MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080
SHA3-384 hash: 64cd6d2008516ac60fa7d7de3cc47d1740618ca5dc87a760f1f076e52f1276193c565258fe74a5ab49571e7e7261de92
SHA1 hash: 56b70efe3e858afb7cb12829111af26ffa832e4e
MD5 hash: 3043dcba05f16b5a767555973278d5f9
humanhash: bravo-xray-spaghetti-six
File name:PO-230102.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:771'072 bytes
First seen:2023-04-06 13:06:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:DE92iNVxFI2lm5Nswku3ocqyQUY/io71NqM1guypiPHr3ZIDfGwKxwsRMVD:I1zIcmIvuat1RWM2uypiPHDDl
Threatray 3'196 similar samples on MalwareBazaar
TLSH T19BF47C520C6642D5C8BA0FA454783A481B79AC938FD4903E7D82797FCFF9B4B50993E2
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO-230102.exe
Verdict:
Malicious activity
Analysis date:
2023-04-06 13:07:08 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/05b55bac-52da-46bb-a34f-7404141478ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/380658/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/642ec3bfda5bf6666c9ce3a0/reports/54ec50e0-de64-40cd-952a-7cecf2125c0d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ccab1ecc-516f-4758-8879-b02635363511
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209698
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 842614 Sample: PO-230102.exe Startdate: 06/04/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 6 other signatures 2->44 10 PO-230102.exe 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...\PO-230102.exe.log, ASCII 10->30 dropped 56 Tries to detect virtualization through RDTSC time measurements 10->56 58 Injects a PE file into a foreign processes 10->58 14 PO-230102.exe 10->14         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 1 1 14->17 injected process8 dnsIp9 32 www.01-buy.com 154.80.192.233, 49697, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 17->32 34 hubei.qrdns.cn 154.85.52.218, 49696, 80 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd Seychelles 17->34 36 9 other IPs or domains 17->36 46 System process connects to network (likely due to code injection or exploit) 17->46 48 Uses netsh to modify the Windows network and firewall settings 17->48 21 netsh.exe 17->21         started        24 autochk.exe 17->24         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 26 cmd.exe 1 21->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 19:50:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wkcnaa5t7zu5w6zjhkpmrueasuxwdeacno6sr4xavmrcommxucaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08c1559e163d8289bc2dacb9eaca914058628b31f2d4bc88f52e4491ede7bb55
Formbook
2358f255cb8390a108fca6934209b56e8f72eb08dbb3708431c449fffe8338e5
Formbook
59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4
Formbook
73ebb7a09698155fa4a55057e36c5ffda58b30940670955cb7e2ecff5a348b15
Formbook
7e1f215877d458883e98c874ce1226b561f0ddd5114dad6baef44d66d33a98a6
Formbook
860942d3b0190341282f2ae2d76d65f0374698fc48852aeda79966130bd68216
Formbook
95eea6606746af642726f423f651e78b52dc8652033b9ca6439a95248df0fde2
Formbook
d346f44b099d0aa4226f6a6340e660e003d5293ee68c4d4fe38b301754c271fb
Formbook
f3b8435e7359411cefb4d6c762550f4881195a2ec0cb035da5737c4b4891fb6f
Formbook
f51bdb3c0026435904048abffb411be8b57143de59d0e66a3e2dfa3f2e5692ad
Formbook
+ 3'186 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:c29i rat spyware stealer trojan
Link:
https://tria.ge/reports/230406-qb3afsdb74/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
257fc20e7d669ad99b02171c3ad8e283c15a03f37353b86dfc9ce7f97a2e83f4
MD5 hash:
5ec006776d581c467571140ae88a8fc5
SHA1 hash:
79146bdccbcdd91c70ebab114e202ee8b611c2b9
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/4b8e8d07-a03d-40de-a184-12eae7d6e870/
Parent samples :
2358f255cb8390a108fca6934209b56e8f72eb08dbb3708431c449fffe8338e5
b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080
0bf1ad7e3d5f2bdd589d32f36db80fe2862a8b3412c7cfcdef4f839c9339d6af
bd407e66453e00d96368122b1d8761c995aa3a9606995dbd46ec1629debb18ed
SH256 hash:
df7603075d3e00a2182a59d0cd6df881b37575f8baf165fc5353519f58ae4fb4
MD5 hash:
601dc6561d9d3d73f11332d67e9416f1
SHA1 hash:
fd743622ac5c55d2e61a9daeada82e624cf87c42
Link:
https://www.unpac.me/results/4b8e8d07-a03d-40de-a184-12eae7d6e870/
SH256 hash:
78263b569d4f9ed2016bd9c29718f62e55413cd4ca0106295c0443fafdc085d5
MD5 hash:
aef59f95e1a844e2551c8f3b4ef5a3b8
SHA1 hash:
d93e7ad3d586dfdee6b1c99db9237760671dd928
Link:
https://www.unpac.me/results/4b8e8d07-a03d-40de-a184-12eae7d6e870/
SH256 hash:
3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa
MD5 hash:
e79bf0e7e9d52d398e0b23b352394c68
SHA1 hash:
682325763a0ec77e0fd475ea3a4021b4651eceac
Link:
https://www.unpac.me/results/4b8e8d07-a03d-40de-a184-12eae7d6e870/
SH256 hash:
e4a4c32e074b4d30dd727295088bafba31d22158ce483526a333c4cd5502f2bb
MD5 hash:
58ae530ad934254f32edf67f2dfdfa81
SHA1 hash:
416abf5adcffd45f15bea8d71b355c5532eb5777
Link:
https://www.unpac.me/results/4b8e8d07-a03d-40de-a184-12eae7d6e870/
SH256 hash:
b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080
MD5 hash:
3043dcba05f16b5a767555973278d5f9
SHA1 hash:
56b70efe3e858afb7cb12829111af26ffa832e4e
Link:
https://www.unpac.me/results/4b8e8d07-a03d-40de-a184-12eae7d6e870/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b284d003b3fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b284d003b3fe69db7b293a9ec8d080952f6190026bbd28f2e0ab22273197a080

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/380658/

Comments