MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91bde3e248b2850a4c78027106d8b4c0b6ba2604fd08a0a14fb45b8a1b285611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	91bde3e248b2850a4c78027106d8b4c0b6ba2604fd08a0a14fb45b8a1b285611
SHA3-384 hash:	7270c6160dd3823c794f61480506f44a52153a1790b8e81506699150486d3a7e8cd75f880202a09ed3228eaa31c293bb
SHA1 hash:	cc9afc2852a585ee92e5b7672d2512594beb0e7c
MD5 hash:	cf974c196261bfc1ade688e9d438cc85
humanhash:	hamper-victor-ten-hot
File name:	PO#CR21-1178321 -pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	502'272 bytes
First seen:	2022-03-30 15:27:07 UTC
Last seen:	2022-03-30 16:37:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:L+KXZVJ+nKIWefdLsADm922r8vcmfOspzbOCR8fcs32wxN:CQZVAlf5m9NspzbOCRja
Threatray	13'931 similar samples on MalwareBazaar
TLSH	T1AEB4130262E4552ED1FE8B3F5471821013FDAB3BB502D70DABE130DD99E938952B19E7
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

164

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/259736/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn34.22423.21757.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit obfuscated packed

Link:

https://www.filescan.io/uploads/624477049253b276b7a8f33d/reports/01c9240e-16e4-4fdc-9f21-edd158737083/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ce4042b8-6481-4370-9fac-b253db13a978

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/967700

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/91bde3e248b2850a4c78027106d8b4c0b6ba2604fd08a0a14fb45b8a1b285611/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-30 15:28:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sg66hysiwkcqutdyajyqnwfuyc3lujqe7uekbikpwrnyugzikyiq._file

Verdict:

malicious

Label(s):

formbook

Formbook

0a08e1464585333f5b4cb67d2150a488119fa971a878ad87c277197dbb453b93

Formbook

198a4a7609ba35046466d687d1c79c8ff4dcb0818ab256b1715a3677d23eba9c

Formbook

54cfa1f93d985c0bf952e00247f781f36988dffec0cb8d83f79fa3e41d98b335

Formbook

633caade7dd7f37b7795be2142a7f0ef66259b65b1095b23a2070f02446f8414

Formbook

6b9529ef9582e73d4ac7bc63d46bd152a1bc894ce781308b8798ea9689312e60

Formbook

c0f665918f4ea75327960ddf58cf37e415a6bf6569a4c22aa6291fbac9d171ce

Formbook

d1f436b64d16179e0491d6f691c305b31f05d69a446045dcca7dd3f388559ac5

Formbook

+ 13'921 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:o0i7 rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220330-swbdkshfdp/

Behaviour

Creates scheduled task(s)

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

0dd9623e53597656bf225ec182197137b77b54f475f386f57b563ea9d2f7d243

MD5 hash:

d81057c81549d2d721394f92d36dc407

SHA1 hash:

77405f30b5b7a678b2f23b65ee5805c5e31ae031

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/be88cc98-fabf-42c7-92c3-cc12cf41067a/

Parent samples :

633caade7dd7f37b7795be2142a7f0ef66259b65b1095b23a2070f02446f8414
e92ff5ee8d681a705f2fe24cd61375479b2221cf29738439839ce8ee5f3f9c5f
41573d104263a727eca5295cd59bf91c93d2a24ddb024d84f97244bc120036e2
81626ff8f2f5eb89a55ac197d51ab0d35c33e0607c9fd2a7077ac834a1a5c926
6b9529ef9582e73d4ac7bc63d46bd152a1bc894ce781308b8798ea9689312e60
0082123fa15fb43d060c2f764bdd9f31a19e53b185e5f6de37d1dfec2f59504f
91bde3e248b2850a4c78027106d8b4c0b6ba2604fd08a0a14fb45b8a1b285611
ca7d37a30904725a82277567c30ba0fe5b441dad6d86d48afc3a954e8fdbd78f
044dd751a59cd849c84966a8ec5a6f65435cbd39af7696029a3ef2583819d1f4

SH256 hash:

0bed9dc284b61aec97c38ae1bb956d5b3f59b97b8795975c2f528838d2ba2003

MD5 hash:

cceb1d40f1d8c081085f7a6171627eb7

SHA1 hash:

a082276102101a49da31b2e2f61f7af7c6988758

Link:

https://www.unpac.me/results/be88cc98-fabf-42c7-92c3-cc12cf41067a/

SH256 hash:

613b2819d35360cbfe6c94b2b998d1a4998c89f5bdef505e0e158e1288ab684c

MD5 hash:

3096cbaf4b5d40f9c61bf7ce13fde62f

SHA1 hash:

6b3c580e51fd306bfdc2e727ca3bc7805aba4b53

Link:

https://www.unpac.me/results/be88cc98-fabf-42c7-92c3-cc12cf41067a/

SH256 hash:

6f2c7b401681a582e19d352ebc8e5111f34f254b874d486f681a6fba3c473dc4

MD5 hash:

f34061d91c54b7d40e664f2e3437fa22

SHA1 hash:

6456db1e5132c884ea8e8e2a6e6c5dd9f15b2a39

Link:

https://www.unpac.me/results/be88cc98-fabf-42c7-92c3-cc12cf41067a/

SH256 hash:

91bde3e248b2850a4c78027106d8b4c0b6ba2604fd08a0a14fb45b8a1b285611

MD5 hash:

cf974c196261bfc1ade688e9d438cc85

SHA1 hash:

cc9afc2852a585ee92e5b7672d2512594beb0e7c

Link:

https://www.unpac.me/results/be88cc98-fabf-42c7-92c3-cc12cf41067a/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/91bde3e248b2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/91bde3e248b2850a4c78027106d8b4c0b6ba2604fd08a0a14fb45b8a1b285611

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 91bde3e248b2850a4c78027106d8b4c0b6ba2604fd08a0a14fb45b8a1b285611

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/259736/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample