MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74038c5bbdbded24e577d6c081d88febe59735546d902323a310e2e9d3f66677. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	74038c5bbdbded24e577d6c081d88febe59735546d902323a310e2e9d3f66677
SHA3-384 hash:	349844631c244844a67926652939ea33f4d792ca6c7480dca33f147924fddcf00e80eb8b3f81859ae666b423e6b1d8ec
SHA1 hash:	25eb7312a33a4766d42987e93d84cbbe08ad55c2
MD5 hash:	59232cb7abe67e8ea52d8d9ca18beba0
humanhash:	jersey-river-video-mirror
File name:	SecuriteInfo.com.Gen.Variant.Nemesis.1521.20573.5030
Download:	download sample
Signature	Formbook Create hunting rule
File size:	240'009 bytes
First seen:	2021-06-02 07:55:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:8Qq+usy9h2Y7jjdABrziT/YuVLS8kvne/s5VaCLgZxliwvqWa/p:TEEY7jwrzQNxSremYCU3jvqWQp
Threatray	5'546 similar samples on MalwareBazaar
TLSH	FD34226DA3E0C6FFF40A9A331437EB79C97F5630330522A73B2A5F4626285C3594D2A1
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Gen.Variant.Nemesis.1521.20573.5030

Verdict:

Malicious activity

Analysis date:

2021-06-02 07:59:14 UTC

Tags:

installer

Link:

https://app.any.run/tasks/f4335a9f-a668-4e27-943a-32328895b5cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/163955/

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.1521.20573.5030.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

DNS request

Unauthorized injection to a recently created process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/795698

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/74038c5bbdbded24e577d6c081d88febe59735546d902323a310e2e9d3f66677/

Threat name:

Win32.Worm.SpyBot

Status:

Malicious

First seen:

2021-06-01 21:36:53 UTC

AV detection:

13 of 47 (27.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oqbyyw55xxwsjzlx23aidwep5pszonkunwicgi5dcdrotu7wmz3q._file

Verdict:

malicious

Label(s):

formbook

Formbook

3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461

Formbook

4d90c368dbb4c085f00a9d323996a1c6235acd5afadcbcf935d0b56a432a3410

Formbook

744400d590042d779a25401879f9906b979e32bba3fac355a0ff2d5a00f4fcfc

Formbook

78b11874a66b80ec78962b27c352a643d1a11c7f5cf9273f0db06df3f4f7e76c

Formbook

82de7428f30e703ae55105807dd3c3c19e2f8a377e7a5c2b925537a182d3a886

Formbook

ad2a5569cb14f86fe191f54f6fecb7bf1fe389418858f5fc72e6367c9780a9f0

Formbook

ae5df8905dd1b9de509e6764dea4c5571916b1705a129bddf2f5e2e554552acb

Formbook

d869fa27fd5d5a229609f218572f1625820cb8176ba6c1616714e40d4e6b7897

Formbook

e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267

Formbook

+ 5'536 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210602-maw4zvemze/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.knighttechinca.com/dxe/

Unpacked files

SH256 hash:

74038c5bbdbded24e577d6c081d88febe59735546d902323a310e2e9d3f66677

MD5 hash:

59232cb7abe67e8ea52d8d9ca18beba0

SHA1 hash:

25eb7312a33a4766d42987e93d84cbbe08ad55c2

Link:

https://www.unpac.me/results/2f8e5561-759a-4e28-aa16-aaf1600e494b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/74038c5bbdbded24e577d6c081d88febe59735546d902323a310e2e9d3f66677

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/163955/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample