MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7
SHA3-384 hash: 54783a502ac9c2c86d6e1643c58b78c2cb00b2ffe3aa7d49346b42ff82cf8834c9cdbc275ad926cd874fb4b1a36f0a76
SHA1 hash: 50562d1ed8484b631397db5f37077e67ddfa60e1
MD5 hash: d947d670aefcb65eed9e9191bb6659b7
humanhash: purple-carolina-chicken-indigo
File name:MR# RFx 21-2034021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'110'016 bytes
First seen:2021-07-29 06:11:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:mtplhqy45/dp7aK64MEmM4KEadMBRkDGzwP6x:mWaK64hmM4K6iL6
Threatray 6'946 similar samples on MalwareBazaar
TLSH T1AC359D21B6C4CA2AE1AF83368EDE60144BFCFB523672E768BDE133B54909B51D4741C9
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MR# RFx 21-2034021.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 06:13:32 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/099eaa14-abc0-40e0-abcb-0c01edc2f129

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174870/
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67d247cb-45e3-4a50-996c-a4b5655102b9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823570
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 455982 Sample: MR# RFx 21-2034021.exe Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 6 other signatures 2->43 10 MR# RFx 21-2034021.exe 3 2->10         started        process3 file4 27 C:\Users\user\...\MR# RFx 21-2034021.exe.log, ASCII 10->27 dropped 13 MR# RFx 21-2034021.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.fusosstore.com 172.67.186.32, 49732, 80 CLOUDFLARENETUS United States 16->29 31 shops.myshopify.com 23.227.38.74, 49731, 80 CLOUDFLARENETUS Canada 16->31 33 2 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 wscript.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Gathering data
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 03:49:29 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p47jpzbdngtwxztirxbj7zy3qoyhkswmpxyiuystiyhchwt5dttq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674
Formbook
644b959318e7825454d8cdd4af75ddeb489c94a7754da360d4cd155bccc3a669
Formbook
96beadd4f79febff926c6b5071aad39d09f0a1c9d9810317d38d7ed95ce1559a
Formbook
a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051
Formbook
a3caa0df0bdb2bf954c259a2421958b79c61c5a2dfdefcfbf62b58129f66a56f
Formbook
c59d79d86f4d301a0d7c94df257fb8ab803bc69517bc6642e5d6ad4410a7a8bb
Formbook
d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f
Formbook
+ 6'936 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210729-mpxgmvt9ee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
CustAttr .NET packer
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.nouolive.com/wt5i/
Unpacked files
SH256 hash:
b631cbec8797356a20c9cc7fefe132f40eb822309fa77d5b293e79eb39a3cfa8
MD5 hash:
afe3532e924ae2ca6e39dac05e8ef1c6
SHA1 hash:
953d10b9554315b957cb76a60a2eb207f43cdb7e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b6d808bb-80f4-49d9-9d13-93f0337281b9/
Parent samples :
24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674
c59d79d86f4d301a0d7c94df257fb8ab803bc69517bc6642e5d6ad4410a7a8bb
7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7
30c70e6852155344b71c74dc919b365847a12ef299cda58501051f706e7bbbf4
1f9b5c120efbd32491158582492dc17322b805c955626fbe43f2136a77b1812a
4b1dcf9d1e2518e912abcee672aadcaed51f1aa435e3dc1b3fb43d047ec24f1e
SH256 hash:
8fa7633a8d48371685ef3e1dac7fcbccceae25cb7ac6080de2a2f456c2619f17
MD5 hash:
c9b92629f72304660adf053b6c85084d
SHA1 hash:
c3f208326e1122072ef8fa72967822d3f2b2d772
Link:
https://www.unpac.me/results/b6d808bb-80f4-49d9-9d13-93f0337281b9/
SH256 hash:
5bfe7756497be02131ce10841634e999b43fac10b7eda4a0fdbbeb92340b76ef
MD5 hash:
c1bbe777210d5f06340c6ce6ea987608
SHA1 hash:
5825d0a67deedd454620fcad837d52237f503885
Link:
https://www.unpac.me/results/b6d808bb-80f4-49d9-9d13-93f0337281b9/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/b6d808bb-80f4-49d9-9d13-93f0337281b9/
SH256 hash:
7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7
MD5 hash:
d947d670aefcb65eed9e9191bb6659b7
SHA1 hash:
50562d1ed8484b631397db5f37077e67ddfa60e1
Link:
https://www.unpac.me/results/b6d808bb-80f4-49d9-9d13-93f0337281b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/174870/

Comments