MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8da8ab7799160b2a841085ed3d908c91c45eb87a10717f088fb4a72a93a07713. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8da8ab7799160b2a841085ed3d908c91c45eb87a10717f088fb4a72a93a07713
SHA3-384 hash: b868804ed8a2d57f24e12ec519f92b453dd1d9500e00fb2952e5ed6271cb826c459c3718c501a10d6ef21ce32d37249b
SHA1 hash: b5d843a5b1c1c0bc5ca9f74f05dc0c02ca651391
MD5 hash: 84abb4642cb383a894821636442f18b3
humanhash: grey-four-foxtrot-triple
File name:84abb4642cb383a894821636442f18b3.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'141'248 bytes
First seen:2022-02-01 16:55:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:nJsjWqTU5+hbrTvTa0Ign6UZtY6ukX74Cni3AVOVkBGG:JM3TU5+hbr3rn6MY6ukJdGG
Threatray 12'997 similar samples on MalwareBazaar
TLSH T16D35E164B6A78542F40B8F355468B52002B2B4D369C7DE376F6836489FEEB8C2E4534F
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/229264/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61f9662f18d1bfdde4e75ff8/reports/9b28d324-b1e7-4e68-ae45-cea5642bb0e8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/118dc679-a562-4936-814e-cde421f79402
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/931865
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 564343 Sample: IhA4ECpBbF.exe Startdate: 01/02/2022 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 6 other signatures 2->42 10 IhA4ECpBbF.exe 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...\IhA4ECpBbF.exe.log, ASCII 10->30 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 IhA4ECpBbF.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 signatures9 34 Uses netstat to query active network connections and open ports 17->34 20 NETSTAT.EXE 17->20         started        process10 signatures11 44 Self deletion via cmd delete 20->44 46 Modifies the context of a thread in another process (thread injection) 20->46 48 Maps a DLL or memory area into another process 20->48 50 Tries to detect virtualization through RDTSC time measurements 20->50 23 explorer.exe 1 126 20->23         started        26 cmd.exe 1 20->26         started        process12 dnsIp13 32 192.168.2.1 unknown unknown 23->32 28 conhost.exe 26->28         started        process14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8da8ab7799160b2a841085ed3d908c91c45eb87a10717f088fb4a72a93a07713/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-01 16:42:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3090eb9593159bb7832f0d55b935396e585d8095b4c7c5f07922848a41a20d70
Formbook
3d4e25f876b2007b8b03a1d79109a52fcb5602644fb4554eb065f97853daa5de
Formbook
5fabf5c9fcceb520d7023eaf53122959f42bdb4b1c82bc916baa4bbb94f787ae
Formbook
96de11fc0f948fc3039f297475ba8abfcedaa7a9718634359286fe49156cd216
Formbook
a9ee744d7181c80db0ffbabf36933b815cf8b731ad6fb920393fb325cdfce9cc
Formbook
b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9
Formbook
c6cbe14f336bc97cc4bf2db682cc36efc1b371f6cc45509ee347c29348903676
Formbook
d67dff51d41111e44fe4dc61b5c741d7cae81e1397dbf55bdd3bd0dc144f342f
Formbook
eb267eb6493edaf0a9845917245f1cac006ed232ad0fca8969be3886009242af
Formbook
f2d58fc68302fb9cfc6ba93ca4f01f17c8baf7fef4cdfef59638e61fa4f54ad4
Formbook
+ 12'987 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220201-vfpblshfgk/
Unpacked files
SH256 hash:
5b80fb53b480e078e41121899351c3adb0fc2df45ecc166ac9b8c743c73f1e8e
MD5 hash:
fe66fdb20cca2723504be9a7f61a52f5
SHA1 hash:
c5ec9bd3c41236b1bd62bee8dbb2c75c26296e9b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/44a95564-5590-45c1-b477-1ca55b2b4f2b/
Parent samples :
5fabf5c9fcceb520d7023eaf53122959f42bdb4b1c82bc916baa4bbb94f787ae
0be852dc052384c403f96e94c0f681c8d4b2429dbb413f9abe896e39f5cb7285
8da8ab7799160b2a841085ed3d908c91c45eb87a10717f088fb4a72a93a07713
9a0379b9363f704c49db190841ceb559ebed609d90f795df77ccf3b23765fa5d
SH256 hash:
3d0f4e39aa3a87bc0ae7e17852cae00e5367e4d168e313f3c24ac3c25be653fc
MD5 hash:
66bf22314a14d003ecd216265058e0aa
SHA1 hash:
bb57f39995d2cb4dc3a3f4a80b985d842edd9731
Link:
https://www.unpac.me/results/44a95564-5590-45c1-b477-1ca55b2b4f2b/
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/44a95564-5590-45c1-b477-1ca55b2b4f2b/
SH256 hash:
8da8ab7799160b2a841085ed3d908c91c45eb87a10717f088fb4a72a93a07713
MD5 hash:
84abb4642cb383a894821636442f18b3
SHA1 hash:
b5d843a5b1c1c0bc5ca9f74f05dc0c02ca651391
Link:
https://www.unpac.me/results/44a95564-5590-45c1-b477-1ca55b2b4f2b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8da8ab779916/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/8da8ab7799160b2a841085ed3d908c91c45eb87a10717f088fb4a72a93a07713

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8da8ab7799160b2a841085ed3d908c91c45eb87a10717f088fb4a72a93a07713

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2009378/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/229264/

Comments