MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
SHA3-384 hash: e21889874beb813c6e6d8c1d6ee4f08dfe75192fbc22a7f0bb12a3c084d5ea7669ab5d7dcc68a7635259bfb5446abf5b
SHA1 hash: 15d023fd6d344cb18243469a3ee01fea6bb189af
MD5 hash: 41137fd61b9cc0d92225c91660a5902c
humanhash: iowa-solar-maine-double
File name:New_1007572_021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:455'168 bytes
First seen:2021-08-03 17:35:37 UTC
Last seen:2021-08-03 19:17:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bHOWiWyFfGU94mxuYfv/PT9WK+dG7VWfQTB:bHQ4mF7ZBMfwB
Threatray 7'405 similar samples on MalwareBazaar
TLSH T1C1A4126A300BE25BF6D55939E9C9D138C29D4C81381DB90828F57D27F17BC996B80ECB
dhash icon 89888abc8c8aa889 (2 x RedLineStealer, 1 x Formbook, 1 x SnakeKeylogger)
Reporter info_sec_ca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New_1007572_021.exe
Verdict:
Malicious activity
Analysis date:
2021-08-03 17:39:32 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/d779fda2-b805-48d9-aacf-ed2c46490568

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176140/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.52736.6577.28443.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee4a4c22-077c-49d0-9df8-3f1376041ced
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826421
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458848 Sample: New_1007572_021.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 5 other signatures 2->60 11 New_1007572_021.exe 5 2->11         started        process3 file4 40 C:\Users\user\AppData\...40ew_1007572_021.exe, PE32 11->40 dropped 42 C:\...42ew_1007572_021.exe:Zone.Identifier, ASCII 11->42 dropped 44 C:\Users\user\...44ew_1007572_021.exe.log, ASCII 11->44 dropped 72 Writes to foreign memory regions 11->72 74 Injects a PE file into a foreign processes 11->74 15 New_1007572_021.exe 1 5 11->15         started        signatures5 process6 dnsIp7 48 192.168.2.1 unknown unknown 15->48 36 C:\Users\user\AppData\...\FB_5E87.tmp.exe, PE32 15->36 dropped 38 C:\Users\user\AppData\...\FB_5908.tmp.exe, PE32 15->38 dropped 50 Multi AV Scanner detection for dropped file 15->50 52 Machine Learning detection for dropped file 15->52 20 FB_5E87.tmp.exe 15->20         started        23 FB_5908.tmp.exe 15->23         started        file8 signatures9 process10 signatures11 62 Antivirus detection for dropped file 20->62 64 Multi AV Scanner detection for dropped file 20->64 66 Machine Learning detection for dropped file 20->66 68 5 other signatures 20->68 25 explorer.exe 20->25 injected process12 dnsIp13 46 www.comfsresidential.com 185.53.178.50, 49760, 80 TEAMINTERNET-ASDE Germany 25->46 70 System process connects to network (likely due to code injection or exploit) 25->70 29 cscript.exe 25->29         started        signatures14 process15 signatures16 76 Modifies the context of a thread in another process (thread injection) 29->76 78 Maps a DLL or memory area into another process 29->78 80 Tries to detect virtualization through RDTSC time measurements 29->80 32 cmd.exe 1 29->32         started        process17 process18 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 04:27:30 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wbbqn6ucepbaugv2vjvowxflwkud3qcdg67lflh5i54ewnfwqk6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0881127ba3ada84a8259b0e923fb8723a89016ae555bb59c44a9b372bba7daab
Formbook
2450d5f5fa69393262ee4d935acf867ff537ffaaa0a927823b748d5d77dd9fcc
Formbook
3da43dfd3613eeaf2ed56f10624f2dabdb80948c842c98fd0e26688fe55728a7
Formbook
4f9d8536fa4475655dd14db7d472399f2b7214ddb16d3483f9a2a673e4fc1543
Formbook
6b93224c145b221ac786bf10b1471af61722e45bbd41a029789170ea7f1c0751
Formbook
7d0cc599bf46f1b454dc8a9c5abe86f6ba3c97032f153864513b98ccde3bc0cb
Formbook
c26154711ca9d9d48de370f242deb560bd0b99a0c8f12a2d1db5d4cd6e25d107
Formbook
c59f3d09668674cc602a759071c5972b8f78b2b829afd3fb8d5e6f9ecd820280
Formbook
caae480439293c7be6bb9ca27621f5b99c7391d6b7fddc179d5f5627c6144d08
Formbook
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
Formbook
+ 7'395 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210803-bxkkg9sw26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.domoexpra.club/cg53/
Unpacked files
SH256 hash:
fb401914ed48a2fdd1d91483962f99a31ffe7242874af2e703eece4ff6ad41d7
MD5 hash:
8f989259a7cfb110d5acd1fb63af4c33
SHA1 hash:
72cf6656f5d7de743588cac05cf144e3d94acc84
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d6d2e997-549d-46a2-86df-14998fd34ff2/
Parent samples :
b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44
SH256 hash:
d568436df5c8acb34e4bb7fdd390a5db5167dabee57fc56de86b59e6df363d81
MD5 hash:
3c70f12c1d28d571c9850946c3df10c5
SHA1 hash:
fdefd739eb33d7d365a82fdb923ddc37ff1f8224
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d6d2e997-549d-46a2-86df-14998fd34ff2/
Parent samples :
b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44
SH256 hash:
63b727a8b44032ddac7388ba6e3bb501a77c3787149da5db76845c2600ef8c7f
MD5 hash:
2a562e00944c5ee4b23a4a94e2fe9cc8
SHA1 hash:
9c755402b11150529d13a3821ca04accf7291f57
Link:
https://www.unpac.me/results/d6d2e997-549d-46a2-86df-14998fd34ff2/
SH256 hash:
84e65cc12a5b9ed58aeccd00f3508f0d33768f6d577b4365ef843681a5881894
MD5 hash:
573ffcc02c49e55d44782f10ccacdfa9
SHA1 hash:
522ea9f1f50f0c1f1e12c143cdca648e40140675
Link:
https://www.unpac.me/results/d6d2e997-549d-46a2-86df-14998fd34ff2/
SH256 hash:
b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
MD5 hash:
41137fd61b9cc0d92225c91660a5902c
SHA1 hash:
15d023fd6d344cb18243469a3ee01fea6bb189af
Link:
https://www.unpac.me/results/d6d2e997-549d-46a2-86df-14998fd34ff2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b04306fa8223/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/176140/
  
URLhaus
https://urlhaus.abuse.ch/url/1503067/
  
Delivery method
Distributed via web download

Comments