MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a03553c928c61ff148b7440e8dab61dc7eac554f576a35d9418f438439cc18d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments 1

SHA256 hash:	a03553c928c61ff148b7440e8dab61dc7eac554f576a35d9418f438439cc18d7
SHA3-384 hash:	52ed972bdae9cd1bc5b1b11afe7781777d3a6a2acb0faf8bb85ca73523b0271363922523e2bc20a99f074ae2a391c7f8
SHA1 hash:	4f20d0608bfd3d10a8ef00ed65d9cf51387c4e00
MD5 hash:	2aee5ea79b9327ec85da89421b92d219
humanhash:	avocado-cup-bluebird-diet
File name:	2aee5ea79b9327ec85da89421b92d219
Download:	download sample
Signature	Formbook Create hunting rule
File size:	547'840 bytes
First seen:	2021-09-01 15:20:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:trOuCAXO9G6myG5C0rkWw797CCf0bvCmmKa6e/jsFkYuSquA:1OSwG6zqFrkTN507CbKa6e
Threatray	8'753 similar samples on MalwareBazaar
TLSH	T1F6C4E04AB210B2DFC517C9768EA40C24AB61703B571BE307A45365ED9E0EA9BCF161F3
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2aee5ea79b9327ec85da89421b92d219

Verdict:

Suspicious activity

Analysis date:

2021-09-01 16:08:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fdb19962-83a8-43fe-8d55-675339ed5744

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/184506/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.16807.16629.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e6ce52dd-21c0-4d9f-be63-7b289c8c4b2e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/843462

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a03553c928c61ff148b7440e8dab61dc7eac554f576a35d9418f438439cc18d7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-01 15:21:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 43 (55.81%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

0ea81e325568a6d5c8ecde8ce0198dabe9553e237ef46b328240d7f51231d3bb

Formbook

11dde0ea97b2f63edbd9d6b42af105bff7fad9225396219a6de96cb8d51125d7

Formbook

39e1002eaf485405155f98f77b331263ab1e6fea26623dd83029f9bcc58d3c9f

Formbook

70d759be9f935d289ee1627038a118e9493d45ecebfcd477f0b43a8253afffb4

Formbook

73c2ee6d691663df62c983da3572abc381a0940f2cbdfb2ed8d48cb225d7b5f9

Formbook

878730d98ca2b265653a8c94f41fbb35a564fd36453a04c830d7c59a626f633e

Formbook

924f1664b6169e8237010c409e5f7e492f406154939718ce7a6ebf24cb707e99

Formbook

c27adae0af4b3c5c71d33f4707fc1e0c51cd9ed61f88169014a6022fabc87dc8

Formbook

df19a60152fff0338d5ee7d2b969a4dbded6d3f2752ae246090e7e8f79c43815

Formbook

+ 8'743 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:mxwf rat spyware stealer trojan

Link:

https://tria.ge/reports/210901-jqcblrw1hj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.zahnimplantatangebotede.com/mxwf/

Unpacked files

SH256 hash:

58a8d91b66a32898bb3b9d29ad32ac91916d3c6ef814bf364c728fa70d068385

MD5 hash:

d4df5abbec423b07def7ab5d036f5dbe

SHA1 hash:

f082f1451a77d793ec3607fe801e4f67086c2977

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/ca9344e8-5e34-4318-917f-ef56c8177d32/

Parent samples :

34ff91c0be47c6edae673081f4814ca9b7432d6db4975ab66a911f36fe481d70
7240d57a675a066d7dcb095a520ec2b86c2460080ccfbc759a9d404dec7d3817
0ea81e325568a6d5c8ecde8ce0198dabe9553e237ef46b328240d7f51231d3bb
878730d98ca2b265653a8c94f41fbb35a564fd36453a04c830d7c59a626f633e
35a776da3e6d2d8bcd69a7427ab25846c233403372bf3ecb6055c252ae696766
cc9460866fbf6ae7430f759bc11a90a3536a0032319f20757421a2e08f60faba
73c2ee6d691663df62c983da3572abc381a0940f2cbdfb2ed8d48cb225d7b5f9
39e1002eaf485405155f98f77b331263ab1e6fea26623dd83029f9bcc58d3c9f
6cbc8098614c094caf34a0eae5242f77ae55e6ff77184f6a5b708703698ccc1a
3f8cd22d1b3b93b4884c70e6a9c032d2d7e2bb341db8ea85d4c86b1d0e5cfaf9
0aa68b819455d1810d114c502d6a221d0da9320d506c31b9e83b7a488f46a954
c27adae0af4b3c5c71d33f4707fc1e0c51cd9ed61f88169014a6022fabc87dc8
70d759be9f935d289ee1627038a118e9493d45ecebfcd477f0b43a8253afffb4
df19a60152fff0338d5ee7d2b969a4dbded6d3f2752ae246090e7e8f79c43815
11dde0ea97b2f63edbd9d6b42af105bff7fad9225396219a6de96cb8d51125d7
924f1664b6169e8237010c409e5f7e492f406154939718ce7a6ebf24cb707e99
a03553c928c61ff148b7440e8dab61dc7eac554f576a35d9418f438439cc18d7
bd7323675e66df34d833d17897c6f98e9848dd062be6f299f482c09a90de4255
759cc43ff9429a9b6e48c20708461b7af39a106efbcb98d541c01d6c44ea9b3f
11c58c805f392c745057848c834966d60da68935cc077206951dbde69585ac6c
c32e7fab7c0e4d5aed13b94b07fcbf1f46106000bb2388301a0a2bcbc920c757
fcd82e581d68847a1f240bcf0123de948a8bde781a05fbbb805d0033bf91ff43
7287808b83f962ac07183a16ed4da5748e84b51946905ce0156c3b3b93ac9240
3b012c89bb2f6a513be0335d94b0b7f8517edeb70ba37b559a94b0993df4ad80
e55a6e9d04d90fe3e41ce6b936bc7642dee3e7a804abfc7527ff74ee3062a1ea
41c5b0b2b9afd1f7dc207176e2a200042660dcdb02c745cc750e13f1d3ad7b01
51d534b716e35b643ac2a4aa73effe9607abfc61a36b7b4a423c9383002b755e
ee0d275c50b493cc73f73d19665d9b126e038a7ea1307043eb71442280f6bd7d
2486c4ebc2834ad7e9517107e7d7813fa1b84d5b2df4f928a0144b81d1273e8c
c4b1789371d832969f812bd0a577e380cdac00db6775d7fc251adf8d92c15d74
3cf411dfe4bd60c8bb4c7e0c77d0418c885e65570c7a5b8458d60cdf06423960
81ca6e69c74078c286b640b713714f3c8dd178bf231736919a01d653422fa5b5
0c20d42cbdc31d5b40846425b381c84761898abe3659ba221d2b8e9e213964a2
f0b80a2a51f2e8fa5ceb014b82d25cb1fbf586c85bdd35bf0b0ab165aa7cbc3a
221e9e3719749c7017ad2100a3d48e0ddb47824e02627fe859706fb591332849
eb1a7fdf49ef074c93385c99303fb92155f677f17c17dff1f1ad5967700d6410

SH256 hash:

9a569be1313734a7a5657149f890204e1246833e80ac0e45c15b9ebc972cfa99

MD5 hash:

db1ca79a10eb8debc020653b67a41ed4

SHA1 hash:

c9aff868749946879d85e0c75c11a085d3c244c2

Link:

https://www.unpac.me/results/ca9344e8-5e34-4318-917f-ef56c8177d32/

SH256 hash:

79cbcf6817d86b7d8cb0753e9639c4c8b1b0b7c4493d6454c5e6589638f68bb3

MD5 hash:

abbb5be568c755727cfeb096819c4534

SHA1 hash:

58a1178f766c158b9cca6a5ca52d1f532e5b73b4

Link:

https://www.unpac.me/results/ca9344e8-5e34-4318-917f-ef56c8177d32/

SH256 hash:

a03553c928c61ff148b7440e8dab61dc7eac554f576a35d9418f438439cc18d7

MD5 hash:

2aee5ea79b9327ec85da89421b92d219

SHA1 hash:

4f20d0608bfd3d10a8ef00ed65d9cf51387c4e00

Link:

https://www.unpac.me/results/ca9344e8-5e34-4318-917f-ef56c8177d32/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/a03553c928c61ff148b7440e8dab61dc7eac554f576a35d9418f438439cc18d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe a03553c928c61ff148b7440e8dab61dc7eac554f576a35d9418f438439cc18d7

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1583601/

Cape

https://www.capesandbox.com/analysis/184506/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-09-01 15:20:54 UTC

url : hxxp://lg-tv.tk/mazx.exe