MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9496e79f16e95df9b4cb8a19053cfdb6b776e1c9f3c56760a07360b83f93d74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	a9496e79f16e95df9b4cb8a19053cfdb6b776e1c9f3c56760a07360b83f93d74
SHA3-384 hash:	762b9ca1fe40fd4859808161d09d985f91bb556fa4e4b3225bf4d3c5322aa7d9b152280f1213c3fd7abd5769d36df0c7
SHA1 hash:	8a68b76e8bef4ba007fab387381d8a5d9ffd1f07
MD5 hash:	11d5a2a76f171d31bd9ad3c396f39e15
humanhash:	carpet-bluebird-victor-alaska
File name:	bin.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	185'856 bytes
First seen:	2020-12-03 10:07:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:TaYoipZ8woVWVLmpMLfEIvHJ6aShYISxsGP/2HoED/gsj:eY7oCUMTBp6aSm8Ho1
Threatray	3'093 similar samples on MalwareBazaar
TLSH	AD04BF32D652C031E2B241B5F67D0B7B893E0E34729494E6E3E115E16FA49E9F02A31F
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/106574/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Win.Malware.Formbook-7399661-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching a process

Launching cmd.exe command interpreter

DNS request

Sending an HTTP GET request

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/554519

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/a9496e79f16e95df9b4cb8a19053cfdb6b776e1c9f3c56760a07360b83f93d74/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2020-12-03 10:08:08 UTC

File Type:

PE (Exe)

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vfew46prn2k57g2mxcqzau6p3nvxo3q4t46fm5qka43axa7zhv2a._file

Verdict:

malicious

Label(s):

formbook

netwirerc

Formbook

30d3cf43f91eea8df889ee14337ca8067bc68521ff63184c679aac80b321bb75

Formbook

3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33

Formbook

37fa0d1153831bdf8c08560d18a83afc2ccede848883819536eb81497c63229f

Formbook

46c3ab59682596a8e030fb0bad3d31c59e502f68b9f3c112309edd82d27513c3

Formbook

5007dc70fdff0e6a544f49c91da3ce378772cb397cdbb0bb3af33f4acb714add

Formbook

5c0c2689256894521ac0012bc464ad7e0d93c25c60b9df3dfe26b35d85d1713a

Formbook

63d643f5f17f5e621ef22e4c05a5d92c519376d0043c0958284d34ae206c0161

Formbook

89bf15eae14f60d6acc308cead31f09459947626b9839bbbddbf76f00821fe3b

Formbook

de4679b52c5e51db87ae9671ec2b25364dd62641377bfbfd6d5cf67e7741598c

Formbook

+ 3'083 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201203-172ltalfzx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.daughter4hire.com/gwg/

Unpacked files

SH256 hash:

a9496e79f16e95df9b4cb8a19053cfdb6b776e1c9f3c56760a07360b83f93d74

MD5 hash:

11d5a2a76f171d31bd9ad3c396f39e15

SHA1 hash:

8a68b76e8bef4ba007fab387381d8a5d9ffd1f07

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/e30b811a-9ae9-451a-b1cc-0d050067b7b0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a9496e79f16e95df9b4cb8a19053cfdb6b776e1c9f3c56760a07360b83f93d74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator