MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 900009eb072aa1eb5377fdd09e5a4d5dda9e2755a8934fc998cc1243ab7c8765. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	900009eb072aa1eb5377fdd09e5a4d5dda9e2755a8934fc998cc1243ab7c8765
SHA3-384 hash:	a479a6efea55ab0349bdc415367dd5fb245d91eaf410208157a76b6aa290eefdee4a62be230ee033a57f9601a54cb238
SHA1 hash:	53aa53db18e1de573863835b456c96c8dedc54d2
MD5 hash:	799847b23e8c374821c93ebebbedac53
humanhash:	beryllium-texas-minnesota-december
File name:	SecuriteInfo.com.Trojan.PackedNET.899.25889.4415
Download:	download sample
Signature	Formbook Create hunting rule
File size:	698'368 bytes
First seen:	2021-06-30 12:35:40 UTC
Last seen:	2021-06-30 13:38:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'240 x SnakeKeylogger)
ssdeep	12288:a+wAdWw9BbX5TyrQD+xdsJpqBu8ABBp8I2EOqUeXgL4Dr/1:a+wAdWkOQD8KTrVBBp8IdgRq/
Threatray	6'155 similar samples on MalwareBazaar
TLSH	B4E48D302BE85635E0B69FBDD5A1108197FDF623AF07D85D68B512C90712E83C9F262E
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.899.25889.4415

Verdict:

Malicious activity

Analysis date:

2021-06-30 12:47:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d8535558-04eb-40c8-bf97-2494fb1403cc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.899.25889.4415.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b85585da-e868-4f71-92de-9763d31eb0cb

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/809942

Signature

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/900009eb072aa1eb5377fdd09e5a4d5dda9e2755a8934fc998cc1243ab7c8765/

Threat name:

ByteCode-MSIL.Trojan.Swotter

Status:

Malicious

First seen:

2021-06-30 12:36:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=saaat2yhfkq6wu3x7xij4wsnlxnj4j2vvcju7smyzqjehk34q5sq._file

Verdict:

malicious

Label(s):

formbook

Formbook

4ce1f9a687727f9368f45a6f985a208e545d07b7aeaf39ecc02f61e5c1062171

Formbook

4d90c368dbb4c085f00a9d323996a1c6235acd5afadcbcf935d0b56a432a3410

Formbook

5fc1f737492b4a7e01b1e2befa4e25b1a65c7a6a83b4ec419660d0c3c4894300

Formbook

74038c5bbdbded24e577d6c081d88febe59735546d902323a310e2e9d3f66677

Formbook

76f129a0fe66ce32231fd47a2e630b2a876e071c3851169f7e87babfa0b16360

Formbook

90d238a1c183586c60ffb6c1fb4786950483080240feca7fbf6d99ab98c64a6b

Formbook

ad2a5569cb14f86fe191f54f6fecb7bf1fe389418858f5fc72e6367c9780a9f0

Formbook

e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267

Formbook

f62f23f0f2a417ce32f3249502507a6036482bc41939eff23c92b1d5d44e480b

Formbook

+ 6'145 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210630-ny3p9e2qys/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.knighttechinca.com/dxe/

Unpacked files

SH256 hash:

82b76cb52e7135143e7e19e257d5eee8716e202521d37ec995ff5881d984bad3

MD5 hash:

83fe55a4dd78d4231a62124159d77652

SHA1 hash:

8f63071ec33d77fd671572fdd7f17a14b5fee00e

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/4ea5e23a-3b21-48b8-a99d-8f7d9dc3d3d1/

Parent samples :

f62f23f0f2a417ce32f3249502507a6036482bc41939eff23c92b1d5d44e480b
c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
eb3f64ec577c51957dfd0c55a431209e947c281c3a2a1f2d8514666530a0e608
f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e
9624205b61e073bf50cf19e4c5412bf620218a2637315701c5fa78de627a5944
76f129a0fe66ce32231fd47a2e630b2a876e071c3851169f7e87babfa0b16360
25644ff35da89545c702b633182c4ff1f649dd64c9c8249be9afe7090359d87d
e780eec0d603f5a419530a5d2c6fd85c664ac0cac7f97ba1136263fe57ea5a64
900009eb072aa1eb5377fdd09e5a4d5dda9e2755a8934fc998cc1243ab7c8765
52f12a925f53adafd752c33413413ea3928a53f124e9530909107b57527d75fd
bfcda678eede144bcbb62d4c257ed2e05a26a5087893f3dfb62273bace6fe872
443b7c4a47da2fccb7764deccda2bb60d217f1c25eb016870c7ec0f11d1c2b80
b506bb786b2b45d252f9886ad94e63cb60b60544dade0680b096f80c84cada7a
257a36fdd79cbf165caeda4a1efe458034d670b71060693fdb0d2a1bf0489aa5
cf22ce4f2db96effa84c70504160296e478ab07442b2c1f9ebcff92783c681a8

SH256 hash:

1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec

MD5 hash:

81faf15c7e3c9446d906659f7c7a9f16

SHA1 hash:

d7e05a22b109ce608109dc509029a7fe22b4b8bf

Link:

https://www.unpac.me/results/4ea5e23a-3b21-48b8-a99d-8f7d9dc3d3d1/

SH256 hash:

9a2d00192bf73c684e46917d07afad4dab27c7931932275e45a6ac098a3d17a1

MD5 hash:

70e592468c60175f57a864d8767c5605

SHA1 hash:

bed48c7e4d5022b19ac12463bfe39b0717a9ec51

Link:

https://www.unpac.me/results/4ea5e23a-3b21-48b8-a99d-8f7d9dc3d3d1/

SH256 hash:

900009eb072aa1eb5377fdd09e5a4d5dda9e2755a8934fc998cc1243ab7c8765

MD5 hash:

799847b23e8c374821c93ebebbedac53

SHA1 hash:

53aa53db18e1de573863835b456c96c8dedc54d2

Link:

https://www.unpac.me/results/4ea5e23a-3b21-48b8-a99d-8f7d9dc3d3d1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/900009eb072aa1eb5377fdd09e5a4d5dda9e2755a8934fc998cc1243ab7c8765

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample