MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b71ecfd70a10c73be177dd8fb3a3dcfbc39dc06e7e3646b43c2901e75a79f4a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	b71ecfd70a10c73be177dd8fb3a3dcfbc39dc06e7e3646b43c2901e75a79f4a9
SHA3-384 hash:	0559996bae817f0aa9c1010510f22b9b22e9e1b63313e923959e863a1f7e2ba59297be61c14e664415964e29e596fac9
SHA1 hash:	6df66bcc20c77a3a66af93f88af56f1cd2213ddb
MD5 hash:	f863366aa81997f2b9f31e3bc7d15316
humanhash:	grey-whiskey-florida-mississippi
File name:	f863366aa81997f2b9f31e3bc7d15316.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'044'480 bytes
First seen:	2022-03-21 08:48:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:uLHl9DaZ5T3XOBKe9c5TyhMcGwcE6ocD1js7suGG:uLXWpXOBKem5TyhMcNGG
TLSH	T16D2523193BB00031CAB79BB1B4F0F5710F775998B153EB14D58AA68A3E1FB150A1B93E
File icon (PE):
dhash icon	b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253431/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/62383bccb94fb38cb4c192cb/reports/4b755cd7-752a-4392-a453-ac58c7cc4694/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8aa366f9-14a4-4a14-9645-b9e8ec96537e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960580

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Yara detected Shellcode strings

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b71ecfd70a10c73be177dd8fb3a3dcfbc39dc06e7e3646b43c2901e75a79f4a9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-21 08:48:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:g2e7 rat spyware stealer trojan

Link:

https://tria.ge/reports/220321-kqfr4sahcm/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Unpacked files

SH256 hash:

6f290dff7c68f73aff45d09c3ea10847f1305b59ca09bba6b87b0bfb24cf6553

MD5 hash:

bb9017e04aab48de8eba50f5704933f5

SHA1 hash:

85cdd5fed8703d98af059b9b3892ccc7a2a5bf0c

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/b22fccbd-0d52-41f1-964d-b896b56adc17/

Parent samples :

9577df8b7e48bb30b9bd48e49c548d45cc5cc4a9bf1b93aa79f4ab35fc977cb3
81ca38001ad9f05b6f89e4e956cbd1efce397ebdb516b6e381c777e28b6dadbb
059bdd3a82690647000d29fd9d7957782518cf71ab9c848666992508c4bb0c2e
154e83d504788a5a1a35d1758157daefaed1810f8752601cf4dd5577d626b59b
c6a3fd36f07d97fb287fbac946ae8b8d12d1fcde36fa87395de79d59f0c3fb77
b71ecfd70a10c73be177dd8fb3a3dcfbc39dc06e7e3646b43c2901e75a79f4a9
3e3ccb3b130c86bb2d82a52f8a7e191efa9499577ba0a3d3f335d5a1e1597b76
9cfa1deda62a35bf8c2211bf4c1996d880c84c4242308a5d74403a570d70e066
9e3075aeadf4672cd6edfeb02d197a31a05be6330e3d179125c68c9d60893d18

SH256 hash:

6ff21c090296e9fd3ec2b17e03e184e2396adf4013b2a4f4c9dea5bd7aff38f7

MD5 hash:

7c3fb3e3d91e338ae917c4cb46895e71

SHA1 hash:

ba577b8ccb3c6bbc5e9e3a838aec98859cd4dbaa

Link:

https://www.unpac.me/results/b22fccbd-0d52-41f1-964d-b896b56adc17/

SH256 hash:

d9b5faf97feac9adfd516f92ce72a5036dfcab32269bb991a1d4992ba322d485

MD5 hash:

ed204d286610a22667bc0438c5afa20d

SHA1 hash:

b25b1dfe998b18c20b964b439ae4cc536a3f1fa0

Link:

https://www.unpac.me/results/b22fccbd-0d52-41f1-964d-b896b56adc17/

SH256 hash:

28936a1d1d898b66057c1d59ad117375d1a72206fb6b263216a01f17eb67c12c

MD5 hash:

8f06f5107d47e78c66d5f103638f5ab1

SHA1 hash:

aebdda7c9b1d1b17f273709b57f9f2e8858595f2

Link:

https://www.unpac.me/results/b22fccbd-0d52-41f1-964d-b896b56adc17/

SH256 hash:

b71ecfd70a10c73be177dd8fb3a3dcfbc39dc06e7e3646b43c2901e75a79f4a9

MD5 hash:

f863366aa81997f2b9f31e3bc7d15316

SHA1 hash:

6df66bcc20c77a3a66af93f88af56f1cd2213ddb

Link:

https://www.unpac.me/results/b22fccbd-0d52-41f1-964d-b896b56adc17/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b71ecfd70a10/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/b71ecfd70a10c73be177dd8fb3a3dcfbc39dc06e7e3646b43c2901e75a79f4a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe b71ecfd70a10c73be177dd8fb3a3dcfbc39dc06e7e3646b43c2901e75a79f4a9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2096984/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/253431/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample