MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d
SHA3-384 hash: 9e97fa3a98b2751bcdef3d17aac8e90d6643616ae1f221243cad1cb9c0ad08b6ddf4fc77df69adbcb6f4c9e31f9a276d
SHA1 hash: a7760310779ca8432721a4173a6813f5e4e84ce7
MD5 hash: 45fff6793efcdaa0257038d24d8de1d5
humanhash: jig-echo-seventeen-happy
File name:45fff6793efcdaa0257038d24d8de1d5
Download: download sample
Signature Formbook
Create hunting rule
File size:1'168'384 bytes
First seen:2022-02-28 10:30:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:KqJWZ40FHlW7i8rl2z5OK9JH6q2XbD5SQ:K+0hlTo2zDrmXb0
Threatray 14'181 similar samples on MalwareBazaar
TLSH T190459D543B66E0CDE1639DBE9DC4ACF09BE4EC261E0EB1A620933F0A4679D93CD51271
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://103.149.13.56/space360/.svchost.exe
Verdict:
No threats detected
Analysis date:
2022-02-28 12:25:44 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/3d902422-7a3d-4850-b36e-64a25ff31375

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245279/
Detection(s):
SecuriteInfo.com.AgentTesla-FDHR45FFF6793EFC.9526.11600.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/621ca469b94fb38cb423712d/reports/c372887f-088c-4160-ac77-ccb380999cf3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b35d38f5-29fd-44be-9bea-68246683455c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/947301
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 579778 Sample: 44oteyRiFU Startdate: 28/02/2022 Architecture: WINDOWS Score: 100 31 www.jili2010.com 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 6 other signatures 2->39 11 44oteyRiFU.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\44oteyRiFU.exe.log, ASCII 11->29 dropped 49 Tries to detect virtualization through RDTSC time measurements 11->49 51 Injects a PE file into a foreign processes 11->51 15 44oteyRiFU.exe 11->15         started        signatures6 process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Sample uses process hollowing technique 15->57 59 Queues an APC in another process (thread injection) 15->59 18 explorer.exe 15->18 injected process9 process10 20 colorcpl.exe 18->20         started        signatures11 41 Self deletion via cmd delete 20->41 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        25 explorer.exe 1 154 20->25         started        process12 process13 27 conhost.exe 23->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-28 10:31:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01880a4afa8656841bb250a9a51b006f4137ffeeb3d9433af82569b597e5ea4a
Formbook
3c010d88a118ba3cc666e05c6f8f82159ac38e5486b5ed60c65d870287b8cff6
Formbook
64bc60e87a87c9e85bd38a31000752b4d4c960a31ca8796ab2187ac1e34c068d
Formbook
6ecfdff224175dade2cbf63719974b5335c1a81cf787142681163ddf882ce00e
Formbook
6ed4597153654e9526d066d62bbf7cc0e7d7e0660049f9e3b826475d3fa71abe
Formbook
945f67ae677681e14db036f753f47333556fea6f3837bef7399e440e6bc167d5
Formbook
bcb97b3cbfe72dac8416a224ddb03a17ccba79da52872c6f5fcb13b93b43a247
Formbook
ff3e94ded64b43f620ba549db99baa31abdd763209b60f7c9fc884b82cfac6d3
Formbook
+ 14'171 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:w26e rat spyware stealer trojan
Link:
https://tria.ge/reports/220228-mkdfxaeab2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/7b97d22b-7adc-4840-be8f-ec5d71f52df3/
SH256 hash:
dc24413581b3572cc5e6daa7d4f792d360eecd0aeb500c33f3dd44d8b3ca48b8
MD5 hash:
a0cb1a7b9491deeb06ce3b1676b5a2bd
SHA1 hash:
a32111445893e3688c751311faf4b8fe916e6238
Link:
https://www.unpac.me/results/7b97d22b-7adc-4840-be8f-ec5d71f52df3/
SH256 hash:
c042040ffab301941c8971a2796a040ea6c85149f0d79d4e0dc64832ea597603
MD5 hash:
cb16545e47dffddb937c8b41f3b3574a
SHA1 hash:
b39687583a4da4d523d74afda40319ce11896ae1
Link:
https://www.unpac.me/results/7b97d22b-7adc-4840-be8f-ec5d71f52df3/
SH256 hash:
f6acc7a3be7cd6ce48cb46b5eedc3ee00322f3b6b4b602751420e9f6fd13a77a
MD5 hash:
981369f1ffdbccbfc64768cb39c9c305
SHA1 hash:
b53ccfbbbf0a49fc81685b8204d7d9334031566d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7b97d22b-7adc-4840-be8f-ec5d71f52df3/
Parent samples :
b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d
a6525de47e9c194acea3d0048b4633a9bb0f0bab0bfe2eb5e1ec3aa126909e32
1c1c755e4827a8d1918edff4c58f088ba57fdea5358ba3d627645836703a499f
9621e6459dc138fb11bc279b6583fc68eed0db7b284e198c74dda8385db8ce0d
2c81b04d9509cf29e05309b84972fa9bf47b34bdf64032ade464fcc55a54a1b8
e4d0ebfd2e92b3848aa302ff71782e2bb7b55b1340f340c89e263e9d1a2a6987
SH256 hash:
b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d
MD5 hash:
45fff6793efcdaa0257038d24d8de1d5
SHA1 hash:
a7760310779ca8432721a4173a6813f5e4e84ce7
Link:
https://www.unpac.me/results/7b97d22b-7adc-4840-be8f-ec5d71f52df3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b0b6191866c8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2066125/
Cape
Cape
https://www.capesandbox.com/analysis/245279/

Comments


Avatar
zbet commented on 2022-02-28 10:30:49 UTC

url : hxxp://103.149.13.56/space360/.svchost.exe