MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f0ccd5f4badc5caaa417896b3a66e97b994f0546d2299757fe601095e6e62bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f0ccd5f4badc5caaa417896b3a66e97b994f0546d2299757fe601095e6e62bc
SHA3-384 hash: b9959ff7302aa6ed429a2672efb6801164b5077916feef9f08cd085a73ba102fd5cc4c0b3b7150a8f4ddaca3a6334f4b
SHA1 hash: 14d678245c246c030d4b85a30cb120b89862dda6
MD5 hash: cb23e5950fda16d9db27e9b1acc71945
humanhash: wisconsin-utah-colorado-magazine
File name:New Order.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:625'664 bytes
First seen:2021-08-19 11:17:37 UTC
Last seen:2021-08-19 12:01:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:0S2Xa3TC8rF26LNla6k26ihKtWhFFarBPqlyHTpPRxOUHmtqA7d3rdJSecTwFZre:oaO8rFhLNlLk26q9SPqGNP/qt97dh
Threatray 8'102 similar samples on MalwareBazaar
TLSH T1BBD48CAC325179DFC91BCD77CAA82C20AA606077530BD243A01316ED9A0DADBDF156F3
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order.PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-08-19 11:19:23 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/12b35df0-1112-4066-9973-0ec777934fa7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180665/
Detection(s):
SecuriteInfo.com.ArtemisCB23E5950FDA.18799.19244.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/287a31ae-5c70-4567-8cd4-4e2a9269097a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835739
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8f0ccd5f4badc5caaa417896b3a66e97b994f0546d2299757fe601095e6e62bc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 03:17:43 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r4gm2x2lvxc4vksbpcllhjtos64zj4cunurjs5l74yaqsxtomk6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
160cc59f612cb0eb2cea9d77eae72641725f33eebdaf06d431d8bf409410b883
Formbook
3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461
Formbook
404cb392a43ef6eb414b2378e75db13035576cbbfc3c0c43de0cae5f79290287
Formbook
41426800f6abacfe11baaa98f532e48b152971d90958016a943e8e0fb7967b9e
Formbook
533402c16a639ab11af6e3765d4c190f81c24f5fef39e65342a6201eaf971e1b
Formbook
744400d590042d779a25401879f9906b979e32bba3fac355a0ff2d5a00f4fcfc
Formbook
aaf51eb435ca7b4a2241a951e3e131d7e73fa9f7bab18ca026f9a4d080c9dc0d
Formbook
bdc84c917558fe1a4055309a8d6ad6d89d2cdf5a6741c218ace44f70489f9260
Formbook
df8b0772860e56938078f92e437d4c04ff34808f40837e249b85af1ffb4dee4b
Formbook
+ 8'092 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:i6sj rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210819-flfr9s2xbs/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.ggoldcollections.com/i6sj/
Unpacked files
SH256 hash:
4d339511b1a219aec4873bbf9760310c615baa787962a3b8291f857502c17642
MD5 hash:
9fefcd4d2a665a7dcff718230d71ee70
SHA1 hash:
11becb27dc0177f32085bfd0805c658946371f5c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9948ddd0-2342-4383-97b5-63bd0b13c330/
Parent samples :
93a6cb87273a83d5d43cc42d6c559eb812019ebb5176892c78cd260c550f59dd
41426800f6abacfe11baaa98f532e48b152971d90958016a943e8e0fb7967b9e
e53f5cf159f53775b3adcca1a82b98ae91a9c8dc74fbb0f376df20217cad6d83
404cb392a43ef6eb414b2378e75db13035576cbbfc3c0c43de0cae5f79290287
8f0ccd5f4badc5caaa417896b3a66e97b994f0546d2299757fe601095e6e62bc
15b22917f8aedea05d375f54a9a43c993cc2b9feba48e0b7463befd411c2ba95
49e445c27ad9965ceee27ec81dca4f4abff58d18e9dfab55813cd192ecac8154
b1e8b717f08c3a36fad16cee07a422fa3370c52345ef9b360de10ca4855a1d47
aaf6381cad4b9e2bfb4cc865033d8bf4f7e53af1be0f851134d950256b691977
02c4b4dc1d1ee21b58cca2d0f5c2225bb1c3e5a238009394a8d32463b11b2b45
SH256 hash:
68580a4bfd26ca9492e451f7a0a14ac394913c6ce525badf4f4599d9b0447824
MD5 hash:
84ded4b2281e67eca57ecaca74d84f35
SHA1 hash:
968371cf1f13a7b5e3fea6790e68303fc4ec0c2e
Link:
https://www.unpac.me/results/9948ddd0-2342-4383-97b5-63bd0b13c330/
SH256 hash:
75a8a4178ad3fb923e18d21420a542775ea3539c1cab88f5d63a59f50cffb504
MD5 hash:
a6dcb6e5369cd798344ded6db40f5f65
SHA1 hash:
2680f5c6c39afdc8a9476303fcb7ee64075b669f
Link:
https://www.unpac.me/results/9948ddd0-2342-4383-97b5-63bd0b13c330/
SH256 hash:
8f0ccd5f4badc5caaa417896b3a66e97b994f0546d2299757fe601095e6e62bc
MD5 hash:
cb23e5950fda16d9db27e9b1acc71945
SHA1 hash:
14d678245c246c030d4b85a30cb120b89862dda6
Link:
https://www.unpac.me/results/9948ddd0-2342-4383-97b5-63bd0b13c330/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/8f0ccd5f4badc5caaa417896b3a66e97b994f0546d2299757fe601095e6e62bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 8f0ccd5f4badc5caaa417896b3a66e97b994f0546d2299757fe601095e6e62bc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180665/

Comments