MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a75c86c3baabf9dea3dd33fde9e53eb91608ba0466d947ac6f9506de45d099ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a75c86c3baabf9dea3dd33fde9e53eb91608ba0466d947ac6f9506de45d099ea
SHA3-384 hash: ee1d22081563e9a7983e21375f9683e71eaac1cc351e2fe1520efce1b0729adc04f571eefdf738e656adea62701f6bf2
SHA1 hash: e8526b0fecfe9b71797d43fb08b85515e03fc037
MD5 hash: 8c5350abb9e91109f0801109653bdaed
humanhash: mexico-eight-white-shade
File name:8c5350abb9e91109f0801109653bdaed
Download: download sample
Signature Formbook
Create hunting rule
File size:367'104 bytes
First seen:2021-11-16 10:21:02 UTC
Last seen:2021-11-16 17:18:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:/l0UmuDw4ew3l+ts+7hZTjWOEov4XgeVtAPGRgZzwIc3u0zyytWHC:/zmuDwY3QtNVZTy1ovLKq+RE3c+6yuF
Threatray 11'298 similar samples on MalwareBazaar
TLSH T16B7412165BBD4A12EA3B4FFEA030111613F5951A2213F78A0FE5E4DF3F62F919601A63
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206297/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.1029.4592.23396.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6193861043e8f62b66952551/reports/87cc8c90-cc5a-4802-9fe2-099bad19a13b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62320c1f-2eb2-4a5b-b2bc-93b916096438
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890281
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 522754 Sample: ryCnT12xpf Startdate: 16/11/2021 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 7 other signatures 2->39 10 ryCnT12xpf.exe 3 2->10         started        process3 file4 29 C:\Users\user\AppData\...\ryCnT12xpf.exe.log, ASCII 10->29 dropped 49 Tries to detect virtualization through RDTSC time measurements 10->49 51 Injects a PE file into a foreign processes 10->51 14 ryCnT12xpf.exe 10->14         started        signatures5 process6 signatures7 53 Modifies the context of a thread in another process (thread injection) 14->53 55 Maps a DLL or memory area into another process 14->55 57 Sample uses process hollowing technique 14->57 59 Queues an APC in another process (thread injection) 14->59 17 explorer.exe 14->17 injected process8 process9 19 svchost.exe 17->19         started        signatures10 41 Self deletion via cmd delete 19->41 43 Modifies the context of a thread in another process (thread injection) 19->43 45 Maps a DLL or memory area into another process 19->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 22 explorer.exe 2 150 19->22         started        25 cmd.exe 1 19->25         started        process11 dnsIp12 31 192.168.2.1 unknown unknown 22->31 27 conhost.exe 25->27         started        process13
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a75c86c3baabf9dea3dd33fde9e53eb91608ba0466d947ac6f9506de45d099ea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 10:21:04 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
46a0a8595dccf134213c2e9ae10dd6fdd8e3ff5f0cb1b01014a6b67e31927eec
Formbook
65acd8c73c518c97a1539bc8e3f62fb8f06431d7030c6cc1463c855aec0ec46f
Formbook
6bce7b4a9dc4b092b2940ee941b8defdc5d60c56a57b2621aa3ac6b957e3cdfd
Formbook
779b3d4b4260713c0311e93b9cfc9c91c74242f608d2024f7d257b00f6e7b94c
Formbook
9f6277c9f028bd5ba1acf206a4d9dc8ffcd0624240c095445607bf59de709a6f
Formbook
b0cfa1848c7b08eb881e615731493df57963468fa3fb461ebf1468271dd17a14
Formbook
c96178775d7f8dd8b06a4e59aad0367f36abc11680081acfcc2b446fb0ee28b1
Formbook
cce115dcfb19503dfbc71566681425094ca56887fc1afe85b9bc9788341312bf
Formbook
e14df53adff2889344d4502133a00a389e06039715c26a7724ed3f046fc683a1
Formbook
f2a5c2addef1471e98841eb5f2abbc5cd27c360f8850a69ef0a233d07744a9b8
Formbook
+ 11'288 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:fa83 rat spyware stealer trojan
Link:
https://tria.ge/reports/211116-mdncjadca8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nshocam.com/fa83/
Unpacked files
SH256 hash:
180b50344d1b6b506d9832816f7a88ec8a04afe44cc114c1aff99bffe3868bf8
MD5 hash:
85425e1cd507aaf0dd799778f8fe432d
SHA1 hash:
1a26201e8f44fa3efa8b4e78b843445f40616447
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2c76b954-0cfd-4c5e-b575-ffb575541ef4/
Parent samples :
a75c86c3baabf9dea3dd33fde9e53eb91608ba0466d947ac6f9506de45d099ea
84c2b9e7449d2cf1ec1d43b13a9163e6fe355e3f8d301b34b7930d24f916725a
f1767a23201e1d5d234ead79f84de4a76f789aaa83f920b8cf4e0783f125d17c
ed2f68ce6d715976cfad3c41991685f1a190713626aea55c454da90682aa7ccb
6876e8698f67c2b477c89b891199d3485051a14f52284f39e35a8e8057f53fae
fd7d542aa6e922020e6fb15fc151be03a967ca01b09c75cd267302b873f1a79c
1409ef2f3a8f71bcac7c0e335380f5a804535dba5dca598429298a53aaec9e04
039cb9fe74c15a9ef07f795f41f1a05bf2adad49566c866f94befed5815503e4
54562896613b429de9564f501b6d277537a57dc5d0a9bbaa5260e3ffc055a543
84f01d9761a5e76774cac6a3a21c50e3b653f725276d32ea3a10d7ec00e14c99
4ae2cc851969d2bf66879df62acb3860edf32e3224b3a81460fc84ca476cf8e4
a5ad2e2a940e084ddec9db413a6c44a30b6029c8cf2bafb1320d67b1c60280e3
3a536da54a1cdf554d1fe3301c4a7936f889a7c86e166cb081429450e97cd4f6
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/2c76b954-0cfd-4c5e-b575-ffb575541ef4/
SH256 hash:
f6bbe5fe6c484fc4c2483f79aa0958d8f06b9781461db29131b5e1eaf4f929f4
MD5 hash:
82981a621d8385f3f673d693763dac4d
SHA1 hash:
74bd5f0b6c72974161396b116525552f65888b33
Link:
https://www.unpac.me/results/2c76b954-0cfd-4c5e-b575-ffb575541ef4/
SH256 hash:
a75c86c3baabf9dea3dd33fde9e53eb91608ba0466d947ac6f9506de45d099ea
MD5 hash:
8c5350abb9e91109f0801109653bdaed
SHA1 hash:
e8526b0fecfe9b71797d43fb08b85515e03fc037
Link:
https://www.unpac.me/results/2c76b954-0cfd-4c5e-b575-ffb575541ef4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a75c86c3baab/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/a75c86c3baabf9dea3dd33fde9e53eb91608ba0466d947ac6f9506de45d099ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe a75c86c3baabf9dea3dd33fde9e53eb91608ba0466d947ac6f9506de45d099ea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1793076/
Cape
Cape
https://www.capesandbox.com/analysis/206297/

Comments


Avatar
zbet commented on 2021-11-16 10:21:05 UTC

url : hxxp://samsung-tv.tk/famzx.exe