MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7004038b720e2eab183b3cb5832661a32187f8d8c5f541dba61270044552fde0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7004038b720e2eab183b3cb5832661a32187f8d8c5f541dba61270044552fde0
SHA3-384 hash: 9810e8bed4d3e05f8377a263c798466d09942137ce13b34eec55549848e6ecb5e9b60bb66893236cba56ce1818a18157
SHA1 hash: 5b549a9bcfce892fa4301c21d130ce15ec0ed8f4
MD5 hash: 4436c17da6243ac8a54e75d73551a372
humanhash: angel-sodium-connecticut-skylark
File name:HALKBANK.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:653'312 bytes
First seen:2022-05-09 14:10:43 UTC
Last seen:2022-05-09 14:54:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:rXZp2L2IMe99HdGKUMXI8rUgAcj6S5ZO6+kMaaY5GQrwfJXhd:bz26e9/GKQ8rUYj6S5ZR+kMTJQc
Threatray 15'797 similar samples on MalwareBazaar
TLSH T1A0D41219BAAA4366D637E7F16460634003F72E6DB9A2F35A1EC037DF01E67620605F63
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe FormBook geo Halkbank TUR

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
HALKBANK.exe
Verdict:
Malicious activity
Analysis date:
2022-05-09 18:52:32 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/57be655f-4a96-4a17-a18b-62e6b6464d2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.49659.7864.12258.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/627920febe0219041a887246/reports/c9789356-c885-4e88-85e0-f6ab541571dc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8017d336-063c-4ab0-807d-1fecbcee4bf9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990226
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 622723 Sample: HALKBANK.exe Startdate: 09/05/2022 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 10 HALKBANK.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\HALKBANK.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 HALKBANK.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 mellmagment.com 143.95.33.96, 49779, 80 ASMALLORANGE1US United States 17->30 32 www.mellmagment.com 17->32 34 www.dtdblockchain.com 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 control.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7004038b720e2eab183b3cb5832661a32187f8d8c5f541dba61270044552fde0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 14:11:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oacahc3sbyxkwgb3hs2ygjtbumqyp6gyyx2udw5gcjyairks7xqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3c57ec7ea03791fee9e9c337171a74420550482bb9c1e626aeb7e183bcf4b195
Formbook
7b3be400d99b473afc9f2bdf46477b61736a71db20cd9d1137b0cab4d4aaeff9
Formbook
9ce0d52eefea098cc0d81975729ac54582ef202a036cb926f886e0b8cb9ae869
Formbook
a9915e261e819e5388755f6e20a93b55c096eb7b81b930c7212a77be734a97b2
Formbook
e677af4720b0b6402c8b677265968541dfa6b57f12578f7701ac840bd1f0889f
Formbook
e9a5fa1e217bd7dbbb5b055250c3818d3372a77cfe3cb2f397e251583accfd6f
Formbook
f6acdf84ba27d835f11aaeaf29f71eab77a592fb6fea7a06d76bcd1d9228171c
Formbook
fd47fb1d9ae6d4fa2d64afcc600498076f0f8803cb134782723c4a8bd0ae81b4
Formbook
+ 15'787 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e2e9 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220509-rg9r6agdbj/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
5b01f027a64f907e5edcfc4ef22a4ae21dc30e773a589666fbb8a2f390ff1d21
MD5 hash:
ae141b03315976e3091a050af64b1bf7
SHA1 hash:
3f795dc025e5ee92c40ea0b124b8eb09b7d390be
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6caa73be-144d-4bcf-9eec-fcb7686c6c2a/
Parent samples :
7004038b720e2eab183b3cb5832661a32187f8d8c5f541dba61270044552fde0
4c2507937c1200a3bcb04401ec42295d72d7af0d6b1d075c60087390cbab046b
c1540d2557099f8a3561fcc3dfac32acf8ca040c06737dfe0737e1a5fd1165ac
662165b7a33508c0c6f00d3d37d68094610bf0c2b791491aeb5b544f52fc6c8a
7c27342f6a474daabf28ddcdee497ac8495ce0ce6f84410f11dfb48766073c42
669281f9aa118bef43b360b346e7954d6e1e9f04da0c8bff68387a2730c8e928
ea4cefb64ba4ac3c6cb07588225a86c3b98c162d63bf678c44381f313730172f
cd39064e2db9b7568fff7a58cc14153d1f45fa6060f301cbcf56c13106922a69
SH256 hash:
cc8870b5e6e489c86e4ead64d61590678ff751a156b6d1682e0f7147635b5c05
MD5 hash:
02bde3af7d9427d0491b0b2acb7933df
SHA1 hash:
b8c6643062c335cb21c8131ed0f894651a262758
Link:
https://www.unpac.me/results/6caa73be-144d-4bcf-9eec-fcb7686c6c2a/
SH256 hash:
da53d6cc03067a7ee38614952266dac377e38aa07fbe7cbb91b7411f1d332193
MD5 hash:
4ba75ea29d9e0fde6a4d658aab717ebf
SHA1 hash:
95c0f1f4e5a6b0e4abcee4d1d859154830d20fc8
Link:
https://www.unpac.me/results/6caa73be-144d-4bcf-9eec-fcb7686c6c2a/
SH256 hash:
044e6e22943ac21887eaef4daf70bc43b8d7b54b7160ecc2e0b6ff77a6832a99
MD5 hash:
0512fe61b5e75a5aa25f0c17882292cd
SHA1 hash:
3b05ecfbb15a15fd46a9d9b588620454b6361745
Link:
https://www.unpac.me/results/6caa73be-144d-4bcf-9eec-fcb7686c6c2a/
SH256 hash:
7004038b720e2eab183b3cb5832661a32187f8d8c5f541dba61270044552fde0
MD5 hash:
4436c17da6243ac8a54e75d73551a372
SHA1 hash:
5b549a9bcfce892fa4301c21d130ce15ec0ed8f4
Link:
https://www.unpac.me/results/6caa73be-144d-4bcf-9eec-fcb7686c6c2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/7004038b720e2eab183b3cb5832661a32187f8d8c5f541dba61270044552fde0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7004038b720e2eab183b3cb5832661a32187f8d8c5f541dba61270044552fde0

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments