MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab
SHA3-384 hash: e75b12d66c60b7ff55967a30e6e7fb0ad3a92ebefae03453705d91ff5e60c554daed5fcd992b977c49dc73f2a44a1641
SHA1 hash: c570f502747db7c118853dbf0fb41bcc64940610
MD5 hash: d175eae34796a5140bb0fe5f88dfecca
humanhash: aspen-nevada-bulldog-autumn
File name:d175eae34796a5140bb0fe5f88dfecca.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:558'592 bytes
First seen:2022-04-22 09:13:12 UTC
Last seen:2022-04-22 09:48:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:yz5pDox18ielotI/D1h+B0y6bGI4v9gAlHQf3x0T9FOlqNB:yFxoxCrlz1YB76bS2AlHA3K7Oy
Threatray 15'995 similar samples on MalwareBazaar
TLSH T13DC4225F2AAC6F32C4FD57F4AAA08194537CD41DF912E7588CC112CA29F3B449A72B87
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/265682/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1298.18853.18827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed pos
Link:
https://www.filescan.io/uploads/62627b1af9ec17cfbab75dca/reports/35971350-398a-4703-8c6f-012c0ff019b3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afd9fec6-3bcb-4568-ac1d-436c90f7cfa8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981230
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 613715 Sample: 0fLYpmrJVx.exe Startdate: 22/04/2022 Architecture: WINDOWS Score: 100 43 www.slhomeservices.com 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 11 other signatures 2->51 11 0fLYpmrJVx.exe 7 2->11         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\ywPmkq.exe, PE32 11->35 dropped 37 C:\Users\user\...\ywPmkq.exe:Zone.Identifier, ASCII 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmpFA54.tmp, XML 11->39 dropped 41 C:\Users\user\AppData\...\0fLYpmrJVx.exe.log, ASCII 11->41 dropped 53 Uses schtasks.exe or at.exe to add and modify task schedules 11->53 55 Writes to foreign memory regions 11->55 57 Allocates memory in foreign processes 11->57 59 2 other signatures 11->59 15 RegSvcs.exe 11->15         started        18 powershell.exe 25 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 2 other signatures 15->73 22 explorer.exe 15->22 injected 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        process9 process10 28 msdt.exe 22->28         started        signatures11 61 Modifies the context of a thread in another process (thread injection) 28->61 63 Maps a DLL or memory area into another process 28->63 65 Tries to detect virtualization through RDTSC time measurements 28->65 31 cmd.exe 1 28->31         started        process12 process13 33 conhost.exe 31->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-21 15:17:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wskzldohjtzeyvdc4uvjvhyamzhqbtqprnzmhl6frolveka7dgvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d9c52f0726c9514e0051e033ec7259daa42d1876503aa79f6ec37c5de41f2be
Formbook
2af61f931dc2506cad5886bd31c8d30a5964ac35ad143ffe25c23e862c46855c
Formbook
6556bd37ac00c8f0572f458828376e56469268fb5e1e38a60569148f54123612
Formbook
d2920f24362916812453b6d19427ad8cb8f127ebd07f993d30d26f2ed602be9e
Formbook
e467de436bdab4d5135f3e96abe24eb7b912e9b8024dc020b39c0e5df4745304
Formbook
e93e184bdd79942741080f43ec59940240a63961ae3c0e4eb0c63bf2886254d8
Formbook
ffb2ebccfae79f8c1d5911d41e549a8f876a10708053a4f3a3dbc2ec0e04be48
Formbook
+ 15'985 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s4s9 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220422-k7bjqagbgm/
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
6faafec0585fc01da1d3abf56c2ad00e1525969bb783b9a1c0190e3068d906a8
MD5 hash:
90c6c4266945ad230ac6dd9e1ea6b56b
SHA1 hash:
7897c400fb6dfc9012df5edcd4187655fdfe0658
Link:
https://www.unpac.me/results/5bbe6d1f-7c37-496a-a068-425e6120a294/
SH256 hash:
ef058d0a23b36683b62d8331a6c43c2356bede56fdbe3587ba5b6889f344a67e
MD5 hash:
b41d180b984cffb701dc35d732f53494
SHA1 hash:
86a8c95cfabccfb57ca2e4520122d165776dee20
Link:
https://www.unpac.me/results/5bbe6d1f-7c37-496a-a068-425e6120a294/
SH256 hash:
0fe9f096ec51dcea360a1be040d27ae46756685d072c98c0df0bbc1b91920069
MD5 hash:
a9ea521c21382ca3ea9616d884848d8c
SHA1 hash:
8738d75ee62e61897ee5119a209b9f8ab5037bd0
Link:
https://www.unpac.me/results/5bbe6d1f-7c37-496a-a068-425e6120a294/
SH256 hash:
5d6151c285d473e8648d4a06ac29ef6a0267a124cf586b483d4c897c8a99b11d
MD5 hash:
746b4d06c36ac62b133dac83ffa9a538
SHA1 hash:
ed219881ccb01f440abc4f60bfcf212de308facb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5bbe6d1f-7c37-496a-a068-425e6120a294/
Parent samples :
90c16547e527be04c7fbea515f8dcea9f00353bf4394ecd45f891ab07085b575
b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab
56671398174edffacd229745a4943cee45c11e48ec43a768f1693db3524717e6
SH256 hash:
b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab
MD5 hash:
d175eae34796a5140bb0fe5f88dfecca
SHA1 hash:
c570f502747db7c118853dbf0fb41bcc64940610
Link:
https://www.unpac.me/results/5bbe6d1f-7c37-496a-a068-425e6120a294/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b495958dc74c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe b495958dc74cf24c5462e52a9a9f00664f00ce0f8b72c3afc58b9752281f19ab

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2158614/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/265682/

Comments