MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b61a75bab2f47f346ccd0e0e58e748092b90ec271588c5aab7b9370d30c8eeda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b61a75bab2f47f346ccd0e0e58e748092b90ec271588c5aab7b9370d30c8eeda
SHA3-384 hash: c78924668030817072d47b564555dfaa30baa0d3fa57aeea45f9875bf15938ad876d5fa4d52e6e301daa7472f1d46f20
SHA1 hash: 7ac968473cbc9f10b7758b855c3cc21736f9842f
MD5 hash: b9b88afd1783e9ad39b787736e65172e
humanhash: jupiter-hotel-mango-wisconsin
File name:b9b88afd1783e9ad39b787736e65172e
Download: download sample
Signature Formbook
Create hunting rule
File size:278'528 bytes
First seen:2021-06-27 21:35:31 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:aEtTqjFAMYpy5kqXRdK35oNc8cs4N5hb15:aE9ZMYU5kqhMR8P4N5115
Threatray 6'055 similar samples on MalwareBazaar
TLSH 4D441221B4D1493FC95783B11D778779E372ED118A02AA079B903D6F5E31ACB8F097A2
Reporter zbetcheckin
Tags:FormBook msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168497/
Detection(s):
Win.Malware.Filerepmetagen-9874481-0
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/b61a75bab2f47f346ccd0e0e58e748092b90ec271588c5aab7b9370d30c8eeda
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/808621
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441032 Sample: pqKloBYroN Startdate: 27/06/2021 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 4 other signatures 2->54 8 MSIB16B.tmp 20 2->8         started        12 explorer.exe 2->12         started        15 msiexec.exe 2 2->15         started        process3 dnsIp4 28 C:\Users\user\AppData\Local\Temp\qjfmjqz, DOS 8->28 dropped 30 C:\Users\user\AppData\Local\...\System.dll, PE32 8->30 dropped 56 Detected unpacking (changes PE section rights) 8->56 58 Maps a DLL or memory area into another process 8->58 60 DLL side loading technique detected 8->60 62 Tries to detect virtualization through RDTSC time measurements 8->62 17 MSIB16B.tmp 8->17         started        32 www.yange03.com 107.148.160.210, 80 ASLINE-AS-APASLINELIMITEDHK United States 12->32 34 www.buyersmeetsellers.net 12->34 36 3 other IPs or domains 12->36 64 System process connects to network (likely due to code injection or exploit) 12->64 20 WWAHost.exe 12->20         started        22 autoconv.exe 12->22         started        file5 signatures6 process7 signatures8 38 Modifies the context of a thread in another process (thread injection) 17->38 40 Maps a DLL or memory area into another process 17->40 42 Sample uses process hollowing technique 17->42 44 Queues an APC in another process (thread injection) 17->44 46 Tries to detect virtualization through RDTSC time measurements 20->46 24 cmd.exe 1 20->24         started        process9 process10 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b61a75bab2f47f346ccd0e0e58e748092b90ec271588c5aab7b9370d30c8eeda/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-26 08:42:56 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wynhlovs6r7ti3gnbyhfrz2ibevzb3bhcwemlkvxxe3q2mgi53na._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
Formbook
5bd30da7b2957d66a10056315368bcdc5dbc2e2b2245d8487011a173024ab84d
Formbook
73c58bd017026340507d10cc2b3237c6c32835dc69571e81df1a5905981b3d63
Formbook
92f656d44d38fbc5e7964e36634bf95d18e157228624d1b38ea933633579ddc4
Formbook
a3703cc485d2a99cfec122203ed2d7dd83274af8bd0b3bcfab3fd590dd5c308c
Formbook
b69927fbfd7eb038b59aa9b7e9f49cb02d127d48fcf6517e65a379e982e806bc
Formbook
b9ab38d8d68b40d3b4f800bf34dd1d2e4529f7a373d32477ebcd8087c7cf97d9
Formbook
e197309f79a43cdeccdc0b69344a36abc6c23fb8eef66063e4eb5cc443ee9d4d
Formbook
f4171526b06d5a9c867e81cd7d8a808fd0897209e18005fe83a969324321bacd
Formbook
f4738e611922161d38399f61ebe6c8332bbf3e54f1d23475c0bf0b476d05a1df
Formbook
+ 6'045 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook macro rat spyware stealer trojan xlm
Link:
https://tria.ge/reports/210627-fs2ns42x9j/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fbrblog.com/k1rc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/b61a75bab2f47f346ccd0e0e58e748092b90ec271588c5aab7b9370d30c8eeda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Executable_Converted_to_MSI
Create hunting rule
Rule name:INDICATOR_MSI_EXE2MSI
Create hunting rule
Author:ditekSHen
Description:Detects executables converted to .MSI packages using a free online converter.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Microsoft Software Installer (MSI) msi b61a75bab2f47f346ccd0e0e58e748092b90ec271588c5aab7b9370d30c8eeda

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168497/

Comments