MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2
SHA3-384 hash: c1406993a60e34cdcb021cd9265cc667e45a2b0af336f146ea6975c5facd0dca5e95bc0c91e81f152c8e6db0ff589dc7
SHA1 hash: b26796f41c9d265995a608adc51d604d7cb47851
MD5 hash: 05c21bf3df38d5b8365db71d94dbca37
humanhash: saturn-seventeen-friend-pip
File name:05c21bf3df38d5b8365db71d94dbca37
Download: download sample
Signature Formbook
Create hunting rule
File size:577'536 bytes
First seen:2021-10-26 14:28:38 UTC
Last seen:2021-10-26 16:44:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 50fa96e8bee8392937d77d1999426e98 (1 x Formbook)
ssdeep 12288:ZgdncS3vl2J8aN/EYA3lxI51aU0xLNoSrdhBWaCBKzfgE9AdORCjdza:Zgdnc6l+8m/ER7I51aU0RKSrdjWaqKzB
Threatray 10'826 similar samples on MalwareBazaar
TLSH T19FC4CE52736ADAF6F69620B00D94EF3518A4A9F53F3F0483BBD25D0EC438A841776726
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200264/
Detection(s):
SecuriteInfo.com.Variant.Babar.26763.27699.7240.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar fareit formbook greyware keylogger packed
Link:
https://www.filescan.io/uploads/617810afa9d585e6d53944af/reports/f737660c-b8cb-4575-a8bd-f0a3e2eb1cff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60b24dd9-3980-496d-8fb2-b13f263ae4e0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877239
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 509676 Sample: ddSNSKZ7UJ Startdate: 26/10/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 4 other signatures 2->43 10 ddSNSKZ7UJ.exe 1 2->10         started        process3 signatures4 53 Tries to detect virtualization through RDTSC time measurements 10->53 13 ddSNSKZ7UJ.exe 10->13         started        process5 signatures6 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 13->16 injected process7 dnsIp8 27 connect.shopbase.com 185.223.154.30, 49842, 80 REDSERVICIOES Spain 16->27 29 www.printyourdays.com 104.21.48.190, 49873, 80 CLOUDFLARENETUS United States 16->29 31 8 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 35 Uses netstat to query active network connections and open ports 16->35 20 NETSTAT.EXE 16->20         started        signatures9 process10 signatures11 45 Self deletion via cmd delete 20->45 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Maps a DLL or memory area into another process 20->49 51 Tries to detect virtualization through RDTSC time measurements 20->51 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-10-25 04:06:11 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
Formbook
26506e7d3f4821066fc1989a5c79afb4d1a316aa428f9e4a920644d93a80b495
Formbook
4bb96dffcc0b4cba1f4ee2ed04e32d724e486c88b0e8492b3e5efb1ec0928c0e
Formbook
73db754f5e709731e9c07c230fa6512ee75e07184c367e3f80b1bf646e7b72da
Formbook
87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e
Formbook
c18d5baf727358a8635a51fc7cfb4c3f4c90c78abcecf051feb4540323e98746
Formbook
d2aa010515bc8390084659013a1fd1e3e476e36ce46293281deb95c4469663f9
Formbook
fff77f3852a66a56bad4ec5bc1c1bc2afb0b08b8ea65393384a1ee6917dcb355
Formbook
+ 10'816 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/211026-rtkc2ahfg6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
bd1c1900ac1a6c7a9f52034618fed74b93acbc33332890e7d738a1d90cbc2126
MD5 hash:
18c5bd51dc833a73288d137a9cee7349
SHA1 hash:
c3bf87e4cf4073bd1e252bb7928b48c49e9ac899
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cb29c4ee-4bff-45dd-9f96-10b473f6f837/
Parent samples :
776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2
4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
38935c02661ece35d0287947cc94f02f5256389e1f47b43f701d01e67ef65d78
ce02bd114270b91b5f1b727ec890ab5e448f22f98e074e791b685d42968c88ca
3913a9784209fd5c73d1b4c31a77d8ba5ecd175c38cf7c1a1378951eee808f34
SH256 hash:
776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2
MD5 hash:
05c21bf3df38d5b8365db71d94dbca37
SHA1 hash:
b26796f41c9d265995a608adc51d604d7cb47851
Link:
https://www.unpac.me/results/cb29c4ee-4bff-45dd-9f96-10b473f6f837/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1715699/
Cape
Cape
https://www.capesandbox.com/analysis/200264/

Comments


Avatar
zbet commented on 2021-10-26 14:28:39 UTC

url : hxxp://104.244.78.177/abb01.exe