MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f1306a431ab5e872fffcd98420fb4c8d4e0959b11d2923891ddc31b226297d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f1306a431ab5e872fffcd98420fb4c8d4e0959b11d2923891ddc31b226297d3
SHA3-384 hash: 5a12dc700421060b55b0e143886e7fa26443ad0316c09839c8b755b2ab4f04b18a4e8cd747cf2589de9579fcae6a4836
SHA1 hash: 650674b010d83efca4a7345de18ba5875f61bbfc
MD5 hash: bd445ce54588f3ea14c6ef52fe6470e7
humanhash: nitrogen-purple-georgia-mockingbird
File name:bd445ce54588f3ea14c6ef52fe6470e7.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:274'634 bytes
First seen:2022-05-12 07:32:22 UTC
Last seen:2022-05-12 08:57:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:LOtIOhneXvag3D7xc0ZV+jhB1WiHWyOl/W+qd7e3+tG:LOLh6PD7Oz0iHWJHs7ej
Threatray 15'441 similar samples on MalwareBazaar
TLSH T187441274A2A5D773E5B217716E3A2F2FC9B3C521A550921B0310CBA878B73E1E50F687
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
http://103.207.39.170/goofy/sepat.exe
Verdict:
Malicious activity
Analysis date:
2022-05-12 08:05:06 UTC
Tags:
opendir loader formbook
Link:
https://app.any.run/tasks/73bc3281-7dca-4a64-8347-0e356554f616

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269952/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17277/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/627cb84489dc6403e7776665/reports/c8e5d5ab-be53-4cdb-8ded-3d2550ed42f8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e7bd1b5-240c-4833-82aa-0ff1a4c4cdf9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992465
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 624965 Sample: Rip3La7Esv.exe Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 34 www.hsf777.com 2->34 50 Snort IDS alert for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 6 other signatures 2->56 12 Rip3La7Esv.exe 19 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\Temp\yvksi.exe, PE32 12->32 dropped 15 yvksi.exe 12->15         started        process6 signatures7 66 Multi AV Scanner detection for dropped file 15->66 68 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->68 70 Tries to detect virtualization through RDTSC time measurements 15->70 72 Injects a PE file into a foreign processes 15->72 18 yvksi.exe 15->18         started        process8 signatures9 42 Modifies the context of a thread in another process (thread injection) 18->42 44 Maps a DLL or memory area into another process 18->44 46 Sample uses process hollowing technique 18->46 48 Queues an APC in another process (thread injection) 18->48 21 explorer.exe 18->21 injected process10 dnsIp11 36 www.bulkheadsrestaurantgroup.com 199.59.243.200, 49797, 80 BODIS-NJUS United States 21->36 38 futternmitflo.com 192.0.78.25, 49790, 80 AUTOMATTICUS United States 21->38 40 www.futternmitflo.com 21->40 58 System process connects to network (likely due to code injection or exploit) 21->58 25 chkdsk.exe 21->25         started        signatures12 process13 signatures14 60 Modifies the context of a thread in another process (thread injection) 25->60 62 Maps a DLL or memory area into another process 25->62 64 Tries to detect virtualization through RDTSC time measurements 25->64 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6f1306a431ab5e872fffcd98420fb4c8d4e0959b11d2923891ddc31b226297d3/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 03:33:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n4jqnjbrvnpiol77zwmeed5uzdkobfm3chjjeoer3xbrwitcs7jq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
285e772a15413afa15e86632327faebaa56ff23d0ca19249c228b2d531e19f96
Formbook
4a7aa26a59cccaa38181f61e413214368bd2cb3b8aa9c93c8694cc7d37591a3f
Formbook
613151db2677d34450d7a67d1a78a167f3d5dade8afc2cc4e8309336857bb766
Formbook
650baaf8397e4aa4925a88c44c5ab63f5b61b4c03607eb511b3bd6dc6d98f652
Formbook
6bd24ce0a16599d97686146c6a822023f0f4896fcee914eed9a4e45a7e46b864
Formbook
8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa
Formbook
8c8afc7e873c1fc04cfc9cc2331ed6f46dad4defd1158e39f10258ee4b477758
Formbook
b49b339fee0e9543d77688426378faefab1b4fca1e310df88fb8ed376b5456d3
Formbook
cbf7dac8ee4dd46d48f7a0d6f0495d3d27ef5319fd05ace04aea7bfe96fe99c7
Formbook
f6acdf84ba27d835f11aaeaf29f71eab77a592fb6fea7a06d76bcd1d9228171c
Formbook
+ 15'431 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m0d4 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220512-jdh62abah8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
24aa4c4379956dec92396685eac1af157af242a4a29fdd5e615409c608e2d9a1
MD5 hash:
8cea7581508003c92f27c047a50cfc53
SHA1 hash:
3c04ab3b1cefea79e066c7915b3f71614ebd7183
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/59cee67a-a8a6-4bd2-b0d7-68088baab372/
Parent samples :
285e772a15413afa15e86632327faebaa56ff23d0ca19249c228b2d531e19f96
6f1306a431ab5e872fffcd98420fb4c8d4e0959b11d2923891ddc31b226297d3
SH256 hash:
a66953ec6f5e212cce3844f0b33b6055f107f44cb6a861dd1f53b5453fc4b4fd
MD5 hash:
76b9c28755d4e41a43b8dd60a53b8871
SHA1 hash:
e5b08565d33d5f6501c7f70b3dcc9b4a87e9d73f
Link:
https://www.unpac.me/results/59cee67a-a8a6-4bd2-b0d7-68088baab372/
SH256 hash:
6f1306a431ab5e872fffcd98420fb4c8d4e0959b11d2923891ddc31b226297d3
MD5 hash:
bd445ce54588f3ea14c6ef52fe6470e7
SHA1 hash:
650674b010d83efca4a7345de18ba5875f61bbfc
Link:
https://www.unpac.me/results/59cee67a-a8a6-4bd2-b0d7-68088baab372/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f1306a431ab5e872fffcd98420fb4c8d4e0959b11d2923891ddc31b226297d3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6f1306a431ab5e872fffcd98420fb4c8d4e0959b11d2923891ddc31b226297d3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2191222/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/269952/

Comments