MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476
SHA3-384 hash:	befe47105720e5c879ea17022f03081355e70a8d86ed70742c91fb8e229ba68927f0530681f6d7d11f742a7219559b31
SHA1 hash:	2b494db5e52b74df25ff068d0d2a3295aae4f658
MD5 hash:	2201881c6cc2de12c71f906e43178ef9
humanhash:	two-failed-pizza-april
File name:	SecuriteInfo.com.Trojan.Packed2.42850.4964.3326
Download:	download sample
Signature	Formbook Create hunting rule
File size:	687'616 bytes
First seen:	2021-02-23 13:55:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:wxwz1c/m/gGqitttttwgGTyWI+G4bNSrAxx3qK6L+/rKniN0s2sdUgBODIpFds5O:9dSTES5//6L/iYsGgBODIpFds5erS8
TLSH	60E4491063F98615F6FA2BB098BFDF701B727C92A835D25D1E8135DF2A71B408961B23
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42850.4964.3326.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/615362

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-02-23 11:44:49 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

2/5

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210223-6w6ysr3sr6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.aone223.com/67d/

Unpacked files

SH256 hash:

f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671

MD5 hash:

f984a71581f6da5732110be2a569a392

SHA1 hash:

10de05b6b35fc5dbc00c42d59a4b850bcaae01e6

Link:

https://www.unpac.me/results/a2d28ab4-b020-4743-ba1f-1e4f0968bf08/

SH256 hash:

7e99db7d924e1e97ea241199ec59a58d2f98b6599051774a2060b9b143bc2b3b

MD5 hash:

045e4a57a000507a495bbc7ee2afd6aa

SHA1 hash:

e2cb82714af8ac4d52933580e23ee2233d6760c0

Link:

https://www.unpac.me/results/a2d28ab4-b020-4743-ba1f-1e4f0968bf08/

SH256 hash:

17faa1d6403f13d26d3bf27e62242883ae8f26a97cbd094e6ac8f75d39b29dfe

MD5 hash:

d78cc2cf0a1d4219c3b9815c0c8235ed

SHA1 hash:

12ce985c7e6d6a9ac3e79f56745b907cbaf91736

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/a2d28ab4-b020-4743-ba1f-1e4f0968bf08/

Parent samples :

5ebb56bf6705acae0ea5adbb5f46f6c46527493abcf1482af9b10981a4e4298d
401df7c1ce321b7e1b72cad683db23e8d78d3a84523acc746d864f724a765cc6
24f65cdc73215c756025b3b584c9046b15a5feb7ee96a88d46c61a462cf46b49
2bde41794f3ec8ee0b4e4be924a18e9b55c9f61eed39f10d16bc0afd9e33ba48
945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

SH256 hash:

945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

MD5 hash:

2201881c6cc2de12c71f906e43178ef9

SHA1 hash:

2b494db5e52b74df25ff068d0d2a3295aae4f658

Link:

https://www.unpac.me/results/a2d28ab4-b020-4743-ba1f-1e4f0968bf08/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	RSharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	identifiers for remote and gmremote

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1025369/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1025511/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample