MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d
SHA3-384 hash: 413b5ee5826b8329504ea32386ff9c313052a07b5f20bcd8e510a6ea00ac170cb7f6156ed8402e3a19602d10a207254d
SHA1 hash: 8c9831b837374d718e24d35ec7e93f642a2b74ba
MD5 hash: d403ceb699085cfd12ada96aa419a37b
humanhash: rugby-alpha-xray-oranges
File name:PRODUCT LIST.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:606'720 bytes
First seen:2021-11-11 09:19:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:9NkLt1ac75ZalBvZ6sOEBb0OAZcELFacWHi+MnMVuL0477oaXnz61QIb:0tkCalCsOw0OACELwTC+TY0gz
Threatray 11'133 similar samples on MalwareBazaar
TLSH T1FDD40188B485C165EC650BB9895649E54333BD7AEE10FB6F3AC4F35E2B333D28426613
File icon (PE):PE icon
dhash icon 90ba7181e46588f0 (31 x AgentTesla, 11 x Formbook, 9 x Loki)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204937/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.38803.18475.14121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook obfuscated packed
Link:
https://www.filescan.io/uploads/618ce045dec3347825a1e4e3/reports/637c8821-24fc-40a7-b191-75d69a837d70/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b1ccd8c-092f-4ceb-ad47-5ed2624f4c78
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/887354
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 519827 Sample: PRODUCT LIST.exe Startdate: 11/11/2021 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 10 PRODUCT LIST.exe 3 2->10         started        process3 file4 27 C:\Users\user\...\PRODUCT LIST.exe.log, ASCII 10->27 dropped 13 PRODUCT LIST.exe 10->13         started        process5 signatures6 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.aprilsaak.quest 37.123.118.150, 49853, 80 UK2NET-ASGB United Kingdom 16->29 31 360metaverse.biz 15.197.142.173, 49826, 80 TANDEMUS United States 16->31 33 3 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 37 Uses ipconfig to lookup or modify the Windows network settings 16->37 20 ipconfig.exe 16->20         started        signatures9 process10 signatures11 47 Self deletion via cmd delete 20->47 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 07:36:34 UTC
AV detection:
12 of 41 (29.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqbbxpqvlnkkze55lssaw3fgcmaxjvwrsldp2iar5ftx2vwat5gq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ee20ec28c5649c69a2cab43e7f7e99d9f6c839cc5ae5ed2e279281682fe3b53
Formbook
24020c0cae5f243c30eaee1fa84e2bf8899f1acb80a16491b7dce179d1ffe6a4
Formbook
2c74b3cf30c4c89fcd341129917f850be3faf7f7f91646545e7d65106a30dfb0
Formbook
2eec14d00309c58144cc8234ebc9c5c4c9d81a3511f45830e50a3929fe2b158a
Formbook
c6043c3c87526712c251385dacc61e443647d1dcca1e86ce411e69cb711c4640
Formbook
c781169f80930851f2174df529d1aaba061c45fd7ef90c5059a7c513bfda3414
Formbook
dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c
Formbook
e83ce530468ceacafc364791ce8de4cdc2b456cb0df25b93ac4055a99b031702
Formbook
fcb7e25d33700d8f04ab05d2fc0cba77dc5ccf6a32b93abc3511dcfb608dbc9e
Formbook
+ 11'123 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:r4gk rat spyware stealer trojan
Link:
https://tria.ge/reports/211111-lar1wabac9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.aprilsaak.quest/r4gk/
Unpacked files
SH256 hash:
c61f6a0fd94660d9cc012788f67e089482e2b9743b00fa2c19dca96abfe833f6
MD5 hash:
8bb6b6d0be4eba9ea6eac2d16dc37860
SHA1 hash:
34e95e9a52e8252c6ef2d2d174834673afc3d0f7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/df183799-b798-4537-86bf-c4ce5cf39871/
Parent samples :
e827c29f504045d8e6d8a2eb622a571f83e1bf9afaa8f1b839af76f457b45135
fc9165f2702032e355b392fe6ada38cfd6e1eceafb5453de7991369addd266a6
fcb7e25d33700d8f04ab05d2fc0cba77dc5ccf6a32b93abc3511dcfb608dbc9e
7ba579db4b2485e75dbeff653199f592e4067706225975038ad011b73562c3fb
1910bc92f591b3feb607aac1518fe2cc6c834b627b76637cb27464006e072a22
6e8be6a1ec2b4c1ec33860b33f09b0e239db6d5453a5713a2aa31e822a8b50b2
9611957db07f36a13d7e43f5c32c08c0e3c44c689e7d88c832490e3d259cfb48
93570be59d8c3f3608ffe0b137503c6555e6f40514af2c22989fe61a2394ecd5
b6ca9c2cfe348caed404d0718fc0d6cb89ff38c5851663077fc69e64944424cf
faf70cbc3094ec594a823dd4516fa6cc662e908b36bdec13c61a7b10c85072fa
ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d
SH256 hash:
bd4c4912209802bb457983177d94b220d20dc9775ff973f90bd1c6afd729bc9c
MD5 hash:
8cde05c2cc918a68b075bdb2854c9994
SHA1 hash:
bc3c4e2826370171102ee8b7bd317493cd72c15f
Link:
https://www.unpac.me/results/df183799-b798-4537-86bf-c4ce5cf39871/
SH256 hash:
2a541cbfcf414d17f1f4aedc56fdca4aece89afca973c013751b4c009b15fe05
MD5 hash:
eb7697625f094e84341cdad5661db066
SHA1 hash:
2e03053131c0535631a8d1b3bed6620f32c69472
Link:
https://www.unpac.me/results/df183799-b798-4537-86bf-c4ce5cf39871/
SH256 hash:
ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d
MD5 hash:
d403ceb699085cfd12ada96aa419a37b
SHA1 hash:
8c9831b837374d718e24d35ec7e93f642a2b74ba
Link:
https://www.unpac.me/results/df183799-b798-4537-86bf-c4ce5cf39871/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ac021bbe155b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/204937/

Comments