MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b69bd940ebf19199ab928f6b69ddbf0e960c13af61c76137736025da9100caa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b69bd940ebf19199ab928f6b69ddbf0e960c13af61c76137736025da9100caa6
SHA3-384 hash: 918564bbdf0a439fd8f8e0ee1942b3e3ffbea785b264ceed8effa35105883658a742fe4a5a6214de8842d9be29b068f9
SHA1 hash: 5f71acd11fb0eceedea216ae364f267bf286d9bc
MD5 hash: 559170495756a65532e8130c6594e9d0
humanhash: oranges-table-summer-bakerloo
File name:74848_858PGF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:559'616 bytes
First seen:2022-05-06 11:59:04 UTC
Last seen:2022-05-07 05:59:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:dmcK2gxAjgDgsmSPslGiy8l7Lvni7Cur5wHHJP:KxAjgDgs5Riy8l7LPyN2
Threatray 15'884 similar samples on MalwareBazaar
TLSH T139C4020A3A558B12C8A526B5C5E7543407F2F7876632C3867FCA03D61E0A7E44DDABCB
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
4
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
74848_858PGF.exe
Verdict:
Malicious activity
Analysis date:
2022-05-06 12:00:23 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/fba691fa-d662-414b-b0ff-6555087f8345

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269066/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39620800.6715.9845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit formbook greyware obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62750d93be0219041a745981/reports/7c021bcb-0e24-4cd8-9851-ae5d90970913/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bcc954e-8a3a-41a4-b476-2cc601d3e002
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989046
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 621542 Sample: 74848_858PGF.exe Startdate: 06/05/2022 Architecture: WINDOWS Score: 100 31 www.orwickeu.com 2->31 33 www.alsosprachzamolxis.com 2->33 35 orwickeu.com 2->35 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 10 other signatures 2->49 11 74848_858PGF.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\74848_858PGF.exe.log, ASCII 11->29 dropped 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Injects a PE file into a foreign processes 11->63 15 74848_858PGF.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 37 olangeskineogutu.com 198.20.125.109, 49837, 80 SINGLEHOP-LLCUS United States 18->37 39 www.alsosprachzamolxis.com 23.27.137.70, 49807, 80 EGIHOSTINGUS United States 18->39 41 6 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 WWAHost.exe 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b69bd940ebf19199ab928f6b69ddbf0e960c13af61c76137736025da9100caa6/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-06 02:15:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2n5sqhl6giztk4sr5vwtxn7b2laye5pmhdwcn3tmas5veiazkta._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06bdc739d26559129afbc157dff8ef0f616dbe885a6cd8a2f43b62efaf848bb9
Formbook
19a007d4980b99ea32ee2d9feb1c7479ee4c7b165b159fd4fbd33622b661009d
Formbook
5a6ac40a3c393c4a3feff2030b34b6493215f0e855588f585fdb768529a3deae
Formbook
61ee0cca6d45766ecfedcfafba7f2e57d8fc2f4ee9b42bce3e7ffe5848c071f9
Formbook
73ef486f00e7b911bc1101d2e0eb3f8a23daf374a09dfdd81f03ccfae5106a29
Formbook
a3eb9cb4b46ef56131c171edab5015355e63f8c2f94bc8f5bc23ed0a48ea3d7f
Formbook
b1864b93f536f9f345949786b9d7229a56745506750c886abd462f07cb92a93b
Formbook
f6a3c8585bb8996962de5fb9d1318694190e14221b0ca4cac71077a11d60b3c7
Formbook
+ 15'874 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:6f3o loader rat suricata
Link:
https://tria.ge/reports/220506-n6bd4shgf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
ac7e68280300287663e4d3bd1cbf04c51d39eed617e3569f4e688b00512a3756
MD5 hash:
b5d9e3372e8f46cbd32930ffdf2ddaf4
SHA1 hash:
974c1a7032f389ba402e15696bce39bccdf70d7f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2a3492f4-497e-4211-9819-ecfacc97c341/
Parent samples :
43e06569bff1d3c89b16b9bb6803ebe0135cc74f6aeceac827268d536f71bbd3
9d424d6a5f9b3fa0659de083cbbd59087e0a31d794b80451aecc96383f153ae8
73ef486f00e7b911bc1101d2e0eb3f8a23daf374a09dfdd81f03ccfae5106a29
b69bd940ebf19199ab928f6b69ddbf0e960c13af61c76137736025da9100caa6
SH256 hash:
85ffad858cc07baf1f93e469126aa9fb2051e4b60266affb97cf7da72124d01a
MD5 hash:
44b1c78e9dc988e127c8bf50d30445ff
SHA1 hash:
b31790f2af15a1e722cd8b16a7670f6dbf719d04
Link:
https://www.unpac.me/results/2a3492f4-497e-4211-9819-ecfacc97c341/
SH256 hash:
8457bcef8d320a75cfd6eddaf7bc6fd2724525a6d84028218614053a9ce080fd
MD5 hash:
b138687e9e229605e3ca97c87a22b788
SHA1 hash:
aa065043bd2f541d85dae1553439eedf7b3f05ad
Link:
https://www.unpac.me/results/2a3492f4-497e-4211-9819-ecfacc97c341/
SH256 hash:
a25f5ec088784919ad9edb5bcf4faa066b6b01661e9b57e991f3f118a6c1acd3
MD5 hash:
3d4e2d7b5ce03e5ac7d3b04e56ac2b0e
SHA1 hash:
440c214c0476564420cb7d6165b7e2ded3fe2238
Link:
https://www.unpac.me/results/2a3492f4-497e-4211-9819-ecfacc97c341/
SH256 hash:
044e6e22943ac21887eaef4daf70bc43b8d7b54b7160ecc2e0b6ff77a6832a99
MD5 hash:
0512fe61b5e75a5aa25f0c17882292cd
SHA1 hash:
3b05ecfbb15a15fd46a9d9b588620454b6361745
Link:
https://www.unpac.me/results/2a3492f4-497e-4211-9819-ecfacc97c341/
SH256 hash:
b69bd940ebf19199ab928f6b69ddbf0e960c13af61c76137736025da9100caa6
MD5 hash:
559170495756a65532e8130c6594e9d0
SHA1 hash:
5f71acd11fb0eceedea216ae364f267bf286d9bc
Link:
https://www.unpac.me/results/2a3492f4-497e-4211-9819-ecfacc97c341/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b69bd940ebf1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b69bd940ebf19199ab928f6b69ddbf0e960c13af61c76137736025da9100caa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace 92fe39066bc823dbf07eea2193397d71a739ac15e6ce337dce29170d022e2965

Formbook

Executable exe b69bd940ebf19199ab928f6b69ddbf0e960c13af61c76137736025da9100caa6

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269066/
  
Dropped by
SHA256 92fe39066bc823dbf07eea2193397d71a739ac15e6ce337dce29170d022e2965
  
Dropped by
MD5 c3e4e63e8251b63be8a119e6b154edcd

Comments