MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89cdf1763a4e844821117df0e03d1447ec951fa3d512e53356c1af5c1a96b2d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89cdf1763a4e844821117df0e03d1447ec951fa3d512e53356c1af5c1a96b2d0
SHA3-384 hash: 6a52ef5b43cfdfe22570687be945f735f03dd5d42e572ea88db066761f87e576fb9caec28c173fecda25364f115ee89a
SHA1 hash: d7707e6f4eb36879f37f4f465bebadd7155335c5
MD5 hash: 9b3b2664392343501c64b8bf768331ad
humanhash: lithium-diet-steak-mike
File name:Kn7vI9IYMc3QOV4.dll
Download: download sample
Signature Formbook
Create hunting rule
File size:715'264 bytes
First seen:2022-05-25 09:20:57 UTC
Last seen:2022-05-25 09:49:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:hGZFF2PzeVSBIe/ByUhNmMGDq8gQyGF9nxQY3lhzSqNP966GrAGQ8s7KFqkxM:nKubJ1hkbDq8gQyG31Au4rAfKFq
Threatray 15'949 similar samples on MalwareBazaar
TLSH T1E8E4E09D326072DFC877C976C9A81C60AA61746B931BD207E017159EAE4DAE7CF201F3
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter KdssSupport
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Kn7vI9IYMc3QOV4.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 09:14:30 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/922206a9-570d-4d0c-8481-438580283f78

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274452/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Searching for the window
Creating a window
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628df4ff0be8a16da4ea69d8/reports/fe74254c-d014-411a-9fd3-932b5d3cc98a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa274f7c-9821-4c4b-8c87-3a22af151f8e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001424
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633933 Sample: Kn7vI9IYMc3QOV4.dll Startdate: 25/05/2022 Architecture: WINDOWS Score: 100 43 yellowhead.vote 2->43 45 www.yellowhead.vote 2->45 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 8 other signatures 2->59 11 Kn7vI9IYMc3QOV4.exe 3 2->11         started        signatures3 process4 file5 41 C:\Users\user\...\Kn7vI9IYMc3QOV4.exe.log, ASCII 11->41 dropped 77 Tries to detect virtualization through RDTSC time measurements 11->77 15 Kn7vI9IYMc3QOV4.exe 11->15         started        signatures6 process7 signatures8 81 Modifies the context of a thread in another process (thread injection) 15->81 83 Maps a DLL or memory area into another process 15->83 85 Sample uses process hollowing technique 15->85 87 Queues an APC in another process (thread injection) 15->87 18 explorer.exe 1 6 15->18 injected process9 dnsIp10 47 www.thorrmetals.com 43.241.37.192, 49703, 80 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India 18->47 49 www.reachaware.space 185.68.16.61, 49708, 49709, 49710 UKRAINE-ASUA Ukraine 18->49 51 17 other IPs or domains 18->51 39 C:\Users\user\AppData\Local\...\vgau6_duf.exe, PE32 18->39 dropped 61 System process connects to network (likely due to code injection or exploit) 18->61 63 Benign windows process drops PE files 18->63 65 Performs DNS queries to domains with low reputation 18->65 23 rundll32.exe 1 12 18->23         started        26 vgau6_duf.exe 3 18->26         started        file11 signatures12 process13 signatures14 67 Tries to steal Mail credentials (via file / registry access) 23->67 69 Self deletion via cmd delete 23->69 71 Tries to harvest and steal browser information (history, passwords, etc) 23->71 75 3 other signatures 23->75 28 cmd.exe 2 23->28         started        31 cmd.exe 1 23->31         started        73 Injects a PE file into a foreign processes 26->73 33 vgau6_duf.exe 26->33         started        process15 signatures16 79 Tries to harvest and steal browser information (history, passwords, etc) 28->79 35 conhost.exe 28->35         started        37 conhost.exe 31->37         started        process17
