MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e
SHA3-384 hash: b2d2f543be3c2beb869eca03375f6577cfa862e124ed09e0047b3692166d735227725c125d68c481d46096a08d7ea865
SHA1 hash: 970a7c557a3a03ed961a7c80a23d921b497e9591
MD5 hash: 3b4282fd2c75ca33a6ffc10dc5ccd494
humanhash: river-blue-connecticut-bluebird
File name:scan_bank_transfer_09039838902982882.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:889'856 bytes
First seen:2021-08-31 05:23:52 UTC
Last seen:2021-09-05 05:40:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:MUDmUiAuNMwZmiFa6DzjLsb+CilQt6YNE:lDVX6X4VN+em
Threatray 8'636 similar samples on MalwareBazaar
TLSH T1B015D87E19FDA1E7C165C6B58FD3B527F0009B6E31106D206ED267164222A7AB0F336E
dhash icon b4ecccccd4c4ccc8 (8 x AgentTesla, 6 x Formbook, 2 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scan_bank_transfer_09039838902982882.bat
Verdict:
Suspicious activity
Analysis date:
2021-08-31 05:27:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f9c162e5-269f-447f-875e-b4740f14378e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183943/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/382b4db7-36bb-44d1-b5a7-a0b60fe8d1e1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842253
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 03:44:39 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrav6muaja56vw2knjddsiq5uoq2c3gcxv2ln7kijil62s4do5pa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
36b5ddc5914b203b4213ad5cc15cc498ad16691d84fb239220331fc83503e76d
Formbook
37f6df44b9dd38408fe5682c6d660eceb04a2915b3420576afce05bf3076bc01
Formbook
3cb62c9b4ec92c70df9795f481ccb5b50fd4f260441c23edcaf97c23396bf502
Formbook
52ac8ef8454aa3c6b7ea0b3332ec4f88640d30d27e276133197c5d00c85d7252
Formbook
818b8b831f3c774e034e2794f1eae71f62f5388355916e948b472cfdac7f5508
Formbook
9da4d8126ac0c4c0b68066407e24cf1a36e06f0fc22ef87b0a464f90c1374095
Formbook
c1a40dbca9d28ac760447f501d812b82312be281ee699fdcc4a6a543077caa3d
Formbook
e3f49f0b8d0d27770f262483e2931ab3c5d7683d2d2e086e97e99b1100269589
Formbook
ed1c8e0943e3e4877bc1732debf2c109ebe42dd4f88023db3b85246f25906601
Formbook
+ 8'626 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:im8r rat spyware stealer trojan
Link:
https://tria.ge/reports/210831-vpt7z5wq2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.5201314.mobi/im8r/
Unpacked files
SH256 hash:
c32d28c6475b3b24cac8b0d3354394f483fe4274178a844edacba4d3d949771a
MD5 hash:
6870cef3364d1f55c265e632a7008005
SHA1 hash:
7e4dfbabd7ba8840c99060307888cec54d757ead
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9308f463-6bf0-438e-9b46-2d9e5736a925/
Parent samples :
8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e
1e16b93c04940c45684dbdae5dd754b56235c72f5816af3955400371db5ef11a
cdcf7dceec7c87b052fcab71f7cd3316b2eb1c61aac56cec27844bb679e84346
SH256 hash:
07d0fc2f1d38e4a46276caf4a3824769e839012e9b740e80a4c021f1d01722cc
MD5 hash:
d0378f76d908cac10f4f688ef801472e
SHA1 hash:
90b93d1108a1a27a55256eaba20bf80444121959
Link:
https://www.unpac.me/results/9308f463-6bf0-438e-9b46-2d9e5736a925/
SH256 hash:
81f9eac76804c02f5baaa34c91b5775f965a34ad7811218d9c24e50cb6d9a90c
MD5 hash:
bae511742374b721136acaa03b0c1fa0
SHA1 hash:
215c50455b01a78ea173bbb034ddbe4b452ea734
Link:
https://www.unpac.me/results/9308f463-6bf0-438e-9b46-2d9e5736a925/
SH256 hash:
8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e
MD5 hash:
3b4282fd2c75ca33a6ffc10dc5ccd494
SHA1 hash:
970a7c557a3a03ed961a7c80a23d921b497e9591
Link:
https://www.unpac.me/results/9308f463-6bf0-438e-9b46-2d9e5736a925/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8c415f3280483beadb4a6a4639221da3a1a16cc2bd74b6fd484a17ed4b83775e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/183943/

Comments