MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4c1a6ef8096c0daa6a02938b54ed1ccdac1252377a50820703e0c49a535e354. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4c1a6ef8096c0daa6a02938b54ed1ccdac1252377a50820703e0c49a535e354
SHA3-384 hash: c484abb78ed28417ae7c08d01d553aef228022d9cb43d1852134fc5095ce3719c070e1fcbda9ce3620894de74c612d56
SHA1 hash: 74a0be913b9a225dfd55d101749d6cfe06055192
MD5 hash: f147f68abd1778ab5137b18796eea5ed
humanhash: cardinal-washington-uniform-connecticut
File name:f147f68abd1778ab5137b18796eea5ed.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:501'248 bytes
First seen:2021-09-14 08:42:45 UTC
Last seen:2021-09-14 10:12:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PGk4DbF53e0IUFLbgQ+BuzPhe6We7bjx87YYTE:AvTAuD/Pq82E
Threatray 9'240 similar samples on MalwareBazaar
TLSH T168B4AD203DFB5129F1B3AFBA5AE0B5968A6FB6733613E45D144103870B13E81DE9173A
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
famz12 4.doc
Verdict:
Malicious activity
Analysis date:
2021-09-14 08:04:02 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/4c12eb52-624b-47e7-a515-b376f134ce5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187770/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.21510.2268.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61750df5db358dd15ed92241/reports/9ecefd46-6137-487f-8854-5959c0aeaf8c/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0c4116d-98f8-4181-a76c-b52786413ee4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850501
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 482932 Sample: G2aS9Rd9ys.exe Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 31 www.washablen95.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 11 other signatures 2->45 11 G2aS9Rd9ys.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...behaviorgraph2aS9Rd9ys.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 15 G2aS9Rd9ys.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 33 spnewslive.com 148.66.136.188, 49779, 80 AS-26496-GO-DADDY-COM-LLCUS Singapore 18->33 35 www.chicagousedcarsales.com 75.2.18.233, 49778, 80 AMAZON-02US United States 18->35 37 2 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 rundll32.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a4c1a6ef8096c0daa6a02938b54ed1ccdac1252377a50820703e0c49a535e354/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-09-14 06:36:48 UTC
AV detection:
9 of 41 (21.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uta2n34as3anvjvafe4lktwrztnmcjjdo6sqqidqhygetjjv4nka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
004068094b6adb0e6548b6334afd2dad79312f09e94e04a1d1206874028bdda0
Formbook
031af74c61339ca40eda7563268d9e2e2803064c141d3c46eb20acad3764f4cc
Formbook
08ab0772922343044ef4200f262c6a99d69276d5e15e8a55b190fc23a901d926
Formbook
0a954ff882c7b2e4c6fdbdfa5254c5f54e0a1616ec9cf8bcd2c1652e903264c8
Formbook
21b29b3e6e8ea1f94e0d6944026efdccf89b7f35794478daccd05e2a00f222cb
Formbook
66e06710b095c687448e0b08240a99f84dfbfc24882a2c8c9f5b165f58469d8f
Formbook
72a002cd9cd49afe6f15c5dc2ad7e3f65471b21fd4331202183b87c7ebab7fe3
Formbook
9da4d8126ac0c4c0b68066407e24cf1a36e06f0fc22ef87b0a464f90c1374095
Formbook
ae5df8905dd1b9de509e6764dea4c5571916b1705a129bddf2f5e2e554552acb
Formbook
e17c6fdddc41bc1200df93f2303ea35ac0d230e04e7641f1b589bf2a9a7d1e3e
Formbook
+ 9'230 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fzsg rat spyware stealer trojan
Link:
https://tria.ge/reports/210914-kmk8esfdc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.smallandsmart-living.com/fzsg/
Unpacked files
SH256 hash:
5b4bc65f7ec26d65086afbeb4f7a4bd63731ac92c74d5790561a2bf2a40ef458
MD5 hash:
376e28f4231093c0b239d4c0e62bbbbf
SHA1 hash:
5b7b3e6a3526b4f81cabb2f65977ce4aac497b8f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6a2bddbb-59e0-47d3-a91c-db722b438bb8/
Parent samples :
08ab0772922343044ef4200f262c6a99d69276d5e15e8a55b190fc23a901d926
a4c1a6ef8096c0daa6a02938b54ed1ccdac1252377a50820703e0c49a535e354
3a90232b1cc562fa333d9b401a6160d5de5b6be886768fae62bdae3d42ea42f6
SH256 hash:
0937e08f6858b18ce42344d8ed4cfe6189b7bc718029dbefca1cdce13a70559e
MD5 hash:
e39280927a76d8485736107be4baae28
SHA1 hash:
fb172374a19f27c79e68f9c066d5e4014cbcc247
Link:
https://www.unpac.me/results/6a2bddbb-59e0-47d3-a91c-db722b438bb8/
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/6a2bddbb-59e0-47d3-a91c-db722b438bb8/
SH256 hash:
a4c1a6ef8096c0daa6a02938b54ed1ccdac1252377a50820703e0c49a535e354
MD5 hash:
f147f68abd1778ab5137b18796eea5ed
SHA1 hash:
74a0be913b9a225dfd55d101749d6cfe06055192
Link:
https://www.unpac.me/results/6a2bddbb-59e0-47d3-a91c-db722b438bb8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4c1a6ef8096c0daa6a02938b54ed1ccdac1252377a50820703e0c49a535e354

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a4c1a6ef8096c0daa6a02938b54ed1ccdac1252377a50820703e0c49a535e354

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1599299/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/187770/

Comments