MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baaea18671569e4053bee96d4982cc76f5721a9626ce914e774451dac4ee79af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: baaea18671569e4053bee96d4982cc76f5721a9626ce914e774451dac4ee79af
SHA3-384 hash: 9e87e2709ece3f53e166a7073408540d899b36a7ea3a3cc01da32e9df92f261d57710f5db732a25d93e06e1a21703ee4
SHA1 hash: 85d6749a90d14b1169ea4b71aee543ac8a1bc3ff
MD5 hash: 2909060bd03990d326fcc07b162b486c
humanhash: skylark-blue-eighteen-fillet
File name:2909060bd03990d326fcc07b162b486c
Download: download sample
Signature Formbook
Create hunting rule
File size:231'565 bytes
First seen:2021-06-23 20:06:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:QBlL/fHUXRzQoutoAygK6fX3Fcr8ItBN+VUs0Pb+XnmDCX:iN0XQ5FcIsZs0jqnmu
Threatray 5'955 similar samples on MalwareBazaar
TLSH 95341212A0C149EBD4170A702D37B742EA76EA1D0436964F6BB1DF3BA07A7C785076E3
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2909060bd03990d326fcc07b162b486c
Verdict:
Malicious activity
Analysis date:
2021-06-23 20:09:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73267eff-2140-4e9a-8aac-eba2c91b91bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis2909060BD039.24212.24618.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75d25079-8d11-4fd2-9f4a-aa9042d29ba6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806859
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439270 Sample: NY87vIYqi8 Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 5 other signatures 2->76 8 explorer.exe 2->8         started        12 NY87vIYqi8.exe 1 21 2->12         started        process3 dnsIp4 48 sxkeyuanda.com.lo915.faipod.com 103.72.145.225, 49730, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 8->48 50 www.sxkeyuanda.com 8->50 52 3 other IPs or domains 8->52 78 System process connects to network (likely due to code injection or exploit) 8->78 15 phfauappvj.exe 17 8->15         started        19 phfauappvj.exe 17 8->19         started        21 msiexec.exe 8->21         started        25 2 other processes 8->25 38 C:\Users\user\AppData\...\phfauappvj.exe, PE32 12->38 dropped 40 C:\Users\user\AppData\Local\...\System.dll, PE32 12->40 dropped 80 Detected unpacking (changes PE section rights) 12->80 82 Maps a DLL or memory area into another process 12->82 84 Tries to detect virtualization through RDTSC time measurements 12->84 23 NY87vIYqi8.exe 12->23         started        file5 signatures6 process7 file8 42 C:\Users\user\AppData\Local\...\System.dll, PE32 15->42 dropped 54 Multi AV Scanner detection for dropped file 15->54 56 Detected unpacking (changes PE section rights) 15->56 58 Machine Learning detection for dropped file 15->58 27 phfauappvj.exe 15->27         started        44 C:\Users\user\AppData\Local\...\System.dll, PE32 19->44 dropped 46 C:\Users\user\AppData\Local\Temp\bcam, DOS 19->46 dropped 60 Maps a DLL or memory area into another process 19->60 30 phfauappvj.exe 19->30         started        62 Tries to detect virtualization through RDTSC time measurements 21->62 32 cmd.exe 1 21->32         started        64 Modifies the context of a thread in another process (thread injection) 23->64 66 Sample uses process hollowing technique 23->66 68 Queues an APC in another process (thread injection) 23->68 signatures9 process10 signatures11 86 Modifies the context of a thread in another process (thread injection) 30->86 88 Maps a DLL or memory area into another process 30->88 90 Sample uses process hollowing technique 30->90 34 msiexec.exe 30->34         started        36 conhost.exe 32->36         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/baaea18671569e4053bee96d4982cc76f5721a9626ce914e774451dac4ee79af/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 20:06:22 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkxkdbtrk2peau565fwutawmo32xeguwe3hjcttxiri5vrhopgxq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3a6ec75b656e165939ee0d1f985678cb1799151e33449bba28c6a830ead01e3a
Formbook
98a4b710db82407a705fbe966afa5041566c3f3fdf44118a05f5551fbee3ec8b
Formbook
a7d608238504263bc730a5744ff6808c78d3003c658db1eec8a30ffd5152f257
Formbook
b8b841d90fe179b235744659d1bf9cd9860ff6d081b25ef0d485beefcf59e28a
Formbook
c288fba4b7716faf5562f4608d8ad0c1755ae059ba3d69569b60cf38a5f6f695
Formbook
c308169a026be95a659f89ea08e71093a5376b00b2e9a444d0659b1c4a2c2432
Formbook
e355ac0da4996011e91f28b11e03c44d54606ae4ceb0bc4f6d0a0edc4b3410ed
Formbook
e3ccade6f4b9accc6cffa813b88862d68f78f0f1c601a57d0573e60deea6a370
Formbook
f559645f8b05d3c7499f23fd4f6f8f74dad45c3b2501266db7c36b67c8e80e7a
Formbook
f73dcca2952ca3a15b309f8064bcaeb48c3213c9ac318c5a741f9805363f8e72
Formbook
+ 5'945 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210623-9hzxr2xeze/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.personalizedyardsigns.com/xkcp/
Unpacked files
SH256 hash:
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
MD5 hash:
56a321bd011112ec5d8a32b2f6fd3231
SHA1 hash:
df20e3a35a1636de64df5290ae5e4e7572447f78
Link:
https://www.unpac.me/results/2d2430d4-4a64-4f6a-a3b0-dc99baad2b82/
SH256 hash:
a93b66aa66914829a7ed8729a86081de171f85ccf595da4b98814132b2c7cf5f
MD5 hash:
99f38aec855a1e3faa201803d63a0899
SHA1 hash:
9d52fe1aea5bd39b29388441fb2534a19ba17db5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2d2430d4-4a64-4f6a-a3b0-dc99baad2b82/
Parent samples :
a7d608238504263bc730a5744ff6808c78d3003c658db1eec8a30ffd5152f257
c308169a026be95a659f89ea08e71093a5376b00b2e9a444d0659b1c4a2c2432
baaea18671569e4053bee96d4982cc76f5721a9626ce914e774451dac4ee79af
SH256 hash:
baaea18671569e4053bee96d4982cc76f5721a9626ce914e774451dac4ee79af
MD5 hash:
2909060bd03990d326fcc07b162b486c
SHA1 hash:
85d6749a90d14b1169ea4b71aee543ac8a1bc3ff
Link:
https://www.unpac.me/results/2d2430d4-4a64-4f6a-a3b0-dc99baad2b82/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/baaea18671569e4053bee96d4982cc76f5721a9626ce914e774451dac4ee79af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe baaea18671569e4053bee96d4982cc76f5721a9626ce914e774451dac4ee79af

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1392360/

Comments