MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f
SHA3-384 hash: 69a19846b8c1cb0fbbae9382d08694e138efe523d61089cb09808b12d60d35227c5770a2d38d9a37fe58205612014548
SHA1 hash: be235c4800548dddf216d72b5c3e22024f6be642
MD5 hash: fa0d69a3ff0a272e9e16c1fcac400a6a
humanhash: burger-twelve-cup-foxtrot
File name:fa0d69a3ff0a272e9e16c1fcac400a6a
Download: download sample
Signature Formbook
Create hunting rule
File size:978'432 bytes
First seen:2021-06-22 13:41:24 UTC
Last seen:2021-06-22 14:42:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:skEWFHmuuSMPQipP5CTV5jyYA+XyprkzSHja6op+DrbdF+txzN9Y:XHFRiphWXerkzoja6opSd2zjY
Threatray 5'956 similar samples on MalwareBazaar
TLSH D625A0120ECF422EE2755EB657B0EC87C3756EA62A05B2113EC031ADC9375EADCEE511
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fa0d69a3ff0a272e9e16c1fcac400a6a
Verdict:
Suspicious activity
Analysis date:
2021-06-22 13:43:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/87a1885e-29dd-410c-bc22-b8a92147ab27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167580/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader39.59262.27993.32422.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/203fd39d-eff0-4380-bf5e-022661e3381d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805990
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438403 Sample: 9pwzkYTvAd Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 9 other signatures 2->46 9 9pwzkYTvAd.exe 3 2->9         started        13 explorer.exe 2->13         started        process3 dnsIp4 28 C:\Users\user\AppData\...\9pwzkYTvAd.exe.log, ASCII 9->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 9->54 16 9pwzkYTvAd.exe 9->16         started        19 9pwzkYTvAd.exe 9->19         started        30 www.couplealamo.icu 13->30 56 System process connects to network (likely due to code injection or exploit) 13->56 file5 signatures6 process7 signatures8 32 Modifies the context of a thread in another process (thread injection) 16->32 34 Maps a DLL or memory area into another process 16->34 36 Sample uses process hollowing technique 16->36 38 Queues an APC in another process (thread injection) 16->38 21 rundll32.exe 16->21         started        process9 signatures10 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process11 process12 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 13:17:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05d6308da69a011a5f95088f5ae7d68aa09e430b05c169dc53d701776b08dd62
Formbook
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
Formbook
25644ff35da89545c702b633182c4ff1f649dd64c9c8249be9afe7090359d87d
Formbook
7f6694752a3e50d4f811fb5c807f305ba5c4b422c3fa10468132575c6c2505b6
Formbook
9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44
Formbook
af9e4af9e1c7c2991d0fe0e5eedd11a819cb5d697ef75606ae620f3b7fd20775
Formbook
b35de004189f271fe754dd614e5fbbc299425f5aca9ebf1f935bf26696964853
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
ea356b3d9e31986305af05633f1404882113499d46a0505145a5021d8fcdbc5f
Formbook
f5b24f949895b74aa3b6bbb47e215f55f1846bf82bf462db83eff295e72fb5f7
Formbook
+ 5'946 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210622-2seh214qse/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.rocketschool.net/nf2/
Unpacked files
SH256 hash:
d67162a309f55532671d0762050843f142e5b1f35ceba5a1e865823d586b0f72
MD5 hash:
6c7cf78859b540457a288ff6d2a9be87
SHA1 hash:
2b2d017200175a18c2c64b00658d5bbe77a5b056
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/855ab4e3-5289-4066-bb12-3099e6bc0581/
Parent samples :
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f
e6d2884a7f50db2cd7d453a6d2df400330be8de28394be157f92195f3d1d99d4
SH256 hash:
f735ab1a7eaeb2c7114277ea2434951ccfa06afc422f36a69af7b7383baa421b
MD5 hash:
b03ce1f646e05a8a34e9c334c4547d5f
SHA1 hash:
d881777529b42a0b7a56c5612ccb543314a7c009
Link:
https://www.unpac.me/results/855ab4e3-5289-4066-bb12-3099e6bc0581/
SH256 hash:
2266124f4013fb999cb41396a20cd1a9476f4386b153a1fcbad93f7ddeb77b87
MD5 hash:
3f3317215f71b763cebfe3de013341c7
SHA1 hash:
93375dea96ec6e4166d61d6c55a2bd5e8ab814a1
Link:
https://www.unpac.me/results/855ab4e3-5289-4066-bb12-3099e6bc0581/
SH256 hash:
6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f
MD5 hash:
fa0d69a3ff0a272e9e16c1fcac400a6a
SHA1 hash:
be235c4800548dddf216d72b5c3e22024f6be642
Link:
https://www.unpac.me/results/855ab4e3-5289-4066-bb12-3099e6bc0581/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6fc54865431fbb7c3faf9de8669eaa557aec1816eee94cfd9e63418e8e7ac74f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1388355/
Cape
Cape
https://www.capesandbox.com/analysis/167580/

Comments