MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b44615acd4fd89243a9ec2bd8eaeef1c13eac7b28136874d02614d8c7e68a57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b44615acd4fd89243a9ec2bd8eaeef1c13eac7b28136874d02614d8c7e68a57
SHA3-384 hash: c4ba7d7d3161c672a1ac26afee98add2039692ff3fc374d94d48ac49dd08678c59bc711a36e2064cc983af51d65d5c13
SHA1 hash: c202f6acfc772aab6afb9ddd017145a48dcc08df
MD5 hash: 6773c374e46b1729cff1b6d4dd7696d8
humanhash: eighteen-ack-avocado-single
File name:20394403939209394.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:246'272 bytes
First seen:2022-06-11 03:17:40 UTC
Last seen:2022-06-11 03:33:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:zgxcQCkYLnzC+6Eyl43fk08aFFU+uahp5p:8VYLmpB43F375z5p
Threatray 14'387 similar samples on MalwareBazaar
TLSH T10F34F19E7B8F9F63D1AC05BE80E332550374C426824BF30BAACA45A51C5B7DF6662D43
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ead26acac2a2aad8 (2 x AgentTesla, 1 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
388
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
20394403939209394.exe
Verdict:
Malicious activity
Analysis date:
2022-06-11 03:19:25 UTC
Tags:
formbook trojan stealer phishing
Link:
https://app.any.run/tasks/b4b41031-d952-4ddb-8885-a258dede914d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/278843/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.MN.10.10420.18709.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook obfuscated packed phishing
Link:
https://www.filescan.io/uploads/62a4097a73b91c38f67fd91c/reports/05760f28-246f-485c-aa6d-22567a0d76f1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0231939d-5fb7-4553-a4c5-3ec271b886ea
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1011231
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b44615acd4fd89243a9ec2bd8eaeef1c13eac7b28136874d02614d8c7e68a57/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-11 01:06:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rncgcwwnj7mjeq5j5qv5r2xo6hat5ld3fajwq5gqeyknrr7grjlq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0faec73ed1db547543f60583c935b57a60318f8f7e8c37da4686ac3de098309d
Formbook
2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
Formbook
67db5982545c91192a7c4fcaa3cbe5324de3e69faa1af275b05926d80eda889d
Formbook
7b5672bb126b9c9360ca6373b75fbc00af40888c20d40391f55bb239a786b934
Formbook
8a7f3b43db0c90726177dc2825f23869cb9c73da6dcd1497141b56fac54635cf
Formbook
8e4ca12811ae20874923d590e85c6e0a4c591fa3dfe754cce7c47433b713b9c8
Formbook
cee7405ff87829bb8a24223967a1e8f6a26d3960d5b63d1145d77bffaad1bc5d
Formbook
+ 14'377 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m56u rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220611-dtln7saddm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
7ff037f525d6d0dd25c1c78529dd5da8c0e847f1d234d34911de2e88015386e0
MD5 hash:
a1e77401be14590790a9523f9c71f522
SHA1 hash:
07c90c592b106c9a1adcc4d205da072bc4ff0a9c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c205909a-c303-423f-bf7a-2702d33cb0a3/
Parent samples :
8b44615acd4fd89243a9ec2bd8eaeef1c13eac7b28136874d02614d8c7e68a57
85a10f9329744d8c7ed58797d3a38beea00541b6fd45a51fe1e6887d4caf411f
8a3206a8bbf5056d7cb774be843c2a067aa8643e44c58c63e3e9cb65ce0f3fc4
2620668118d8ade45d0de6c49ea4c2af6213ff0e7d0b312b8ce8e080eba6c32b
b2834803a56b0fcfa98844491234dff7ffb74afd7e3adf821446f8c18955b585
7952c76d1d86927893a2ef8ca0a23bb1b45af38565f2ad9cea09a942bd5059f8
712d9e2373914cd9231c6c55a5d919efa6df53194b2c06b03695501dde071760
696ea6f69112d4d80b34a8dc589c16db71217fc6aa75567cb081bd02c56612b2
SH256 hash:
2cd63a6be4208529c71ebf0be88481d14c97fd37af9891e6aac4c9174024d0b2
MD5 hash:
d0b6adf67bc604c4b94c88429d6f36f3
SHA1 hash:
1583903225a3a1b963909513811df81294ca6ec0
Link:
https://www.unpac.me/results/c205909a-c303-423f-bf7a-2702d33cb0a3/
SH256 hash:
8b44615acd4fd89243a9ec2bd8eaeef1c13eac7b28136874d02614d8c7e68a57
MD5 hash:
6773c374e46b1729cff1b6d4dd7696d8
SHA1 hash:
c202f6acfc772aab6afb9ddd017145a48dcc08df
Link:
https://www.unpac.me/results/c205909a-c303-423f-bf7a-2702d33cb0a3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b44615acd4f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b44615acd4fd89243a9ec2bd8eaeef1c13eac7b28136874d02614d8c7e68a57

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Saudi_Phish_Trojan
Create hunting rule
Author:Florian Roth
Description:Detects a trojan used in Saudi Aramco Phishing
Reference:https://goo.gl/Z3JUAA
Rule name:Saudi_Phish_Trojan_RID2E2F
Create hunting rule
Author:Florian Roth
Description:Detects a trojan used in Saudi Aramco Phishing
Reference:https://goo.gl/Z3JUAA
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8b44615acd4fd89243a9ec2bd8eaeef1c13eac7b28136874d02614d8c7e68a57

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/278843/

Comments