MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466
SHA3-384 hash:	dd55755325c5fccc397e8d0d4f5e2f0b28fb0cadedfed14e6ac2e447d454d10419f4b038fc50b848a87bdbeba5342089
SHA1 hash:	fe7079f5b3d214e154c79e309268c24f2d36f671
MD5 hash:	19fd1d75fa84cbb9682875119bfdd285
humanhash:	glucose-fish-nineteen-massachusetts
File name:	PI-ZER-20221907.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	536'064 bytes
First seen:	2022-07-19 11:08:20 UTC
Last seen:	2022-07-19 12:05:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:d97KIZfdIzRvPdMpMRA17eiYA/rtth6+:XOsVIN1MpM27/rtr6+
TLSH	T17EB4BD362E379414FEFDC238BCD0B39042247ABEACD91F86E544B6CA31B72D456705A6
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	66c29abaaaaaaa86 (20 x AgentTesla, 10 x Formbook, 7 x SnakeKeylogger)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/291849/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.26401.27928.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a file

Searching for synchronization primitives

Сreating synchronization primitives

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62d6910eb1b58ed7a171ef52/reports/0afab716-0d43-40fd-b644-7ecb9ebd286c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ea962dd4-05bf-4134-860a-15640d369313

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1036451

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected Costura Assembly Loader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-07-19 10:21:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qlw6xvz3nm3gciom7gygn4ne2fak5vjhz2ifrbtp3x5bw74iirta._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:mh76 rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220719-m84yrsbfg2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blocklisted process makes network request

Formbook payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

7a51903ae0e79eed1bfa29e36ea357d2ee255dec218016e91c5e287b55ae58e4

MD5 hash:

dd063f1b073b45bc3a4fe25c5a859eeb

SHA1 hash:

b2ea62711693c89ac6376c2075f951de302a779e

Detections:

win_formbook_g0

win_formbook_auto

FormBook

Link:

https://www.unpac.me/results/40612687-47b8-4288-b48f-74c98c466637/

Parent samples :

76381a94a940a4d2b7f4ecf9ab6e507eb1ab9dfb1deb27ef852b632ed069865e
b185a143f0152879be32508681282a6bf45d12f0d4d9525ac95f026990d82c87
24ef19db63cfcc0cebad5f54758de38284812b707ed53e9f404be03780451d39
d675408e7dcc87922c9d654a5c4f387f70d4a06ad99bad187753d90ee6381a87
1c6a3fdbe07eca91bb067a9ba1c90bd87df0d94a0f8c9d870c792baa4a040c45
1d040cec4469439a6c402ec04abf157a02b202fe4ddafe280d96b937b7eadce4
75563869f37196a473d163e40a4f393ba74b4c5feac4e178c83f670da5dd2762
25c9de9dfbbf115f5809dbbf9e246bebfa8b1925e99f070fa6233ad62ee22b9e
165f7a262d388cf63fc7f360cd1e2f1b7a6370586c8cbfce04e458800aca1d7a
bdb2cd093592b1e41acbf2e35565f0639628b86da36b1e6d49dcf1f81b751832
c767db1d9bb5f369f3a2d395412c98f71de29cf829800a2494a2c0dec8e4a57f
78c8c0aa6b6c7368ce2e9a6edb76db71162d7335c6da4f8489b276cd742f768b
a328bc2d66baa94dc748b1a450a0ede9601ff9ccec5ff2cfd043e669383ba295
43aaf13fbc49a0763cc55dfdf174892b76cc0b74a8698886d9376a4954e00818
a1eb3ccf50d23e3e49d659d55ca85c70d02e9c22a16b6e9f5270793a8487aa27
2d1a6fc2908bac0f7870588ab6f35467ea691f17ba2cb130b62fae506d630046
84b0888a5a6938795c26a681435c52a25c16fe2d1e6230112df171024c8767df
419127a78f8b1a361cab37011662b2ce411af7f4ad59d0f35ce5ca98eca1b92a
22f45817bd8b33de74fe1cc7db5569bd6af759b8fa1bd632ec37d4c7c822cfe1
ec77a02fcb9c5b393ed013b267010cf06e75550e8d977cb054d8e3fe681d8e6b
20abbef0a386be20828344f159293e55cfcf89942c3b26c21acc7b052fbe896d
6de2ff8d01687f6c88e2bc2c19407be670e1ece621227503eacac934739e67c7
82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466
3702b6cfa76e492d56bd9da5f99f7ff805e32c16b3840ee66bb13a812f5d3155
8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201
b3a3645cf2d804bebd0d8049b70c95ae545ff06ca2acc9f85721a1d1f3c9b5b8
aa9c86a823e654e20b42edc829a890f08b0ffffaaa4054ca0033e0b4fae5765b
87fdf41f3af47dc20348fe21148546a943111c455ffb9a8cd73b1beb77513ce4
3f4e8eda03283329f391e111c756f7b6ece4a9bc0d41672af8c1f09baf2b1cec
b4be0d5867f091bff8f48d03dfdde04ff2e4189170c4168745568a1b20ed1c9a
b1f692dd52aae8317db7cfd262a4bcc053cf721fc7a00bf66f4acc7cb5cc6cbc
67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901

SH256 hash:

233e3e02b1db1ebed4465d121be92908a887b5345af0d54a26f848044832674c

MD5 hash:

17631c6e41b5d261541214c82926d67c

SHA1 hash:

073b0e5b439afb7f270f18baf936c603dd8a8e10

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/40612687-47b8-4288-b48f-74c98c466637/

SH256 hash:

9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026

MD5 hash:

9fbb8cec55b2115c00c0ba386c37ce62

SHA1 hash:

e2378a1c22c35e40fd1c3e19066de4e33b50f24a

Link:

https://www.unpac.me/results/40612687-47b8-4288-b48f-74c98c466637/

SH256 hash:

fd0a9065b9a31caa036b50711480664946877858c06ce87547261cea4f722236

MD5 hash:

1a39eb13cb62365f983ff365676b4b3c

SHA1 hash:

b90973c08d4258529dd3b721aa80e5f9a361ec8c

Link:

https://www.unpac.me/results/40612687-47b8-4288-b48f-74c98c466637/

SH256 hash:

9bb98d4d25770f8c4f37fdc710b8f5b524b991dcf83fa6479e42c578331f614a

MD5 hash:

3f2033893b85e52f99f6c9bf422a46bb

SHA1 hash:

8cea75aff82e97e9d322ea5ad6b6976db10d700d

Link:

https://www.unpac.me/results/40612687-47b8-4288-b48f-74c98c466637/

SH256 hash:

82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466

MD5 hash:

19fd1d75fa84cbb9682875119bfdd285

SHA1 hash:

fe7079f5b3d214e154c79e309268c24f2d36f671

Link:

https://www.unpac.me/results/40612687-47b8-4288-b48f-74c98c466637/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/82edebd73b6b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/291849/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample