MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1313b8c8d249728b5fe9756332a98c1415468df5f7001f2c1e4c26826edb83e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	b1313b8c8d249728b5fe9756332a98c1415468df5f7001f2c1e4c26826edb83e
SHA3-384 hash:	e219c98a0cdb43246cd705bb28d96f0b1404564d82364f6e86be3e5378960b0fc43eaa65e1b01ca55c50de3baea92963
SHA1 hash:	d4575c2ea9fc7bc24ca086f403d132b70167cc49
MD5 hash:	0c7194673ca5c213b88c8696d285d205
humanhash:	carolina-skylark-low-seven
File name:	SecuriteInfo.com.Trojan.Olock.1.19122.10072
Download:	download sample
Signature	Formbook Create hunting rule
File size:	461'312 bytes
First seen:	2022-07-19 15:47:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:hlUmsLWMyOStzMCijN5Pu1SMsccqkQ0y:hISfijL0cl/
Threatray	15'288 similar samples on MalwareBazaar
TLSH	T1AFA4223B276CC963CAF96BB12621E70197F1114AA562FB083EC639ED8553F800D16B57
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	44e288ae8ace7898 (3 x Formbook, 3 x SnakeKeylogger, 2 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/291925/

Detection(s):

SecuriteInfo.com.Trojan.Olock.1.19122.10072.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62d6d2aeee649612ac5b6f31/reports/fb5417e0-7ac9-4bac-8d49-cd95dc89241e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3fc6bd03-0816-4517-97d4-dbaf21afd877

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1036641

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected FormBook

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b1313b8c8d249728b5fe9756332a98c1415468df5f7001f2c1e4c26826edb83e/

Threat name:

Win32.Trojan.GenericML

Status:

Malicious

First seen:

2022-07-19 14:39:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=weytxdeneslsrnp6s5ldgkuyyfavi2g7l5yad4wb4tbgqjxnxa7a._file

Verdict:

malicious

Label(s):

formbook

Formbook

0e4db1ff40da83dd1ec6e134dfd86864f24df29bbc9065158e395cbd63436493

Formbook

11649edf97c44a364aa23ec2d01a39ed40efe81f025120a621b36c696620b441

Formbook

262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09

Formbook

3ae816aae6ee27d43528398f0dabe972e188c6b005e29a6288ef15c74678ef5c

Formbook

78fdca14f99e25685ccef65e154f5c747430a955c399adb72d32cd0e364a4780

Formbook

b3f0437b2d889647d5ea1a468eff45586ff3932afd4131f235e0ce7cd5864a1e

Formbook

c2c5930d4e3db44fe52126af7f02cceac19a620633a173a68962f3de642e61ec

Formbook

c3b780e1a34896abf6217364f6616a1f45c78b3723ba4f4ad35b57c9ce1ad7cc

Formbook

e6507a30dc00cd8ec7b0b945c3549bcb313352e6443560394d136cb59486598e

Formbook

+ 15'278 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:t19g rat spyware stealer trojan

Link:

https://tria.ge/reports/220719-s8rlbsfhhj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Formbook payload

Formbook

Unpacked files

SH256 hash:

22abd8cd411559d6c2d6665d82495f9955656f03a9cccd1f17b42fb9c25e8a97

MD5 hash:

6a48a2225ff2075094b5faebe11e7df4

SHA1 hash:

09d61dd5729fb37b61dc91de43999d4d1c5ab302

Detections:

win_formbook_g0

win_formbook_auto

FormBook

Link:

https://www.unpac.me/results/2d6ae414-8ffa-4d95-aba1-1217c7c6c09c/

Parent samples :

d4d430cfe4399aa57154854567d17ef118b6d0eee083b683f81957d2057949b0
262fb779ec6fd7c58573c11480f2293f7680b38d3b62eb9acea9d228ed0a2f09
4b8c3b49cc5ceaea396ffc0444d625d7cc3c231b973f2775a23ab3cafece504d
b1313b8c8d249728b5fe9756332a98c1415468df5f7001f2c1e4c26826edb83e
a06756251dbd94ca9bbecb73e4b5e9c768d3fada398cccae4a59323aebb31eab

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/2d6ae414-8ffa-4d95-aba1-1217c7c6c09c/

SH256 hash:

edb893fd1a6a04502b8ca449aa7c8cb93418ce7344efd39bb202b11bdf97faea

MD5 hash:

2844a5b974dc8d1fe79f3855dbc4d20f

SHA1 hash:

9f636ec020f79e649d451a769590c47ace4a02b5

Link:

https://www.unpac.me/results/2d6ae414-8ffa-4d95-aba1-1217c7c6c09c/

SH256 hash:

b9ebc9575de5ea594007f2c931243d2dbe9bddf6cb1577056dc8adbc2fc9ce99

MD5 hash:

0f970f07bbdaf8a4c25c72b2e1ecedcd

SHA1 hash:

9b13a7770f00f8111ed39cbe4f57a9eec534d9e3

Link:

https://www.unpac.me/results/2d6ae414-8ffa-4d95-aba1-1217c7c6c09c/

SH256 hash:

f6d1cda2efe2622064025631b2a1ee8e5bdc057798de203ed5841916e662b4a1

MD5 hash:

fb7cc194309b03e66b160fe20f371762

SHA1 hash:

7b6fe95b9b6af1328d43ef9fff27919d807b9c47

Link:

https://www.unpac.me/results/2d6ae414-8ffa-4d95-aba1-1217c7c6c09c/

SH256 hash:

b1313b8c8d249728b5fe9756332a98c1415468df5f7001f2c1e4c26826edb83e

MD5 hash:

0c7194673ca5c213b88c8696d285d205

SHA1 hash:

d4575c2ea9fc7bc24ca086f403d132b70167cc49

Link:

https://www.unpac.me/results/2d6ae414-8ffa-4d95-aba1-1217c7c6c09c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1313b8c8d249728b5fe9756332a98c1415468df5f7001f2c1e4c26826edb83e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/291925/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample