MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6aeb5cf114a71fa601383fc9ffe44b7011dd109df868f984b05917dbd23cff4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6aeb5cf114a71fa601383fc9ffe44b7011dd109df868f984b05917dbd23cff4
SHA3-384 hash: 0824c12d3452ea68dd974947d49cc5b167e00c639b872f613858b2e8dfcacb0d35a19d547c79b8a78534f3cb017e773c
SHA1 hash: 9fe6c7765b0fdeacb868eb938801eb6e039dd49e
MD5 hash: 3af30bea9bd6c42df28deb8b6da69188
humanhash: ohio-north-mike-april
File name:3af30bea9bd6c42df28deb8b6da69188.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:515'584 bytes
First seen:2021-02-11 11:07:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:28Zi970+pveLZyHaRUgDTPU6p6D4Ze+XpU4UKI7EGoLn:dZApvIZy6CWTPTy3+Z1UKIgGo
Threatray 3'822 similar samples on MalwareBazaar
TLSH B1B402291FBC9E56D3697F790E70E21463F9D2011E1AC30ADFA42CDD966AFCC5AC0681
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3af30bea9bd6c42df28deb8b6da69188.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-11 11:14:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e8f8a41-3a28-4b7d-aeb2-0093e993c02c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116809/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605752
Signature
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 351914 Sample: 2H2JIKQ8tN.exe Startdate: 11/02/2021 Architecture: WINDOWS Score: 100 31 www.tbfctenterprise.com 2->31 33 tbfctenterprise.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 8 other signatures 2->47 11 2H2JIKQ8tN.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\2H2JIKQ8tN.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 15 2H2JIKQ8tN.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.biayar.com 91.195.241.137, 49732, 80 SEDO-ASDE Germany 18->35 37 tbfctenterprise.com 34.102.136.180, 49741, 49746, 49747 GOOGLEUS United States 18->37 39 7 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 cscript.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a6aeb5cf114a71fa601383fc9ffe44b7011dd109df868f984b05917dbd23cff4/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 09:45:42 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2xlltyrjjy7uyatqp6j77sew4ar3uij36di7gclawix3pjdz72a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18030a9ea4cf60ea858db8b302cdd94962069f232be6212787ad1ddca0bbbe54
Formbook
420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5
Formbook
563bb7942710f08ce409f8418fd0d917877998c978ab0155cb3c1b5eec3b1e7b
Formbook
67796c5703511869c9ca00f5430d97318529e31a44d4553f2fc647ae9c3814d4
Formbook
8e36fffa202c9e53540594a8032a2c13751dc6088007f62e7cdd08eea6d71c27
Formbook
970aa1ea39079684830789ad8c5c9cbf9777b65fdb44130aa8bbe4b88245e6fc
Formbook
a078d966a3ac5a7ac639b01ba4d3230c7554d7d75e9e7f59dc35b623aec8dbda
Formbook
d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c
Formbook
f03ce9b002d389709422b30388879f944410b91496c44cb29dbeeef0788b8987
Formbook
f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443
Formbook
+ 3'812 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210211-vzemglcyae/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.dehuifx.net/gcp/
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/c6a68337-6601-4d20-ba2b-c84f677ef8ec/
SH256 hash:
a6aeb5cf114a71fa601383fc9ffe44b7011dd109df868f984b05917dbd23cff4
MD5 hash:
3af30bea9bd6c42df28deb8b6da69188
SHA1 hash:
9fe6c7765b0fdeacb868eb938801eb6e039dd49e
Link:
https://www.unpac.me/results/c6a68337-6601-4d20-ba2b-c84f677ef8ec/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a6aeb5cf114a71fa601383fc9ffe44b7011dd109df868f984b05917dbd23cff4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1000560/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116809/

Comments