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/89cdf1763a4e844821117df0e03d1447ec951fa3d512e53356c1af5c1a96b2d0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 07:31:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 41 (56.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhg7c5r2j2ceqiirpxyoapiui7wjkh5d2ujokm2wygxvyguwwlia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01271534c6ea0137c8b7e38b66b13f34272d3196fd8e0926c2d24b3a7c4547fc
Formbook
33eff767b99def77e4d5ca2586a16b3e573b38b675d03dad841761093f067227
Formbook
3bdf54d6b07a96a026ed34f1db8d5cc442c1a211d02ff888659d7263ccc77c4c
Formbook
4a03cbfeb260c4c92a31e3c5e9d2ef539122ee9b7dc087a9d4db6073959de557
Formbook
6b19bf1ec55b55f38c00c74fd66dd45c8d7e12eebebca913c4d21152ed0ced8c
Formbook
b4e446102081c3dda96a91145270f8a13ce318b708bea3921bc286e4c6fcc2a2
Formbook
cc715fcd2300c306a1254671a3119516a60d0662b5776a690e0c2b451f868d34
Formbook
d951d78db324f840c3dd3233c7900a8193329d769550cbf1c8857d5ef3fb5252
Formbook
ff47ef125994c6d17fac2dbd14e98b1ce62b63233bf2ae5167a59a1e6ce848d1
Formbook
+ 15'939 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:zu08 loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220525-lbbqaaheh8/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
999f56bcf47a52e9532d726f8591c22bbf92377a9c771e07b3698078ac178bce
MD5 hash:
a8956c5a544bc95926729cc2a7b6d887
SHA1 hash:
fcdd94ffc7f88d47f1154f7347de24bf5642003e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5abb17b4-45f2-4595-a8ce-c3f893c5dafb/
Parent samples :
3c527de135d22c07a5d30fa7b77508aba40953749118d516b4d148aa83e4e895
89cdf1763a4e844821117df0e03d1447ec951fa3d512e53356c1af5c1a96b2d0
b3079271c72a5c63650370194d8ad28525c77fc82597c27814721f9e7353ce7f
a93c67d2ae1acd50d6d898346aef23fb611bc48ec65424c71d59a309beda6007
decd4856d8e7fd3697f2d31c429a87bb46ffd0a8036707ebc1c59de447f36525
SH256 hash:
c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2
MD5 hash:
86f922d84e1b89f646bc23cb3d878a9c
SHA1 hash:
b61f4401c1a144d704988cf4e55dd9a71f8d8263
Link:
https://www.unpac.me/results/5abb17b4-45f2-4595-a8ce-c3f893c5dafb/
SH256 hash:
e85b5edea1925d8a36f93e1a7421d1bdd19d3a7a31640dc5c5fffaccff0b3ff2
MD5 hash:
3d44a072b8c42659dbac04060f1ca437
SHA1 hash:
a1d449f3a7254b08e86c82387ca8fd911fc51cd4
Link:
https://www.unpac.me/results/5abb17b4-45f2-4595-a8ce-c3f893c5dafb/
SH256 hash:
cbf2d800632585fa6d45c56f33c5c329fbe19a6b5f92e440d8a09020a4e6439c
MD5 hash:
9f2602b03c2c1da557c5b280b88f34be
SHA1 hash:
580f36bee5b951089f5cdecc6cb549747146ea8b
Link:
https://www.unpac.me/results/5abb17b4-45f2-4595-a8ce-c3f893c5dafb/
SH256 hash:
d9ce24114b1994cf421a18ff209a4ba47e2a33015d3e269ad90fbb9f89a88588
MD5 hash:
a0f3bdbb96e4d805cd71ba4c2591a845
SHA1 hash:
3ccca85a5a3dd2a6d1705541aa6526e0c6593d5f
Link:
https://www.unpac.me/results/5abb17b4-45f2-4595-a8ce-c3f893c5dafb/
SH256 hash:
89cdf1763a4e844821117df0e03d1447ec951fa3d512e53356c1af5c1a96b2d0
MD5 hash:
9b3b2664392343501c64b8bf768331ad
SHA1 hash:
d7707e6f4eb36879f37f4f465bebadd7155335c5
Link:
https://www.unpac.me/results/5abb17b4-45f2-4595-a8ce-c3f893c5dafb/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/89cdf1763a4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/89cdf1763a4e844821117df0e03d1447ec951fa3d512e53356c1af5c1a96b2d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274452/

Comments