MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 722fbb681dbb87c4fb170204b6b9374ce2c38538ef4d42a57dca2c4605abf062. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 722fbb681dbb87c4fb170204b6b9374ce2c38538ef4d42a57dca2c4605abf062
SHA3-384 hash: 41a8e529b9f3ad9867b38ddcffe92223ba7fa5b478c78f631b90ee1e7c94239fdcf3bf58ad10614f40525221a2d6e8f7
SHA1 hash: 5ef714fc10cb8e1aff9ef724c2d3b7267fca65e2
MD5 hash: a9c81d31535669f3ee4d68f26ce1f52b
humanhash: johnny-north-tango-triple
File name:a9c81d31535669f3ee4d68f26ce1f52b.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:952'832 bytes
First seen:2021-02-18 15:55:26 UTC
Last seen:2021-02-24 00:35:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 24576:RlFKLriziS1NtoqriTO8JxQSR82fDMG9f:ci/tPOTZ7v82fj
Threatray 381 similar samples on MalwareBazaar
TLSH 1315F1236288AF51E4BE4BB9CA641800C3FABE07D762E89E3DF531CE25B1F945561707
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://65.0.55.192/good/cmd2.exe
Verdict:
No threats detected
Analysis date:
2021-02-18 12:39:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/92ca640f-31b4-47e4-96c6-59344ddf5394

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117833/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.545.14987.31797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/611804
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 354915 Sample: qVFdxqtWGo.exe Startdate: 18/02/2021 Architecture: WINDOWS Score: 100 19 Multi AV Scanner detection for domain / URL 2->19 21 Found malware configuration 2->21 23 Malicious sample detected (through community Yara rule) 2->23 25 6 other signatures 2->25 6 qVFdxqtWGo.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...\qVFdxqtWGo.exe.log, ASCII 6->17 dropped 9 qVFdxqtWGo.exe 6->9         started        11 qVFdxqtWGo.exe 6->11         started        13 qVFdxqtWGo.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/722fbb681dbb87c4fb170204b6b9374ce2c38538ef4d42a57dca2c4605abf062/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-18 14:20:46 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oix3w2a5xod4j6yxaiclnojxjtrmhbjy55gufjl5ziwembnl6bra._file
Verdict:
malicious
Similar samples:
134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b
Formbook
2c4cd5dc3ad1f238e7e186c4ab0fd34c2fb2215c7aadbd85f45850a6dffcde14
Formbook
427102cfb84006044ecb4a6e42daaceb66f01c098c6a848106f30a2ce22dd5c4
Formbook
5c7b804890877a7a9da085d878b0fc1a444aa1b75965e16beab74c978fab6079
Formbook
608d70c1cb35d04fa09469743651ee50e859d9ea016f7492bc53008de310deb7
Formbook
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
Formbook
9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f
Formbook
a798b16a0757f66a69a632fa0b55e1ec08bb4e34dd93f67ebfc405fc583b78e6
Formbook
d8c285b8cbdafee6b30293d64b2ca92f9fb086247cb906a84c2ba13c364132ca
Formbook
e7063cc17e4ab85b0ae947f6366f4a955758d2e3ef81bb2476f77aec1f77daae
Formbook
+ 371 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210218-x2elxrxxe2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
b2f91d1427c7b60a3ad485bed04ba75636560783c9265a8f26542d5f6aa5d8a9
MD5 hash:
5ad6dc03137fc80e4e691f4b409d9120
SHA1 hash:
edb38e49ce79ecce33ce9a891df56468c3a4016e
Link:
https://www.unpac.me/results/2ceffb38-6aac-4443-b813-28f1811ebe78/
SH256 hash:
722fbb681dbb87c4fb170204b6b9374ce2c38538ef4d42a57dca2c4605abf062
MD5 hash:
a9c81d31535669f3ee4d68f26ce1f52b
SHA1 hash:
5ef714fc10cb8e1aff9ef724c2d3b7267fca65e2
Link:
https://www.unpac.me/results/2ceffb38-6aac-4443-b813-28f1811ebe78/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/722fbb681dbb87c4fb170204b6b9374ce2c38538ef4d42a57dca2c4605abf062

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 722fbb681dbb87c4fb170204b6b9374ce2c38538ef4d42a57dca2c4605abf062

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1017036/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117833/

Comments