MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44
SHA3-384 hash: 93c566a5a11dff529e7db62cb65fa9187da44e1f2cb4dee4944e742f6cc7ac4b498071fa02289945acef0b7fb875cd77
SHA1 hash: 569f0fdbf99d05af519759f9b0bf392d8e6608ed
MD5 hash: e7ab6f20b9320cf5f2537f2e402bb106
humanhash: beryllium-fifteen-beryllium-sink
File name:e7ab6f20b9320cf5f2537f2e402bb106
Download: download sample
Signature Formbook
Create hunting rule
File size:969'216 bytes
First seen:2021-06-22 13:41:31 UTC
Last seen:2021-06-22 14:42:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:3jfWFHmDuSMPQipP5yXoX7vqT23gUcAPscKxGi47UMuEo5e:0HwRipQ4X0c19PsAaEoQ
Threatray 5'891 similar samples on MalwareBazaar
TLSH 1B25A0160ECF422EE2758EB657B0FC47C3B65EA62A05B2112DC032ADC6375DADCEE511
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e7ab6f20b9320cf5f2537f2e402bb106
Verdict:
Suspicious activity
Analysis date:
2021-06-22 13:45:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3a336ff2-555f-481a-ae54-ba3535dcb02d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167581/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader39.59262.10489.29876.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fed6e12-d607-4c9c-93d2-d80ab6e19e5e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805989
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 11:05:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
046bf8a6c9bc47b10b80a2ca83289714a931b5d10d864e02d2e20fdc09301108
Formbook
5180e6ef19db039d8365f3cb9690424e61504a80ab94a12738a633b6cdc5fccb
Formbook
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
Formbook
6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4
Formbook
6f699e2d98b52c522781d82018713d76762429a68bc236f5a155c275ba7b5268
Formbook
726a3798f80c7e482b512dc777bc692965136190990a5fed138934a546944121
Formbook
7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
Formbook
94827e12d128626a8d64286432a73293f76cb45c1f523ff0ad7e67b90802a123
Formbook
a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051
Formbook
abe3945460e661e29e3e235bda3144691f263414e49e0976b67d752166274565
Formbook
+ 5'881 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210622-55s7yh4zre/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.dragonpalcenk.com/k8n/
Unpacked files
SH256 hash:
a2aaf9064d161919fbcbb6932210370dce36ffd64d6a960b47dbddfaca3dcb25
MD5 hash:
2707aeb8e691efe7687a4d3f0596433a
SHA1 hash:
0c93f6efc025d01ce676fc4d970bffcae34d783b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/61488e14-1408-47d4-9b07-5c75fe04f60e/
Parent samples :
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44
SH256 hash:
0631ef0bc561b0ac43381f9b0a88fad11aaa0eb3364307696a5d18ef90e2022a
MD5 hash:
21ab7434f41f0b63cf977753470bda9e
SHA1 hash:
aebf64ddc4959f1b63bc922829ed87743f12821f
Link:
https://www.unpac.me/results/61488e14-1408-47d4-9b07-5c75fe04f60e/
SH256 hash:
1f84b701558f32d4fa194fdad3805b95626ffeb13f329f4c1a7574d6b7d1ea13
MD5 hash:
fd0e363f31606c764bb52e14bd7e6314
SHA1 hash:
56c35d8e5ccbe0a123ccdc60c970e1b556332ca1
Link:
https://www.unpac.me/results/61488e14-1408-47d4-9b07-5c75fe04f60e/
SH256 hash:
9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44
MD5 hash:
e7ab6f20b9320cf5f2537f2e402bb106
SHA1 hash:
569f0fdbf99d05af519759f9b0bf392d8e6608ed
Link:
https://www.unpac.me/results/61488e14-1408-47d4-9b07-5c75fe04f60e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9f7fd0ad05c3b8f6d3945a0753b7b20fc53528cfbf7c8b4a2ab7f49795937b44

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1388354/
Cape
Cape
https://www.capesandbox.com/analysis/167581/

Comments