MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a76ab3f6348514a539866d7c10def9e37f83daaf7e4678177f5cfb4ab1d4c120. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 6



SHA256 hash: a76ab3f6348514a539866d7c10def9e37f83daaf7e4678177f5cfb4ab1d4c120
SHA3-384 hash: dcaf267e3c870c1387abe9c282c89017c00383f5142f01403c1423723c4caa2d1592ba99936920e7383d390c440ed6df
SHA1 hash: 5cce05cc220e9141324d5a89f3ded78b564d3046
MD5 hash: 81132085c7ac12d1f4ef271725f124f6
humanhash: mexico-lion-thirteen-black
File name: 81132085c7ac12d1f4ef271725f124f6
Signature: Formbook
File size: 564'736 bytes
First seen: 2020-11-17 11:54:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger). This imphash is shared by tens of thousands of samples across unrelated families because .NET executables typically import only mscoree.dll!_CorExeMain; for an MSIL sample like this one it is not a useful pivot, so hunt on the YARA matches, the C2 and the unpacked-file hashes instead.
ssdeep: 6144:4Kf9ojc7FRWwDFSs5Og4HzABGTvApOrz/6TXSdVW1DcpLvkIihWBvf3x+nsB:jbRWwpSsMBHkBGjApOoXSPqugj8
TLSH: 22C44B723BDE5C6DCB5A01B5056A80C0B9B317C73FB78A0DA09A430CCE31A5ADB5ED56
Reporter: seifreed
Tags: FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 62
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Creating a process from a recently created file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Threat name: ByteCode-MSIL.Trojan.Variadic
Status: Malicious
First seen: 2020-11-10 05:55:38 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook agilenet rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Executes dropped EXE
Formbook Payload
Formbook
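The behaviour flags above (a process created from a freshly dropped file, UnmapMainImage, WriteProcessMemory, SetThreadContext, injection into a recently created process) are the API footprint of process hollowing: start a benign host suspended, unmap its image, write the payload in, point the primary thread's context at it, resume. The following Python is an added example, not part of the MalwareBazaar entry or of either vendor's sandbox, showing how that chain can be detected in an API trace. The trace lines and their JSON shape are constructed for the example; the mapping of the vendor's labels onto Win32/Nt API names is my interpretation, not the vendor's.

```python
import json
from collections import defaultdict

# Win32 creation flag that starts the child with its primary thread suspended.
CREATE_SUSPENDED = 0x00000004

# The classic process-hollowing chain, in the order it must hit one target process.
# The vendor flags in this entry map onto it: "Creating a process from a recently
# created file" / "Executes dropped EXE" (step 1), "Suspicious use of UnmapMainImage"
# (step 2), "Suspicious use of WriteProcessMemory" (step 3), "Suspicious use of
# SetThreadContext" / "injection ... by context flags manipulation" (step 4).
HOLLOWING_CHAIN = (
    "CreateProcessInternalW",
    "NtUnmapViewOfSection",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
)

# Constructed API trace in a hypothetical, generic sandbox shape (one JSON event per
# line; not any vendor's real format). pid 1234 drops an EXE to %AppData%, starts it
# suspended as pid 5678 and hollows it. pid 4321 starts a child normally and writes
# into it, which a debugger or installer may legitimately do, and must not be flagged.
SAMPLE_TRACE = r"""
{"pid": 1234, "api": "NtCreateFile", "args": {"path": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"}}
{"pid": 1234, "api": "CreateProcessInternalW", "args": {"image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "creation_flags": 4, "child_pid": 5678}}
{"pid": 1234, "api": "NtGetContextThread", "target_pid": 5678}
{"pid": 1234, "api": "NtUnmapViewOfSection", "target_pid": 5678}
{"pid": 1234, "api": "VirtualAllocEx", "target_pid": 5678}
{"pid": 1234, "api": "WriteProcessMemory", "target_pid": 5678}
{"pid": 1234, "api": "WriteProcessMemory", "target_pid": 5678}
{"pid": 1234, "api": "SetThreadContext", "target_pid": 5678}
{"pid": 1234, "api": "ResumeThread", "target_pid": 5678}
{"pid": 4321, "api": "CreateProcessInternalW", "args": {"image": "C:\\Windows\\System32\\notepad.exe", "creation_flags": 0, "child_pid": 8765}}
{"pid": 4321, "api": "WriteProcessMemory", "target_pid": 8765}
{"pid": 4321, "api": "ResumeThread", "target_pid": 8765}
"""


def parse_trace(text):
    """One JSON event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_subsequence(pattern, seq):
    """True if every item of pattern occurs in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == step for x in it) for step in pattern)


def detect_hollowing(events):
    """One hit per (injector, target) pair that runs the full chain against a child
    it created with CREATE_SUSPENDED. Writes into a normally started child are ignored."""
    dropped = defaultdict(set)     # pid -> lower-cased paths it created
    candidates = {}                # (injector, child) -> image info
    calls = defaultdict(list)      # (injector, target) -> ordered API names
    for ev in events:
        pid, api, args = ev["pid"], ev["api"], ev.get("args", {})
        if api == "NtCreateFile" and "path" in args:
            dropped[pid].add(args["path"].lower())
        elif api == "CreateProcessInternalW":
            child = args.get("child_pid")
            if child is None or not (int(args.get("creation_flags", 0)) & CREATE_SUSPENDED):
                continue           # not a suspended child: not a hollowing target
            image = args.get("image", "")
            candidates[(pid, child)] = {"image": image, "from_dropped_file": image.lower() in dropped[pid]}
            calls[(pid, child)].append(api)
        elif "target_pid" in ev:
            calls[(pid, ev["target_pid"])].append(api)
    return [
        {"injector_pid": inj, "target_pid": tgt, **info}
        for (inj, tgt), info in candidates.items()
        if is_subsequence(HOLLOWING_CHAIN, calls[(inj, tgt)])
    ]


if __name__ == "__main__":
    for hit in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print(json.dumps(hit))
```

The ordering check deliberately allows unrelated calls in between (NtGetContextThread, VirtualAllocEx, a second WriteProcessMemory), because real loaders interleave them; requiring CREATE_SUSPENDED on the child is what keeps debuggers and installers that write into their own children out of the results. The from_dropped_file flag corresponds to the "Creating a process from a recently created file" behaviour in the entry.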
Malware Config
C2 Extraction: http://www.ir4e.com/xbt/
Unpacked files
SHA256 hash: a76ab3f6348514a539866d7c10def9e37f83daaf7e4678177f5cfb4ab1d4c120
MD5 hash: 81132085c7ac12d1f4ef271725f124f6
SHA1 hash: 5cce05cc220e9141324d5a89f3ded78b564d3046

SHA256 hash: 438c791ebd524dfde7d7cbc61746ab6f80853f95eecb274045424b329c7b6896
MD5 hash: d6822520989a6c152f6e109cc0acc52d
SHA1 hash: 4872a8f5f3a652e5b19d606f459f49023217c355

SHA256 hash: b2daba8bd9bd8180b3a3f99be8b5c5341cf5393d09c3975eaf8cc25fd6c004fe
MD5 hash: 157dbc7d2a3ff1c46eeddea60af1a3b4
SHA1 hash: 4c501dec940f11fb180224faceff33617f5b98f4

SHA256 hash: e487a70777784d79a27aabd67e236c7bacddcdeb1a10124ebb3b557d93808bea
MD5 hash: 5952b130c212e37df8073866c8093957
SHA1 hash: 060530e1830c9350b4612f7abd3ecbc9a75e9e9a

SHA256 hash: b6ca86060e20797142277dcd188e9250180a21ed032c25267c292563a6433de5
MD5 hash: d815f92a5761d463d75ad52af6be40bf
SHA1 hash: 0be3a832d2af5230ce73978c374b6bfb9068de5a

SHA256 hash: 7519e8bba5fd7a2516d9887fc5804594aeb55fcdc8a83a9f3c5a1fb9c14a23d3
MD5 hash: de2dd76c672d2118d9182f4a504794f6
SHA1 hash: 2d045ed20e0308d351ff6c61e868cd30a3e75c30
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: d2f49ac4dbcdbc5e79d894a4625bc97d73a08a81734128d1851fc071e071ed99
MD5 hash: d38d781dc71b2cecf0fa5a08fc2ebafa
SHA1 hash: e7517b33b2f769dc7b434e38bc67ba2e8fcf3baa
Detections: win_formbook_g0
Please note that we are no longer able to provide a coverage score for VirusTotal.
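The flattened key/value dump above (sample hashes, C2 extraction, unpacked files with their YARA detections) is what you get when scraping or exporting this entry. The following Python is an added example, not MalwareBazaar's own code or API: it parses that shape into a structured record, validates digest lengths, normalises the page's "SH256" label, and emits a de-duplicated, defanged indicator list in a format of the example's own choosing. The embedded text is an excerpt of this entry trimmed to two of the seven unpacked files.

```python
import re

# Excerpt of this MalwareBazaar entry as the page renders it (constructed from the record
# above, trimmed to two of the seven unpacked files; the sample's own SHA256 appears twice,
# in the header and as the first unpacked file, exactly as on the page).
ENTRY_TEXT = """\
SHA256 hash: a76ab3f6348514a539866d7c10def9e37f83daaf7e4678177f5cfb4ab1d4c120
SHA1 hash: 5cce05cc220e9141324d5a89f3ded78b564d3046
MD5 hash: 81132085c7ac12d1f4ef271725f124f6
Signature Formbook
Malware Config
C2 Extraction:
http://www.ir4e.com/xbt/
Unpacked files
SH256 hash:
a76ab3f6348514a539866d7c10def9e37f83daaf7e4678177f5cfb4ab1d4c120
MD5 hash:
81132085c7ac12d1f4ef271725f124f6
SHA1 hash:
5cce05cc220e9141324d5a89f3ded78b564d3046
SH256 hash:
7519e8bba5fd7a2516d9887fc5804594aeb55fcdc8a83a9f3c5a1fb9c14a23d3
MD5 hash:
de2dd76c672d2118d9182f4a504794f6
SHA1 hash:
2d045ed20e0308d351ff6c61e868cd30a3e75c30
Detections:
win_formbook_g0 win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
"""

# Printed label -> canonical key ("SH256" is the page's own typo for SHA256).
LABELS = {"sha256": "sha256", "sh256": "sha256", "sha1": "sha1", "md5": "md5"}
HASH_LEN = {"sha256": 64, "sha1": 40, "md5": 32}
LABEL_RE = re.compile(r"^(SHA256|SH256|SHA1|MD5) hash:\s*(.*)$", re.I)
SECTION_START = {"C2 Extraction:": "c2", "Unpacked files": "unpacked"}

def valid_hash(kind, value):
    """Length and hex-alphabet check: rejects truncated or mangled digests."""
    return len(value) == HASH_LEN[kind] and re.fullmatch(r"[0-9a-f]+", value) is not None

def parse_entry(text):
    """Turn the flattened record into {"sample": {...}, "c2": [...], "unpacked": [...]}."""
    entry = {"sample": {}, "c2": [], "unpacked": []}
    section, pending, current = "header", None, None   # pending: label awaiting its value line
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line in SECTION_START:
            section = SECTION_START[line]
            continue
        if line.startswith("Signature "):
            entry["sample"]["signature"] = line.split(" ", 1)[1]
            continue
        m = LABEL_RE.match(line)
        if section == "header":                   # "LABEL hash: value" on one line
            if m and m.group(2):
                kind, value = LABELS[m.group(1).lower()], m.group(2).lower()
                if valid_hash(kind, value):
                    entry["sample"][kind] = value
        elif section == "c2":
            if "://" in line:
                entry["c2"].append(line)
        elif section == "unpacked":               # label on one line, value on the next
            if m:
                pending = LABELS[m.group(1).lower()]
            elif line == "Detections:":
                pending = "detections"
            elif pending == "detections":
                if current is not None:
                    current["detections"] = line.split()
                pending = None
            elif pending is not None:
                value = line.lower()
                if pending == "sha256" and valid_hash("sha256", value):
                    current = {"sha256": value, "detections": []}   # a SHA256 opens a new file
                    entry["unpacked"].append(current)
                elif current is not None and valid_hash(pending, value):
                    current[pending] = value
                pending = None
    return entry

def defang(url):
    """Neutralise a URL for sharing: leading http(s) -> hxxp(s), dots -> [.]."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")

def to_ioc_lines(entry):
    """Flat, de-duplicated indicator list (example format, not MalwareBazaar's own)."""
    family = entry["sample"].get("signature", "unknown")
    seen, lines = set(), []
    for rec in [dict(entry["sample"], detections=["sample"])] + entry["unpacked"]:
        for kind in ("sha256", "sha1", "md5"):
            if kind in rec and rec[kind] not in seen:
                seen.add(rec[kind])
                lines.append(f"{kind}:{rec[kind]}  # {family} ({','.join(rec['detections']) or 'no YARA match'})")
    for url in entry["c2"]:
        lines.append(f"url:{defang(url)}  # {family} C2")
    return lines

if __name__ == "__main__":
    print("\n".join(to_ioc_lines(parse_entry(ENTRY_TEXT))))
```

Two details matter in practice: the first "unpacked" record is the sample itself (same three hashes), so any list you export must de-duplicate or you will double-count it; and an unpacked file with no Detections line is still an IOC, just one that no TLP:CLEAR YARA rule fired on. MalwareBazaar also exposes a JSON API, which is the better source when you can reach it; this parser is for the rendered page.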

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Formbook
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Author:Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Other

Comments