f9ce112e8a6a0e5e7937c6b7f8bbf366d13ade0e50bad8b75c1cf9b28feae5bb8faa2345d91665f16bbaba
SHA1 hash:	864e3c954966ef5b2d75fbf6ef7e23c8c465f637
MD5 hash:	27e700882d8c8b6e574a99a4deb36b07
humanhash:	fillet-shade-nitrogen-nineteen
File name:	6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0
Download:	download sample
Signature	Formbook Create hunting rule
File size:	749'056 bytes
First seen:	2023-01-10 12:48:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:/mx2cHss/S+PB45DDoSivV662cFRA54R/KEA9UMlDR+Gac42xtAq:ex2cHs6SqazivV6+zA54dlAeM1RP42np
TLSH	T112F41283312D4B26D36C3B7260F593203B66BE316463DA9EAEC5B5CB46B37918E30553
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

181

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0

Verdict:

Malicious activity

Analysis date:

2023-01-10 12:47:28 UTC

Tags:

formbook xloader trojan stealer

Link:

https://app.any.run/tasks/5e895760-a999-4300-84cd-bbe19b493f81

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/351520/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.48217.UNOFFICIAL

Win.Dropper.Formbook-9982291-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Searching for synchronization primitives

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/63bd5ec00fdf1633326e26ae/reports/151c421f-b30b-410d-b06f-5884482d2982/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b9d48e83-40cc-4e71-8072-9b8a5ad5edce

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1148734

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-01-10 12:49:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 41 (63.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nx4hg5uwstxttahc4goyyzl6jwmtsofzzhxisevjl6bqe7y2f2qa._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:a19i rat spyware stealer trojan

Link:

https://tria.ge/reports/230110-p2cbaaga78/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook payload

Formbook

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3915b2a0-c1ae-490d-990d-0b06e0b049b7

Unpacked files

SH256 hash:

cce4a21afc74d7d48d862af5b0d8598fcd213ce5d331176dfa12257f43813ecd

MD5 hash:

44bf97f71cc12eca3ce5612ffabf366c

SHA1 hash:

909a19c4d99ef46ed6661902a30cefb3a2992d94

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/67869c50-5485-4f1d-a5a2-fe72e2c220c1/

Parent samples :

cc306bb2d4ff7a9b6a4526abfe0ee05610bc1f34f8c4b96f465c44412558516f
9bdc185c4c52ab97921a7d99b7bfe6e22ac5be828d999b19e41983b3c79af0c9
3aec0a3b707390b1a000b0e7a6deb3bd7b8f84109b4335be6809694453fadc4c
6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0
ab3c843f0e9a542dad1b81078283a788da46aa9cc99b63434cca85737d982d94
0ae02ccb00f91c7e5c7eab7f893c859e533a294dc868ee3c43904e5f835b97bc

SH256 hash:

028c997208a38983a8f3c14e30a724b931eff6c61665be6a9f6a97d1cdd43fc7

MD5 hash:

f2f525bdfbc708f65321490cf1296ac9

SHA1 hash:

cd96e4e0b0013a8bf6d060c0db199a6a8175d657

Link:

https://www.unpac.me/results/67869c50-5485-4f1d-a5a2-fe72e2c220c1/

SH256 hash:

22a99e2740dcb5fcab542cb6ee33472a01b8f226f76e031e31b9f00ca1b08b8c

MD5 hash:

bb7995fc982c684be3ddc978e7853bca

SHA1 hash:

b5b9064f2f4ca6b8fa9646700d0bb7d0e0acbd55

Link:

https://www.unpac.me/results/67869c50-5485-4f1d-a5a2-fe72e2c220c1/

SH256 hash:

98fd2c2dbb5770c67d1e8897bb11ced8909b7b3a7248055b964737d406e713eb

MD5 hash:

aa87f95ebb7337c6e0aa648bbdcb7724

SHA1 hash:

3beb897cb3f10f56cd184049a12e4760e28b9f0a

Link:

https://www.unpac.me/results/67869c50-5485-4f1d-a5a2-fe72e2c220c1/

SH256 hash:

ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747

MD5 hash:

89ac57478044c57c7195943116a521e0

SHA1 hash:

1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

Link:

https://www.unpac.me/results/67869c50-5485-4f1d-a5a2-fe72e2c220c1/

SH256 hash:

6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0

MD5 hash:

27e700882d8c8b6e574a99a4deb36b07

SHA1 hash:

864e3c954966ef5b2d75fbf6ef7e23c8c465f637

Link:

https://www.unpac.me/results/67869c50-5485-4f1d-a5a2-fe72e2c220c1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/6df873769694ef3980e2e19d8c657e4d993938b9c9ee8912a95f83027f1a2ea0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/351520/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample