MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a14ae718bd486d1db0ac41a00f37ce34808fd267ee1286663a00f1baea7069d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	a14ae718bd486d1db0ac41a00f37ce34808fd267ee1286663a00f1baea7069d5
SHA3-384 hash:	9fa6d599aa997250d7612f5e06f823aedddab40678ab2c18eb144a252de8fb641a8efbe9e349ed65bcc5ac95e7ac8515
SHA1 hash:	f7eca23cd503d889056cb95d4a6f3651892c261a
MD5 hash:	44842fa85b4ff61606bb2dca661374c9
humanhash:	monkey-enemy-oranges-grey
File name:	SecuriteInfo.com.W32.MSIL_Kryptik.CYQ.genEldorado.6066.16621
Download:	download sample
Signature	Formbook Create hunting rule
File size:	767'488 bytes
First seen:	2021-04-25 23:38:56 UTC
Last seen:	2021-04-26 12:43:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:QdH5J0y0FtwnoFEbL7caQTvLV4O0PBxE+ofdyGzZl8kSAFgzc6:QdH5J0y03EKfaQTW8+opcA
Threatray	4'781 similar samples on MalwareBazaar
TLSH	F1F4E121629ADFA5E47D977A90244944C3F5FD2BE732E68D7DC9B0A90B73F804212B13
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.MSIL_Kryptik.CYQ.genEldorado.6066.16621

Verdict:

Malicious activity

Analysis date:

2021-04-25 23:41:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8a1ba9c0-2e3e-4c9b-9e50-dab36cf8194f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/144118/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.CYQ.genEldorado.6066.16621.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/697159

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/a14ae718bd486d1db0ac41a00f37ce34808fd267ee1286663a00f1baea7069d5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-25 21:11:30 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uffoogf5jbwr3mfmigqa6n6ogsai7uth5yjimzr2ady3v2tqnhkq._file

Verdict:

malicious

Formbook

03805a08ddc03ad125ae1566868e0ccde7965350d760dc212a224ab10520a2d8

Formbook

494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535

Formbook

625140ec60caaae03895c18ad400c65f5d5b15f55c7a01eb419a4215d295a6ee

Formbook

70def7c02d96cb8aab6702e0d6f32c72d7fafbd2b883e09007de9fe204cd3f59

Formbook

a48a4f0d917d131353d46e23144550e83a39b26ab311287e4cdff30c009d5f66

Formbook

a64fb325fa611518c20644dfbe5728eb7767caeb63df08c4935dec5fc4ffe988

Formbook

e069440cfd88504140f6315acc7174bd0dd961f070ccbf9b9b82c2e01af8113d

Formbook

ecc540938addc1a440ef6ceb7714a0b45153c04c28df4395e3de18181439341a

Formbook

fb17b85aa2aeaa59cb6db3e1c6eb68f83a570b5de3f10d3b09dd47a4aebdedea

Formbook

+ 4'771 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210425-lewsxn2kpn/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://w��5 �@q[*��S=��m

Unpacked files

SH256 hash:

e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39

MD5 hash:

efb0de4397ea61e17d262e278b53ff86

SHA1 hash:

727fdf2ceb13262d56bdda24a02564fb3e80c8b0

Link:

https://www.unpac.me/results/3b8c5d81-fa87-40b8-a371-7878965e2dd3/

SH256 hash:

a14ae718bd486d1db0ac41a00f37ce34808fd267ee1286663a00f1baea7069d5

MD5 hash:

44842fa85b4ff61606bb2dca661374c9

SHA1 hash:

f7eca23cd503d889056cb95d4a6f3651892c261a

Link:

https://www.unpac.me/results/3b8c5d81-fa87-40b8-a371-7878965e2dd3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a14ae718bd486d1db0ac41a00f37ce34808fd267ee1286663a00f1baea7069d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/144118/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample