MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fc52ab78b091873ee351be8fed2c5026d9fdae75ddfe910ea2b179843ca0c3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fc52ab78b091873ee351be8fed2c5026d9fdae75ddfe910ea2b179843ca0c3f
SHA3-384 hash: 9c59b7bf690006410bef8f664558a81220779e82286af919a847bff7fbbdf98b6f3e69ccc1deac277d0da39a0478bc2f
SHA1 hash: 3ea30ce676a15f8eeb3292af36203c909fb21117
MD5 hash: 4b645d82013cf24c3867952cd987bdcd
humanhash: emma-seventeen-purple-white
File name:4b645d82013cf24c3867952cd987bdcd.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:488'960 bytes
First seen:2020-10-08 12:17:54 UTC
Last seen:2020-10-08 13:23:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:KMSi5Za+LXdkcmt21Ru6dT5WRYForDTfgE48GdwRr5AB81IMiM4ZxLK:KMSivlLmcmILdT5WCerHYCGWxMlMKZV
Threatray 179 similar samples on MalwareBazaar
TLSH 1DA49EB37952582ECD6A07710CB115F1F97702CD3FA78A1E729E530C4F14A0BAB5A26E
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69193/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/485301
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295092 Sample: 4YleXo6EvG.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 96 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected FormBook 2->39 41 2 other signatures 2->41 7 4YleXo6EvG.exe 9 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 27 C:\Users\user\jbsge.exe, PE32 7->27 dropped 29 C:\Users\user\jbsge.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\4YleXo6EvG.exe.log, ASCII 7->31 dropped 33 2 other files (none is malicious) 7->33 dropped 51 Drops PE files to the user root directory 7->51 53 Tries to detect virtualization through RDTSC time measurements 7->53 15 cmd.exe 1 7->15         started        17 jbsge.exe 2 7->17         started        19 jbsge.exe 3 11->19         started        signatures5 process6 signatures7 22 reg.exe 1 1 15->22         started        25 conhost.exe 15->25         started        43 Multi AV Scanner detection for dropped file 19->43 45 Machine Learning detection for dropped file 19->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 process8 signatures9 49 Creates an autostart registry key pointing to binary in C:\Windows 22->49
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8fc52ab78b091873ee351be8fed2c5026d9fdae75ddfe910ea2b179843ca0c3f/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 10:14:26 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7csvn4lbemhh3rvdpup5uwfajwz7wxhlxp6sehkfmlzqq6kbq7q._file
Verdict:
suspicious
Similar samples:
717dfc26ac3594b79b3f5d4977bfbf8b56751422dc3dc464adc5e7c87dca5c08
Formbook
7fb829997c51d2830c52490732946d728520f1842cf2a02342ec0d8404cd52ae
Formbook
891cd769c1731bfaa4051041a3f48cab616cadc9ddc94cc090d3d6d3194015fa
Formbook
8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2
Formbook
95398256c9a457e155671d2b4eb69b688c151002a1b58abd0de1411690a53c88
Formbook
c62ef08103c30d5d2d18fbc2eff820985af40aa377828ef72c3ecad495103511
Formbook
ccd1a40e599ad9f364ca70ef3d02b4850901fdeaddb5c9a4b66405e2bccc9ad2
Formbook
e2ebeb9d7ac12f7465a44a186f2bc83be704f09a003530f40474bb4546769124
Formbook
e7adb9ddc612bc2bbc52cc809b0a7b90c6f28f0b9df4fa767dccdab4d1d91c50
Formbook
f6dc39be69fcb6613defba0c9d8428d71c2a02b118383d4a49a66c6139e690fd
Formbook
+ 169 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201008-vr2c4kn2y6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
8fc52ab78b091873ee351be8fed2c5026d9fdae75ddfe910ea2b179843ca0c3f
MD5 hash:
4b645d82013cf24c3867952cd987bdcd
SHA1 hash:
3ea30ce676a15f8eeb3292af36203c909fb21117
Link:
https://www.unpac.me/results/721983a7-2053-47b8-886c-b39f4562aaf5/
SH256 hash:
76effe1881701b03efc1dfb10025680e3185a62289f97c35a0d517e74f082fea
MD5 hash:
9fdb78deb02a9a06c94367863043986b
SHA1 hash:
572eae872e3d2fddf6b79faee1d465f733c7cd7f
Link:
https://www.unpac.me/results/721983a7-2053-47b8-886c-b39f4562aaf5/
SH256 hash:
8ef09a465395d8886a838182f731f1c60c5ddd9ffd45ba616f69d6ca47c09046
MD5 hash:
2d8278ea531f022b331b2a2292551b32
SHA1 hash:
ce16139fe06abdd778901a52bb264f13098da02c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/721983a7-2053-47b8-886c-b39f4562aaf5/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/721983a7-2053-47b8-886c-b39f4562aaf5/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
e3f3f21f1da73f127615d0ce7f20b1159facd9b5015ef223de73dddbcdf1f59a
MD5 hash:
7a4f8f06291d4cff66c36c4963e2d0e6
SHA1 hash:
dfe8b19e175fb63bd891664e11e9f7fa646f4bf1
Link:
https://www.unpac.me/results/721983a7-2053-47b8-886c-b39f4562aaf5/
SH256 hash:
db33b1c3fc4f284a709d9da85eea6f5ee2ce10f88e8dccf23543a29df2c0c516
MD5 hash:
7bd8003167fea5893f7442f37d9dbf62
SHA1 hash:
2cbefbf52c7ae5a98025d4f7a71f1e594d1e065a
Link:
https://www.unpac.me/results/721983a7-2053-47b8-886c-b39f4562aaf5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fc52ab78b091873ee351be8fed2c5026d9fdae75ddfe910ea2b179843ca0c3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8fc52ab78b091873ee351be8fed2c5026d9fdae75ddfe910ea2b179843ca0c3f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/669466/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/69193/

Comments