MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94f4b931ab13da0c4550c0790798b75d9b0f6517f7bbd32dc6a110125130931e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94f4b931ab13da0c4550c0790798b75d9b0f6517f7bbd32dc6a110125130931e
SHA3-384 hash: a8a375eaf31a9ee640083672b167a85b18d8c149bdf3c6646bb5eda9121022eaaecf5477a0dbfb0b6a6dbf9e0f4ac5c1
SHA1 hash: 7d1ab1b7a06fed1cfcaef94077cd0ae912ea99eb
MD5 hash: ec7a7e9dcc807622e879d90eacd3ce87
humanhash: massachusetts-tango-glucose-michigan
File name:SecuriteInfo.com.generic.ml.18978
Download: download sample
Signature Formbook
Create hunting rule
File size:713'728 bytes
First seen:2021-02-06 00:59:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:wMWpgRiRBlWGynhQeBcEJgEE8IkcDxDpk88OuJ75Tdg4R:wM4RLlynhQ+BjIBD58OuJ75pg4R
Threatray 3'764 similar samples on MalwareBazaar
TLSH 99E4CF6A374FBBD0E5BD93B84020013053F4F726D723DA8DBCE910EC5A667818762A6D
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.generic.ml.18978
Verdict:
Malicious activity
Analysis date:
2021-02-06 01:02:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5031af8-c1e3-4b6c-828e-7f55d1b28bad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115907/
Detection(s):
SecuriteInfo.com.generic.ml.18978.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/600974
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349507 Sample: SecuriteInfo.com.generic.ml.18978 Startdate: 06/02/2021 Architecture: WINDOWS Score: 100 39 www.dopefuse.com 2->39 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 9 other signatures 2->53 11 SecuriteInfo.com.generic.ml.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\iieTdseY.exe, PE32 11->33 dropped 35 C:\Users\user\AppData\Local\...\tmpA3AB.tmp, XML 11->35 dropped 37 C:\...\SecuriteInfo.com.generic.ml.exe.log, ASCII 11->37 dropped 63 Tries to detect virtualization through RDTSC time measurements 11->63 15 SecuriteInfo.com.generic.ml.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 41 fhehsjeh.com 34.102.136.180, 49740, 49741, 80 GOOGLEUS United States 20->41 43 www.codedlock.com 45.88.202.115, 49735, 80 ANONYMIZEEpikNetworkCH Switzerland 20->43 45 7 other IPs or domains 20->45 55 System process connects to network (likely due to code injection or exploit) 20->55 26 mstsc.exe 20->26         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 26->57 59 Maps a DLL or memory area into another process 26->59 61 Tries to detect virtualization through RDTSC time measurements 26->61 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/94f4b931ab13da0c4550c0790798b75d9b0f6517f7bbd32dc6a110125130931e/
Threat name:
ByteCode-MSIL.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 21:34:33 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01d1722f7b547ae7024d2cb81993305f9d6aca06a1a3a32d230f9f630579327e
Formbook
28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069
Formbook
47a5d8f12a7f88e97420e20809ae248ad42eaffda90df839d921caed39796f45
Formbook
4c51f78fbe90c4455d1a0c1f45ff575571974df030b1ea188bf9ab67f4552c68
Formbook
5248643a130c832416245ea6b33ab3724a81c4e4a36b2ea424dd1a5fc1dd7ac2
Formbook
5718e1407d78fa10c9f60928d72d6c67e3555f740ae84f9d81c5516b2a466385
Formbook
970aa1ea39079684830789ad8c5c9cbf9777b65fdb44130aa8bbe4b88245e6fc
Formbook
a216d77105e1dc5bc366954d4b98f200090e0d83b47bc2e162e8a992f1de4bf3
Formbook
ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
Formbook
ee40683e96581996668cca3117c6c9759c590aab40cc4871a6f60275f725ab6e
Formbook
+ 3'754 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210206-xqlxbwrdk2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.guanmei2020.com/dyt/
Unpacked files
SH256 hash:
2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
MD5 hash:
befb0470c71d676cc891cba16088975d
SHA1 hash:
5b7143f97d1d656fd1cacf70949048c1951b639a
Link:
https://www.unpac.me/results/692fd650-5b15-4858-8333-29cd04dc1624/
SH256 hash:
32d2d3d2b147fec6b00ccb8f18897d0fd6b572ef67ec824ace2062b593ed7733
MD5 hash:
32b39e18e438015b118c0affc8f30438
SHA1 hash:
527db3d073f809c10cb8f17fb595437374b739c5
Link:
https://www.unpac.me/results/692fd650-5b15-4858-8333-29cd04dc1624/
SH256 hash:
b145bd37554c8aec6992a656972f855e2303090d34d169658386b6765c42b6ab
MD5 hash:
3e6a50358de402e52ba07d9e785ba85f
SHA1 hash:
b6c364671cedde5a1bd9035967f05bd3950d9a64
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/692fd650-5b15-4858-8333-29cd04dc1624/
SH256 hash:
94f4b931ab13da0c4550c0790798b75d9b0f6517f7bbd32dc6a110125130931e
MD5 hash:
ec7a7e9dcc807622e879d90eacd3ce87
SHA1 hash:
7d1ab1b7a06fed1cfcaef94077cd0ae912ea99eb
Link:
https://www.unpac.me/results/692fd650-5b15-4858-8333-29cd04dc1624/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Starter
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94f4b931ab13da0c4550c0790798b75d9b0f6517f7bbd32dc6a110125130931e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 94f4b931ab13da0c4550c0790798b75d9b0f6517f7bbd32dc6a110125130931e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/115907/
  
URLhaus
https://urlhaus.abuse.ch/url/991615/
  
Delivery method
Distributed via web download

Comments