MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91a4088de46853519f714462e98f3f8abd09ca5c71903639083cc3e1036a8406. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91a4088de46853519f714462e98f3f8abd09ca5c71903639083cc3e1036a8406
SHA3-384 hash: 37f62073610128176c7dd98ae688533b4c958cb12a6c16a260e34f2f26eddf876007ec3562b14ede5fcd81a1b2e77c53
SHA1 hash: 0d34939e91c6602c9a6e597cbd11a8bfdbf2cca5
MD5 hash: 8e5d6b2296ea685b38bbec27e7be6949
humanhash: emma-bulldog-social-yellow
File name:банковский перевод pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:562'688 bytes
First seen:2021-04-08 16:45:44 UTC
Last seen:2021-04-08 16:56:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6GlxSAkV97XqUzVxR99bnTGzcCb1dhkOb8mCX4il:rlxSvTzFTGz5brhkIK/
Threatray 4'609 similar samples on MalwareBazaar
TLSH 7FC4022523A88F18D47CEB38503091003BF9BE56A736DB8EADD131DE5A32F458B56B53
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
банковский перевод pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-08 17:04:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d52ada7d-5b20-441f-8ff2-3174b2074cc2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133269/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.634-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/670545
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384215 Sample: 0434 pdf.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 43 www.blackllamarecords.com 2->43 45 blackllamarecords.com 2->45 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 9 other signatures 2->59 11 0434 pdf.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\exvRPxlk.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmpD3B2.tmp, XML 11->39 dropped 41 C:\Users\user\AppData\...\0434 pdf.exe.log, ASCII 11->41 dropped 65 Writes to foreign memory regions 11->65 67 Injects a PE file into a foreign processes 11->67 15 RegSvcs.exe 11->15         started        18 RegSvcs.exe 11->18         started        20 schtasks.exe 1 11->20         started        22 2 other processes 11->22 signatures6 process7 signatures8 75 Modifies the context of a thread in another process (thread injection) 15->75 77 Maps a DLL or memory area into another process 15->77 79 Sample uses process hollowing technique 15->79 81 Queues an APC in another process (thread injection) 15->81 24 explorer.exe 15->24 injected 83 Tries to detect virtualization through RDTSC time measurements 18->83 28 conhost.exe 20->28         started        process9 dnsIp10 47 www.bitinnovo.com 209.99.64.55, 49706, 80 CONFLUENCE-NETWORK-INCVG United States 24->47 49 www.saint-elmos.club 24->49 51 2 other IPs or domains 24->51 61 System process connects to network (likely due to code injection or exploit) 24->61 63 Uses ipconfig to lookup or modify the Windows network settings 24->63 30 ipconfig.exe 24->30         started        signatures11 process12 signatures13 69 Modifies the context of a thread in another process (thread injection) 30->69 71 Maps a DLL or memory area into another process 30->71 73 Tries to detect virtualization through RDTSC time measurements 30->73 33 cmd.exe 1 30->33         started        process14 process15 35 conhost.exe 33->35         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/91a4088de46853519f714462e98f3f8abd09ca5c71903639083cc3e1036a8406/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 06:19:26 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sgsardpenbjvdh3rirrotdz7rk6qtss4ogidmoiihtb6ca3kqqda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
Formbook
3b6134b61b84f0653135f7372c8fafe9dd0a35cd658a510de22b9dd9f8bf6257
Formbook
56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5
Formbook
78f83f782f8d2077dd50d65badb4ed36ec24c029241287f76560e60733b61c29
Formbook
8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c
Formbook
851ee4f67cc28e3634b0062d77f62222d026c4e9674a894bcdd5b6c6e6bda376
Formbook
b69927fbfd7eb038b59aa9b7e9f49cb02d127d48fcf6517e65a379e982e806bc
Formbook
cdcb4d8c4292e945bd519f6d50039a4f5fc933b909eacd6ac1286fbf1ff2142a
Formbook
d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
Formbook
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
Formbook
+ 4'599 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210408-4hj8l5z776/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ostecosarcomamd.com/gmn/
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/949cc942-a324-4e8d-9109-0e6bcf09b0f6/
SH256 hash:
91a4088de46853519f714462e98f3f8abd09ca5c71903639083cc3e1036a8406
MD5 hash:
8e5d6b2296ea685b38bbec27e7be6949
SHA1 hash:
0d34939e91c6602c9a6e597cbd11a8bfdbf2cca5
Link:
https://www.unpac.me/results/949cc942-a324-4e8d-9109-0e6bcf09b0f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/91a4088de46853519f714462e98f3f8abd09ca5c71903639083cc3e1036a8406

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 1f1787cae61d24e9c6ad9baa35219d66b2c67973d43286b44cd07b5673d4bd62

Formbook

Executable exe 91a4088de46853519f714462e98f3f8abd09ca5c71903639083cc3e1036a8406

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1f1787cae61d24e9c6ad9baa35219d66b2c67973d43286b44cd07b5673d4bd62
Cape
Cape
https://www.capesandbox.com/analysis/133269/

Comments