MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76cd5f994be53f3f24e2b2018263b9ab582e84870ee8d24f38c6d11adae3688c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76cd5f994be53f3f24e2b2018263b9ab582e84870ee8d24f38c6d11adae3688c
SHA3-384 hash: a411ce458dc9f304febc332f881d50314d672b8dfdffd108f4aaeeb8bdffecc2eecde9ae60cbb54a52d3421ed21f7287
SHA1 hash: 02b7b6075564632a4671ea51bf1a1a0a2bfc8200
MD5 hash: e26a74c3a4ed07700a690e1763ea18b8
humanhash: stairway-massachusetts-autumn-uranus
File name:e26a74c3a4ed07700a690e1763ea18b8.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:601'088 bytes
First seen:2021-10-11 18:43:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:5Tk6MFohvg6V6UqrlqBhJKCDrsh4UTfVARtWGdY+y8O4NyJO0R2BpFR4vpG6ph9M:9hv6UhhJtgTtycCVd0yWMKl/c9MnOg0
Threatray 10'266 similar samples on MalwareBazaar
TLSH T137D4B02039FA4169F273AF762EE1B2599F6FBEB22613941D1051734B0632A41CDF253B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER.doc
Verdict:
Malicious activity
Analysis date:
2021-10-11 11:32:06 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/1fd92289-12ea-414b-8bd8-327b1afa9d4c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196721/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25-2.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616485f69fb4d8593d61c19e/reports/9c427e4c-547e-4193-87a7-0607647d7a47/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/223f1807-970d-42ac-930d-5fa56b6f44ca
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867801
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 500227 Sample: jK0AJMomii.exe Startdate: 11/10/2021 Architecture: WINDOWS Score: 100 31 www.athletik.biz 2->31 33 athletik.biz 2->33 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 7 other signatures 2->43 11 jK0AJMomii.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\jK0AJMomii.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 jK0AJMomii.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.tourmalinesepiapirole.info 18->35 45 System process connects to network (likely due to code injection or exploit) 18->45 47 Uses netstat to query active network connections and open ports 18->47 22 NETSTAT.EXE 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/76cd5f994be53f3f24e2b2018263b9ab582e84870ee8d24f38c6d11adae3688c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 14:01:54 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3gv7gkl4u7t6jhcwiayey5zvnmc5behb3unetzyy3irvwxdncga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
22a5161a4d95e737100936f93042049719d13a8437d751c22ad485ed51ee7c96
Formbook
638394ba0aa51689488ddd944d4b358f02fde988c65842110bdc089e04e9f138
Formbook
680993e1220c8d918f192ae23c5c01b6357c58ad68b7cc59fa122c09b7b85cdd
Formbook
6bb763ffd1ca484344f2a02df3f9e6bddc18a0f1fcd5d58002ad16b82b36db90
Formbook
7162b4c9de1772aa721d26d185fd1b7e32a9de5c6ebfd86cab3ef0ed7561a837
Formbook
90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715
Formbook
972f5e016ffc306524d7083a5a5058ba8b5fc60f3db9f3c0915db59c0523a487
Formbook
a26563b8bb82e71f54068820dd88b7de84199111b66e33af94c09e2344d9db74
Formbook
c12bd972fbf3301e40fa75c3e295a8bd0233bf1f5fa100e79ab7f6755f7b6788
Formbook
c96178775d7f8dd8b06a4e59aad0367f36abc11680081acfcc2b446fb0ee28b1
Formbook
+ 10'256 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ed9s rat spyware stealer trojan
Link:
https://tria.ge/reports/211011-xdh3xshhd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.vaughnmethod.com/ed9s/
Unpacked files
SH256 hash:
74605ccb79176e2b2bd8795845f4c0dd5b9ff6a1344f3ff0bdb3ccdf9a17af56
MD5 hash:
eb9247aeab44b54422a0a0cc4adbe7c7
SHA1 hash:
2ff0478139920ab6dd4cf65530465f9fc702caa3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b4590409-0ea9-4c53-b663-c5c20af5e7f9/
Parent samples :
972f5e016ffc306524d7083a5a5058ba8b5fc60f3db9f3c0915db59c0523a487
9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3
46ce2096cf4b2b0a2dfa386e25baa17078c270a469ae6704e36611fb7c67f908
76cd5f994be53f3f24e2b2018263b9ab582e84870ee8d24f38c6d11adae3688c
4a028b7f272dd96c75716d2268b551576a01ebccaca97bb19da43ec21dbe8514
f13197aff6f530d9883aa1787cd57f4580c4c92bcaa5100f2641924c3e6867a5
SH256 hash:
06643651f04d9aff699f8474b2eaba2bd728331179f717038436edd3964712c3
MD5 hash:
533f7d73b63c82adb33fe1fd80f223a5
SHA1 hash:
da8fba92e448498acfdeca28b198f5039784b837
Link:
https://www.unpac.me/results/b4590409-0ea9-4c53-b663-c5c20af5e7f9/
SH256 hash:
d434e7cb4105d7e760a39a1a8a1306338b00fbd6507025d53e4c44ede73d3788
MD5 hash:
6613b992e916924c3f38a179bb9866ab
SHA1 hash:
cd5741f4d0a4685c5fd9c9e2e708bbf33ec1691a
Link:
https://www.unpac.me/results/b4590409-0ea9-4c53-b663-c5c20af5e7f9/
SH256 hash:
76cd5f994be53f3f24e2b2018263b9ab582e84870ee8d24f38c6d11adae3688c
MD5 hash:
e26a74c3a4ed07700a690e1763ea18b8
SHA1 hash:
02b7b6075564632a4671ea51bf1a1a0a2bfc8200
Link:
https://www.unpac.me/results/b4590409-0ea9-4c53-b663-c5c20af5e7f9/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/76cd5f994be5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/76cd5f994be53f3f24e2b2018263b9ab582e84870ee8d24f38c6d11adae3688c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 76cd5f994be53f3f24e2b2018263b9ab582e84870ee8d24f38c6d11adae3688c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1667253/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196721/

Comments