MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8758f458706398482da8fd640966abb634405b6f580802ac83077117a9fc64e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8758f458706398482da8fd640966abb634405b6f580802ac83077117a9fc64e1
SHA3-384 hash: 861eb718bb9c2937946841b922f6edca28d041b4a592582859c681e06be0fb869d7d3321407b061e63cd53fbbf0b5ef8
SHA1 hash: 47be991ca9e053ca63b4b1a5038cd00ab316525b
MD5 hash: f4c5e8943e65fc4e7e8a8fc4ec83f90e
humanhash: pizza-jupiter-sad-delta
File name:SecuriteInfo.com.Variant.Bulz.151977.7176.23903
Download: download sample
Signature Formbook
Create hunting rule
File size:468'992 bytes
First seen:2020-10-25 10:44:30 UTC
Last seen:2020-10-25 13:27:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:sdw/z24UN2687P7aNVvg+y1MhZEmvWN6UjFdV1:sOa4467GNgiE3jFB
Threatray 2'694 similar samples on MalwareBazaar
TLSH 3DA4C0727D92587ECAAB0775116985C1FAB626C73FA08B0D716F430C1E10B6BEB1325B
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75681/
Detection(s):
SecuriteInfo.com.Variant.Bulz.151977.7176.23903.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Creating a process from a recently created file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/509513
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303794 Sample: SecuriteInfo.com.Variant.Bu... Startdate: 25/10/2020 Architecture: WINDOWS Score: 100 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected FormBook 2->36 38 4 other signatures 2->38 10 SecuriteInfo.com.Variant.Bulz.151977.7176.exe 8 2->10         started        process3 file4 26 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 10->26 dropped 28 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 10->28 dropped 30 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 10->30 dropped 46 Writes to foreign memory regions 10->46 48 Allocates memory in foreign processes 10->48 50 Tries to detect virtualization through RDTSC time measurements 10->50 52 Injects a PE file into a foreign processes 10->52 14 AddInProcess32.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Tries to detect virtualization through RDTSC time measurements 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 process9 19 WWAHost.exe 17->19         started        signatures10 40 Modifies the context of a thread in another process (thread injection) 19->40 42 Maps a DLL or memory area into another process 19->42 44 Tries to detect virtualization through RDTSC time measurements 19->44 22 cmd.exe 1 19->22         started        process11 process12 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8758f458706398482da8fd640966abb634405b6f580802ac83077117a9fc64e1/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-10-25 07:12:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0de7b2b7c4e9974b9343de9666287a7137614cbcffc5f89932601b503712002a
Formbook
23b880c48fec41fa4fc337f0ecb3d9cd5ee8f71cd45448049a35bbcb85bb01f5
Formbook
2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Formbook
353e4fd91fe618f5c22c9cae00e7575e9b1914576ff7e332d03ca3e9f7dbbbbc
Formbook
4458df211fccf5c1d24b96ebb7b4191cc94edc0b0e13bbb80ae3919f015297d9
Formbook
6612e640d15ed26414fc5c288b9bb7050db90517febb11d4b5145fb8d84441b9
Formbook
ad660d774f78137622d038976557c8782211dbfd39d2ff9a7a4bcc9279ba0f41
Formbook
cddef48cbafa5561f43fd788cfc08215af2c8c4d700bbad363c467e60ad0eda1
Formbook
cedead5dd0528f69da0617580afc0bcb6dd52eb05ad35dc2f24ec45179851e62
Formbook
d5b7a34c6294b2505366e81e4bcaa48943ddc338a1f78ae8f990e3dcf413182a
Formbook
+ 2'684 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/201025-hhtzhbkfza/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Adds policy Run key to start application
Formbook Payload
Formbook
Unpacked files
SH256 hash:
8758f458706398482da8fd640966abb634405b6f580802ac83077117a9fc64e1
MD5 hash:
f4c5e8943e65fc4e7e8a8fc4ec83f90e
SHA1 hash:
47be991ca9e053ca63b4b1a5038cd00ab316525b
Link:
https://www.unpac.me/results/c6ddd728-a186-47bb-96f7-149949d72ca8/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/c6ddd728-a186-47bb-96f7-149949d72ca8/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
9705f6856a88e616cfd1885bdf2d4938db2abe04d78377bc892f8537a0b98559
MD5 hash:
b05e7b532443fc8b72d8315594f5135a
SHA1 hash:
e01dbdf3547d0348fb6cca031cd1df8a41964485
Link:
https://www.unpac.me/results/c6ddd728-a186-47bb-96f7-149949d72ca8/
SH256 hash:
f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd
MD5 hash:
a92da98ff6f5ae608503d074617bcc2a
SHA1 hash:
d3eafcccca011bb3a7a5ae52dd9704ceafcde472
Link:
https://www.unpac.me/results/c6ddd728-a186-47bb-96f7-149949d72ca8/
SH256 hash:
d80f9eb9dd6d3388802966ab437bb7329a84f462db3c550c2f8fe8d59ca14c4d
MD5 hash:
08a174ddb1d56c135a0b8146265808c8
SHA1 hash:
224c78e989f6cac6bcc2e9901ab5f4325d5f9be9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c6ddd728-a186-47bb-96f7-149949d72ca8/
Parent samples :
8758f458706398482da8fd640966abb634405b6f580802ac83077117a9fc64e1
42fdf8ea94129772b3a3a9cb027ae40613d5aba9de2b6f32f801d00f1c5ccf44
SH256 hash:
856dff0c734a69a02257141bf49fa13180e960ca4f34dc5f7c30804f00c55975
MD5 hash:
0312e3671e9391a7549680b2b6fc3766
SHA1 hash:
4a4f1f5a14e8a239f32e85271b1f94143c5c41f6
Link:
https://www.unpac.me/results/c6ddd728-a186-47bb-96f7-149949d72ca8/
SH256 hash:
49648284f0ef87467035168875bcf6a60088383881f4c47caadedccb11c02a07
MD5 hash:
6158291b60d0e78650751ad6d46dd7b3
SHA1 hash:
7f91128ae1b4c5d3920e3cac68376a8630325595
Link:
https://www.unpac.me/results/c6ddd728-a186-47bb-96f7-149949d72ca8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8758f458706398482da8fd640966abb634405b6f580802ac83077117a9fc64e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8758f458706398482da8fd640966abb634405b6f580802ac83077117a9fc64e1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/75681/
  
URLhaus
https://urlhaus.abuse.ch/url/746769/
  
Delivery method
Distributed via web download

Comments