MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba1dc7d4d7eb9f21c8be72fbc9f0bb247806cbcebe96a4c00a68ebf071471ad2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba1dc7d4d7eb9f21c8be72fbc9f0bb247806cbcebe96a4c00a68ebf071471ad2
SHA3-384 hash: 8b9a305b4f76f8fc84b02260e2758b80a4d96f0b566cfd93683bba800fe38ffca2a955fcc5cb4ffe393f19e873a3e244
SHA1 hash: 79a4a0cbbe3738fcd66527ad0f92e4137167d455
MD5 hash: 1a7fc59013edefa5363af94da481560d
humanhash: early-happy-earth-may
File name:ürün siparişi.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:367'104 bytes
First seen:2021-11-15 06:58:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:2k/DA2GhNf7i596NhNnVPcAdilsr79i/6zKoNuGes5pCUXlqrvWGIvAh2ajOkRVT:jA2iNeaBy9l679v3eICUXlI7IvAh2c
Threatray 10'018 similar samples on MalwareBazaar
TLSH T14B741258B2E88F36C578E7FF9631491043FC7A5E2482E71D2CE592D519A2FF20241EA7
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205758/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Launching a process
Deleting a recently created file
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/61920538dec3347825a4f478/reports/a0794bcf-6216-4377-88a3-1d4d33d7e4f6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41d21e5f-82fe-4feb-90b9-317c6d2598d1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889140
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 521609 Sample: #U00fcr#U00fcn sipari#U015fi.exe Startdate: 15/11/2021 Architecture: WINDOWS Score: 100 45 www.instant-geek.com 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 11 other signatures 2->53 11 #U00fcr#U00fcn sipari#U015fi.exe 7 2->11         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\PesgnDvhiCHKL.exe, PE32 11->39 dropped 41 C:\Users\user\AppData\Local\Temp\tmpAC8.tmp, XML 11->41 dropped 43 C:\...\#U00fcr#U00fcn sipari#U015fi.exe.log, ASCII 11->43 dropped 55 Adds a directory exclusion to Windows Defender 11->55 15 RegSvcs.exe 11->15         started        18 RegSvcs.exe 11->18         started        20 powershell.exe 23 11->20         started        22 schtasks.exe 1 11->22         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 24 explorer.exe 15->24 injected 71 Tries to detect virtualization through RDTSC time measurements 18->71 26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        process9 process10 30 WWAHost.exe 24->30         started        signatures11 57 Modifies the context of a thread in another process (thread injection) 30->57 59 Maps a DLL or memory area into another process 30->59 61 Tries to detect virtualization through RDTSC time measurements 30->61 33 cmd.exe 1 30->33         started        35 explorer.exe 2 155 30->35         started        process12 process13 37 conhost.exe 33->37         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ba1dc7d4d7eb9f21c8be72fbc9f0bb247806cbcebe96a4c00a68ebf071471ad2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-12 21:38:21 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
5beadd0ecc9f1407dab89746630fddf7362dd00323e6a5e5413a0c286e2ee583
Formbook
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
Formbook
6e025a1d72e2abfb9c0fb6c945d3fcdbe2124c5d68d8f5fb09b8389bc30f799e
Formbook
afb0dcb294330abe26a2e2611f36441607a878844a251bea8be3e9407e238ad8
Formbook
c96178775d7f8dd8b06a4e59aad0367f36abc11680081acfcc2b446fb0ee28b1
Formbook
e5ebc473e259ec57e2a831477b449dd07c13198c0db74ce67732a8fce59e25ac
Formbook
ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
Formbook
+ 10'008 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cb3b rat spyware stealer trojan
Link:
https://tria.ge/reports/211115-hr3xxshdg4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.thefanlounge.com/cb3b/
Unpacked files
SH256 hash:
c6e68d6acf81aa9ae9ed2dfbc1362c274b5812c1fcf3b9444ce56021725f39ac
MD5 hash:
9656d6ce415ca2665017e14a6949fc82
SHA1 hash:
995032fdaa1938378423a6f1d98f3ad8e12c3092
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/de45fb9a-bfbe-4535-9065-c73774b41c5e/
Parent samples :
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
afb0dcb294330abe26a2e2611f36441607a878844a251bea8be3e9407e238ad8
ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
ba1dc7d4d7eb9f21c8be72fbc9f0bb247806cbcebe96a4c00a68ebf071471ad2
SH256 hash:
bd4c4912209802bb457983177d94b220d20dc9775ff973f90bd1c6afd729bc9c
MD5 hash:
8cde05c2cc918a68b075bdb2854c9994
SHA1 hash:
bc3c4e2826370171102ee8b7bd317493cd72c15f
Link:
https://www.unpac.me/results/de45fb9a-bfbe-4535-9065-c73774b41c5e/
SH256 hash:
08a2b5bfaf7b6e75127ed6e02467ea603e12da7dc04d32da09be1069181cbcae
MD5 hash:
250ea77fa5367bf4237606b7d599660c
SHA1 hash:
8440dce65cfc6413b4914e6b94e6fa28637c69be
Link:
https://www.unpac.me/results/de45fb9a-bfbe-4535-9065-c73774b41c5e/
SH256 hash:
ba1dc7d4d7eb9f21c8be72fbc9f0bb247806cbcebe96a4c00a68ebf071471ad2
MD5 hash:
1a7fc59013edefa5363af94da481560d
SHA1 hash:
79a4a0cbbe3738fcd66527ad0f92e4137167d455
Link:
https://www.unpac.me/results/de45fb9a-bfbe-4535-9065-c73774b41c5e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ba1dc7d4d7eb9f21c8be72fbc9f0bb247806cbcebe96a4c00a68ebf071471ad2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/205758/

Comments