MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718
SHA3-384 hash: fc38298c38b316c3e3f1b93ffb2048b422489690112b8dd57f45bd2c9f3f27f9e5cc26e4d52f5634e25f1a591ca6db33
SHA1 hash: d0dcfe62e1999222c7cba44cccd26d822aa277b0
MD5 hash: 56aa58132cd5b1d7123587ed0b473033
humanhash: blue-queen-lithium-fanta
File name:56aa58132cd5b1d7123587ed0b473033
Download: download sample
Signature Formbook
Create hunting rule
File size:742'912 bytes
First seen:2022-01-06 18:46:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:i8iohEeBMOmTFH4eqh5u5Wbq3dk9VX9SbACapYQI83Ymre9Sg:i8iKkJTFH4e0u5W+3dk9VXCAVpL33Pr4
Threatray 12'627 similar samples on MalwareBazaar
TLSH T19FF4CF2127E49528D06F537EE1A7805483F4F626AA87EB5D6EC4A0FC2C73B21CD513A7
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CAIR000475577.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-06 18:20:05 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/70794ef2-0f34-4c14-9130-267410be4cd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217596/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38461472.22254.24353.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware obfuscated packed
Link:
https://www.filescan.io/uploads/61d738f41c0d769df9d3a21e/reports/4c941541-0ddc-40bf-a024-046c21ea54db/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d90bbc3-8be1-4b89-aaf2-a99f48c9e83c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/916454
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 548932 Sample: FRq3x1ddl5 Startdate: 06/01/2022 Architecture: WINDOWS Score: 100 34 www.newenglandluxury.com 2->34 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 5 other signatures 2->44 11 FRq3x1ddl5.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\FRq3x1ddl5.exe.log, ASCII 11->32 dropped 54 Tries to detect virtualization through RDTSC time measurements 11->54 56 Injects a PE file into a foreign processes 11->56 15 FRq3x1ddl5.exe 11->15         started        signatures6 process7 signatures8 58 Modifies the context of a thread in another process (thread injection) 15->58 60 Maps a DLL or memory area into another process 15->60 62 Sample uses process hollowing technique 15->62 64 Queues an APC in another process (thread injection) 15->64 18 explorer.exe 15->18 injected process9 process10 20 wlanext.exe 18->20         started        signatures11 46 Self deletion via cmd delete 20->46 48 Modifies the context of a thread in another process (thread injection) 20->48 50 Maps a DLL or memory area into another process 20->50 52 Tries to detect virtualization through RDTSC time measurements 20->52 23 explorer.exe 1 141 20->23         started        26 cmd.exe 1 20->26         started        28 explorer.exe 1 147 20->28         started        process12 dnsIp13 36 192.168.2.1 unknown unknown 23->36 30 conhost.exe 26->30         started        process14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 18:47:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14642e431716be5f43044de68f915037e0358a401f59e490f5370cc5563a1a23
Formbook
207b6109319a9405ea9d3a379332b73c67e99a649029654f73e2a61acfb84f03
Formbook
2b61cfb00cc8a45fdae91c176c8e68be4ac7cefbe0fab5781e5fa44d2ec4ca9f
Formbook
6a7753dba591a0f953c07a4e13ef1682c3839bcc380545a647da6e24bef41786
Formbook
721c03c3cc73dddfcf27e473fc9d1962dd59b3cc7f7b70cdc17d2d6a049aed8e
Formbook
8f0a372287ebba19a62630d683fc3292df06a10faeaed2ac68cde0c5b2374844
Formbook
9b9e383f7635be680129b113ad1e827c61e2e2cf1ce7ccccd2f09b9a0a546494
Formbook
e2682ee08233df5afc90d9295165ffed0373e4f34278d99d5a30622c2577639b
Formbook
f13197aff6f530d9883aa1787cd57f4580c4c92bcaa5100f2641924c3e6867a5
Formbook
f383f40cc25197aa00a470f4b549f6da97293ebd87dd80b099d59d5fc7a2dab4
Formbook
+ 12'617 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a1m3 rat spyware stealer trojan
Link:
https://tria.ge/reports/220106-xend2abed5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
c88a5a9f1d1f452a735fd128d1b8781315236c21aef60dd3ca6d749e3863d4a0
MD5 hash:
cb5498afeb3287bcc08a84bff8c5e36b
SHA1 hash:
365b9cbdd07197b0d70b6e7b8fe8d7cc74b66be4
Link:
https://www.unpac.me/results/10a2ecb4-a700-4205-87d5-7d8e9634cd3d/
SH256 hash:
0648ef7cca995ebdfd5a5be719688f4e44a88e8d00dfeff37c20498d6da9229d
MD5 hash:
6472f1c8477e0626dcca7282c136b247
SHA1 hash:
7d9c10c19094372ea03c91f3bee41cceb13dc9db
Link:
https://www.unpac.me/results/10a2ecb4-a700-4205-87d5-7d8e9634cd3d/
SH256 hash:
3395ae547828ab55992804fa39edb1a44663c27ddafe62f4d4a344d052728310
MD5 hash:
513e09b6842187a1980b8890bcaaf0e7
SHA1 hash:
9627fbe7f7e409536690f080ca8530bf607861f3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/10a2ecb4-a700-4205-87d5-7d8e9634cd3d/
Parent samples :
86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718
9c22dcb8cc69a424918d06ac9e057015dc5993827fb30f5c4a80f05307f0d024
SH256 hash:
86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718
MD5 hash:
56aa58132cd5b1d7123587ed0b473033
SHA1 hash:
d0dcfe62e1999222c7cba44cccd26d822aa277b0
Link:
https://www.unpac.me/results/10a2ecb4-a700-4205-87d5-7d8e9634cd3d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/86d9f290badc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 86d9f290badc30732592c1af4705f3dedb1516cf25a4ec01a44b64fad834c718

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1953575/
Cape
Cape
https://www.capesandbox.com/analysis/217596/

Comments


Avatar
zbet commented on 2022-01-06 18:46:09 UTC

url : hxxp://192.3.22.18/zaga/vbc.exe