MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575
SHA3-384 hash: 7d9e03321454369a3057790cd645282c5eacc951104982e4a2aada862f7aaa19416893c4b45f1565975875370636c395
SHA1 hash: da9bf145c66812e148fb70f1b36badabd9aa4989
MD5 hash: 6e2d67b23e4bc268bbf9c83e15dc4154
humanhash: asparagus-delta-virginia-floor
File name:6e2d67b23e4bc268bbf9c83e15dc4154
Download: download sample
Signature Formbook
Create hunting rule
File size:520'704 bytes
First seen:2022-04-08 09:47:38 UTC
Last seen:2022-04-08 09:51:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:K5TE0ZQ7y6+8d4ubuhcR7ODkhvGt82AxyWDIeThZOv3:ATEd+m4zq72knbMWY
Threatray 14'644 similar samples on MalwareBazaar
TLSH T1CEB4014DFB56BDE8E85A43B839719C133F23D51365FDADAC2089626A0C7520250EBDCB
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
feb.exe
Verdict:
Malicious activity
Analysis date:
2022-04-08 05:24:25 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/3633000f-14a6-4102-9188-2629e72b18a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262062/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/625004e8cccdcb99472a1624/reports/a194d535-661b-4679-a9c0-249029428295/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cae72ea0-298c-4f3e-a986-ecf0e08c44fe
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/973111
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 605597 Sample: fXcgKX4eD1 Startdate: 08/04/2022 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 13 other signatures 2->56 10 fXcgKX4eD1.exe 7 2->10         started        process3 file4 38 C:\Users\user\AppData\...\CsopCqipvdNh.exe, PE32 10->38 dropped 40 C:\Users\...\CsopCqipvdNh.exe:Zone.Identifier, ASCII 10->40 dropped 42 C:\Users\user\AppData\Local\...\tmpB4FF.tmp, XML 10->42 dropped 44 C:\Users\user\AppData\...\fXcgKX4eD1.exe.log, ASCII 10->44 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 10->60 62 Writes to foreign memory regions 10->62 64 Allocates memory in foreign processes 10->64 66 2 other signatures 10->66 14 RegSvcs.exe 10->14         started        17 RegSvcs.exe 10->17         started        19 powershell.exe 25 10->19         started        21 schtasks.exe 1 10->21         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Queues an APC in another process (thread injection) 14->72 23 explorer.exe 14->23 injected 74 Tries to detect virtualization through RDTSC time measurements 17->74 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        process8 dnsIp9 46 zakladmalarstwa.com 46.41.159.182, 49766, 80 HOMEPL-ASPL Poland 23->46 48 www.zakladmalarstwa.com 23->48 58 System process connects to network (likely due to code injection or exploit) 23->58 31 svchost.exe 23->31         started        signatures10 process11 signatures12 76 Modifies the context of a thread in another process (thread injection) 31->76 78 Maps a DLL or memory area into another process 31->78 80 Tries to detect virtualization through RDTSC time measurements 31->80 34 cmd.exe 1 31->34         started        process13 process14 36 conhost.exe 34->36         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-07 17:30:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdawkr7fe67ajr735jiv7doovhyagu57iokozvc7renla4efwv2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05a096d0b32ba6a4ef81bdf3794aaaffbae69c71c7bbe9506db9ebe30e168e4e
Formbook
12aeb7008ac969d3fa71cd68a9280ce4a2684599e61e0b5c321627e924848bf8
Formbook
3bf15d5b8ab7b88887aa29649773482b57ccb34097bb4df35b46081127b47e74
Formbook
48d338ba06ada3da080eeeddb8a267b1b677dc9c3670f13e333ec8c73ff1b02c
Formbook
4ea32ccd68ea4437adbb5639bbbd2a0098107f16b851ac463a136ec5ecba796a
Formbook
5c4b6b6b72e020bea0a32b9ca0542bd404e91eff6344648aae077ad332593744
Formbook
a893ba5218f2456a154c43c363d391a3117638c8f300cac0b44ec74c4a56be8c
Formbook
e72916e74e18d79c2ddbd591ba7dd7e5f45bf33cd89d2dcc64361dffc47a875f
Formbook
+ 14'634 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s4s9 rat spyware stealer trojan
Link:
https://tria.ge/reports/220408-lssecsbgc7/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
Unpacked files
SH256 hash:
5d6151c285d473e8648d4a06ac29ef6a0267a124cf586b483d4c897c8a99b11d
MD5 hash:
746b4d06c36ac62b133dac83ffa9a538
SHA1 hash:
ed219881ccb01f440abc4f60bfcf212de308facb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e85d8271-296e-4832-bced-51f6d3f191b0/
Parent samples :
90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575
b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab
56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6
SH256 hash:
087f0eb24abcacc65233c562bd0c1a460b96088a7e109d7c4a82e2856a6a4ab5
MD5 hash:
47adeefabf8f6bdd13bf499ebe47ca74
SHA1 hash:
d6e2bf412906c533eb92839a68166e6a4585c7e6
Link:
https://www.unpac.me/results/e85d8271-296e-4832-bced-51f6d3f191b0/
SH256 hash:
e11871df824c3130e35f2c94d672404e18ebefddf3172d166f2e640ad3686c73
MD5 hash:
4379771ccd9b927712ef2505214161df
SHA1 hash:
6636b7b80e279de67c60b52277f566463afebf8e
Link:
https://www.unpac.me/results/e85d8271-296e-4832-bced-51f6d3f191b0/
SH256 hash:
874958a2dca5692c3b52933c0543d6a408d79b649ad038d5a2108408df559b0a
MD5 hash:
b96e59e4a86c22ecf781346e66286724
SHA1 hash:
531fda9644f65f2772c51b46b43d73cbf3eb3c59
Link:
https://www.unpac.me/results/e85d8271-296e-4832-bced-51f6d3f191b0/
SH256 hash:
90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575
MD5 hash:
6e2d67b23e4bc268bbf9c83e15dc4154
SHA1 hash:
da9bf145c66812e148fb70f1b36badabd9aa4989
Link:
https://www.unpac.me/results/e85d8271-296e-4832-bced-51f6d3f191b0/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/90c16547e527/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2137134/
Cape
Cape
https://www.capesandbox.com/analysis/262062/

Comments


Avatar
zbet commented on 2022-04-08 09:47:40 UTC

url : hxxp://172.245.27.28/f/feb.exe