MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79cb41c5d286b5e8062a31de81a893f221a8ea7bc887a74030b3802dbf5bc619. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79cb41c5d286b5e8062a31de81a893f221a8ea7bc887a74030b3802dbf5bc619
SHA3-384 hash: 56f181036a82e829c47f9d7abef9a9f0eab65e5700bdb6f9a3f37a7b6a7b1782c35da83a52993ea568019972fd0adafc
SHA1 hash: e65c471126339e5415518d896197bc17c6830a95
MD5 hash: 9fc8a2ba5be6233cd051a5cc29a5dec0
humanhash: enemy-minnesota-pizza-beryllium
File name:SHIPPING INVOICE DOCUMENTS.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:569'344 bytes
First seen:2022-02-03 09:10:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RK7p3d1JNYkmlS/aM1nJ+Jt7GRsBlkrhcYPX1J:S1JNse1ncJtiL9ck1J
TLSH T12EC4E1A1F69755D1F46F9A32217AB85102363EF3ADC6DA091324F2094BF33904F76A4B
File icon (PE):PE icon
dhash icon 1d19094a5b2f371e (26 x AgentTesla, 4 x NanoCore, 4 x DarkCloud)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2fb9e368179d41ca5093462e9ad5d4c2
Verdict:
Malicious activity
Analysis date:
2022-02-03 12:32:08 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/841e61f7-3371-4831-b770-d0966f7cfd7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/231835/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2388ba3e-bef1-404b-90c7-f47fd82360ad
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933156
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/79cb41c5d286b5e8062a31de81a893f221a8ea7bc887a74030b3802dbf5bc619/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 04:09:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=phfudrosq226qbrkghpidket6iq2r2t3zcd2oqbqwoac3p23yymq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fi46 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220203-k5nfhaehaj/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook
Unpacked files
SH256 hash:
9f69e80be1c801708018ce3ec18439be39c75eafcc3bb7bdd22b179c9e8419b0
MD5 hash:
cf5a72ab2023890998e0345076f7c3ae
SHA1 hash:
5d1109ea28b9e2f84ac3206fbaaf4f6e95d6593a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f8d5b55c-052d-4c4f-8df7-4c1aaa857b34/
Parent samples :
79cb41c5d286b5e8062a31de81a893f221a8ea7bc887a74030b3802dbf5bc619
8e910fbfbf759e992ecc19c25080e7b16db746df5f559d3ba3ae887b857c11eb
c48deffa7188f31de3b9347530cad3dee6b5f4a5afbe89c9e50629a6611bdec8
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/f8d5b55c-052d-4c4f-8df7-4c1aaa857b34/
SH256 hash:
9d338410b40a9de56c2ce7fbff30be38bb0b45475ecfacded5675d172b3b10a4
MD5 hash:
22157f4c0a08439ebef85cd7594ccdfc
SHA1 hash:
38e3826c1376520a728d309b0b526bb8a7b6d982
Link:
https://www.unpac.me/results/f8d5b55c-052d-4c4f-8df7-4c1aaa857b34/
SH256 hash:
79cb41c5d286b5e8062a31de81a893f221a8ea7bc887a74030b3802dbf5bc619
MD5 hash:
9fc8a2ba5be6233cd051a5cc29a5dec0
SHA1 hash:
e65c471126339e5415518d896197bc17c6830a95
Link:
https://www.unpac.me/results/f8d5b55c-052d-4c4f-8df7-4c1aaa857b34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79cb41c5d286b5e8062a31de81a893f221a8ea7bc887a74030b3802dbf5bc619

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 79cb41c5d286b5e8062a31de81a893f221a8ea7bc887a74030b3802dbf5bc619

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/231835/

Comments