MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655
SHA3-384 hash: 15853d3514239853448198dfe1922274ce6501032d7e69e90c40112844ea1d0f91a62da596e59d5426c7648463c9dda1
SHA1 hash: 327ab1c59d2effd8dba8a8f0c07bbe94b99d330f
MD5 hash: be7eaf17f2d57b727d2d0f3390626a7d
humanhash: moon-shade-wolfram-cold
File name:be7eaf17f2d57b727d2d0f3390626a7d
Download: download sample
Signature Formbook
Create hunting rule
File size:1'158'656 bytes
First seen:2021-12-17 16:29:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:mKc2qhLmIUUUUUUUi1Brz/z+AuSK3PL/K5MIlcfWk6jYpQRaXqRhIY3clPTUUUUD:9VqhSEZCDSK3D/AMISQeQMWWlPc1MGG
TLSH T11735088525AD3B25FD7853F800AA6C94C7BA7D6A717EC68D8CC330D72973F924850A1B
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214860/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61bcbb0f8541392eb4ec4e5f/reports/b8d9e2b1-19a8-435e-ba30-d1972b928e23/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7ab13c8-6dc8-42e2-a8cf-7543de31aca1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909219
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-17 16:30:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
74
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3gs7jipgq22yzz5p3cl2jgqnu6umhpxl6liuk2j2z4qvridkzkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mh43 rat spyware stealer trojan
Link:
https://tria.ge/reports/211217-tzs88sefeq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
9f5763966bacdc6de3944a6e06a49b05869c38f2e98b32cb93b483a480a6ffff
MD5 hash:
3418c620c4b9dd4533a88f1ba5ec3ff1
SHA1 hash:
12f6aaf1c90030c4063d42a27b2e7000a08b6e74
Link:
https://www.unpac.me/results/bc8d82d3-45a0-4189-aead-248def1d3049/
SH256 hash:
c79ee2a5d90c1bdbe6b94ba8847a49096a50cb239d0eff5fe4c3a803eb4ead2e
MD5 hash:
8d22389cb80c40a30a5df1689d3bf025
SHA1 hash:
615dda0b8f3f55a04c599decfb5d4babe9b578a6
Link:
https://www.unpac.me/results/bc8d82d3-45a0-4189-aead-248def1d3049/
SH256 hash:
3c0bf113aab4e4239b45a472a486551f73b31e8197fac4b03ae2d76a7a822ad7
MD5 hash:
559118ac624bf1006fe97434b4d539d7
SHA1 hash:
f79324d331e05be0a9f27eaf009ef51734966278
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bc8d82d3-45a0-4189-aead-248def1d3049/
Parent samples :
d211ed2bfcc045537d4c74ad6e630cbc455a9ff1d76c51470962883398f3e2bf
6be874893cea5091522ea17e86689fbc000b283779e768760b74f05176ba7346
0e05f364eea6b843357ec8a4991d1dd52fdf847d2386799d62275742f7787d08
76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655
a97ce8a55897b2f476c343a3cb5234e94848cdb3a7a815bb1c31c48dfaf794b7
f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0
6c0a4d3b03b1331dc9c31134c621f45bcd9bf6bc6818d61b3d7f455bf65b0b66
7d846402dd33a4b037c9744a03cccbbb99f36f955b18a7cf0052243556e1faa2
SH256 hash:
76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655
MD5 hash:
be7eaf17f2d57b727d2d0f3390626a7d
SHA1 hash:
327ab1c59d2effd8dba8a8f0c07bbe94b99d330f
Link:
https://www.unpac.me/results/bc8d82d3-45a0-4189-aead-248def1d3049/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214860/
  
URLhaus
https://urlhaus.abuse.ch/url/1893559/

Comments


Avatar
zbet commented on 2021-12-17 16:29:38 UTC

url : hxxp://paxz.tk/kellyseczx.exe