MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44
SHA3-384 hash: 3085c8c75161a2c50af6237e7c41529343fcb4c9a8af67353056219c3eca073dff0a801335e5cff3dd4ebbc5c43b05d9
SHA1 hash: c3841970b7fd0e3cb1deb6422423d3a86da793f0
MD5 hash: aeb64eb2a6f01a3102aa9b4d8e6ec148
humanhash: washington-undress-mike-stream
File name:aeb64eb2a6f01a3102aa9b4d8e6ec148
Download: download sample
Signature Formbook
Create hunting rule
File size:431'616 bytes
First seen:2021-08-10 17:51:08 UTC
Last seen:2021-08-10 19:01:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 6144:0qWlspsQw0xAcNMoFE9yaUThi3vpV7KyQiMDga0O3kRDpqpF24BwOjx5heO:HWlDl0UqXc7KyUDN0UYDpQFz3jxv
Threatray 7'620 similar samples on MalwareBazaar
TLSH T1BF94232133E417F2D16C5FB759C2B831072EBD8EC862F90A19DC4D5EBA3671787A2606
dhash icon 0020149968040000 (3 x Formbook, 2 x a310Logger)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aeb64eb2a6f01a3102aa9b4d8e6ec148
Verdict:
Suspicious activity
Analysis date:
2021-08-10 17:51:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1d74a220-2c99-447e-ac0f-3e4b812c7285

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178044/
Detection(s):
SecuriteInfo.com.Variant.Bulz.596349.11694.8021.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c0fb1cd-5b4a-43a0-b58f-3ce97800ba66
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830434
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462865 Sample: oMWnY5iFuQ Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 92 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Multi AV Scanner detection for dropped file 2->96 98 6 other signatures 2->98 11 oMWnY5iFuQ.exe 1 8 2->11         started        process3 file4 66 C:\Users\user\AppData\Roaming\...\paint.exe, PE32 11->66 dropped 68 C:\Users\user\AppData\...\oMWnY5iFuQ.exe, PE32 11->68 dropped 70 C:\Users\user\...\paint.exe:Zone.Identifier, ASCII 11->70 dropped 72 2 other malicious files 11->72 dropped 14 oMWnY5iFuQ.exe 1 5 11->14         started        17 oMWnY5iFuQ.exe 11->17         started        process5 file6 78 C:\Users\user\AppData\...\FB_392D.tmp.exe, PE32 14->78 dropped 80 C:\Users\user\AppData\...\FB_33DD.tmp.exe, PE32 14->80 dropped 20 FB_392D.tmp.exe 14->20         started        23 FB_33DD.tmp.exe 14->23         started        88 Multi AV Scanner detection for dropped file 17->88 90 Machine Learning detection for dropped file 17->90 signatures7 process8 signatures9 100 Antivirus detection for dropped file 20->100 102 Multi AV Scanner detection for dropped file 20->102 104 Machine Learning detection for dropped file 20->104 106 5 other signatures 20->106 25 explorer.exe 3 3 20->25 injected process10 process11 27 paint.exe 5 25->27         started        30 paint.exe 2 25->30         started        32 explorer.exe 25->32         started        35 wlanext.exe 25->35         started        file12 74 C:\Users\user\AppData\Local\Temp\paint.exe, PE32 27->74 dropped 76 C:\Users\user\...\paint.exe:Zone.Identifier, ASCII 27->76 dropped 37 paint.exe 5 27->37         started        40 paint.exe 27->40         started        43 paint.exe 30->43         started        82 Modifies the context of a thread in another process (thread injection) 32->82 84 Maps a DLL or memory area into another process 32->84 86 Tries to detect virtualization through RDTSC time measurements 32->86 45 cmd.exe 1 32->45         started        signatures13 process14 file15 58 C:\Users\user\AppData\...\FB_2802.tmp.exe, PE32 37->58 dropped 60 C:\Users\user\AppData\...\FB_208F.tmp.exe, PE32 37->60 dropped 47 FB_2802.tmp.exe 37->47         started        50 FB_208F.tmp.exe 37->50         started        108 Multi AV Scanner detection for dropped file 40->108 110 Machine Learning detection for dropped file 40->110 62 C:\Users\user\AppData\...\FB_387D.tmp.exe, PE32 43->62 dropped 64 C:\Users\user\AppData\...\FB_30EA.tmp.exe, PE32 43->64 dropped 52 FB_387D.tmp.exe 43->52         started        54 FB_30EA.tmp.exe 43->54         started        56 conhost.exe 45->56         started        signatures16 process17 signatures18 112 Antivirus detection for dropped file 47->112 114 Multi AV Scanner detection for dropped file 47->114 116 Machine Learning detection for dropped file 47->116 118 Sample uses process hollowing technique 47->118 120 Modifies the context of a thread in another process (thread injection) 52->120 122 Maps a DLL or memory area into another process 52->122 124 Tries to detect virtualization through RDTSC time measurements 52->124
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 15:32:10 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlrswv44foz5b5e3t7x2xvbtwxh2hi4yxwputntv7rriunjo5nca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0881127ba3ada84a8259b0e923fb8723a89016ae555bb59c44a9b372bba7daab
Formbook
2450d5f5fa69393262ee4d935acf867ff537ffaaa0a927823b748d5d77dd9fcc
Formbook
4f9d8536fa4475655dd14db7d472399f2b7214ddb16d3483f9a2a673e4fc1543
Formbook
6e1a82800736b1a05851d8eeca004861946ad916fe5566796e9303766de80131
Formbook
aaa2dcb2a94844c7059c483090f4d28c0efc2993438ddfc22c6d4c0ec93c0562
Formbook
b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
Formbook
c59f3d09668674cc602a759071c5972b8f78b2b829afd3fb8d5e6f9ecd820280
Formbook
e242d70710f47daf819f4dec74264d265efd80a1aa12eec27c0ac20715670923
Formbook
fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543
Formbook
+ 7'610 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cg53 persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210810-ztfrz5p62e/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.domoexpra.club/cg53/
Unpacked files
SH256 hash:
94f67426d3a9f9565493462a3e85ace467b1785f4df8f0e21d3c14555fc4b13a
MD5 hash:
272bab0f4f951600985ea2c3b96665c7
SHA1 hash:
a133019f4f30ccd410c9b09f23c13c472e8e1c46
Link:
https://www.unpac.me/results/af1df054-6e29-4c49-8568-2d3c1d0e84f0/
SH256 hash:
fb401914ed48a2fdd1d91483962f99a31ffe7242874af2e703eece4ff6ad41d7
MD5 hash:
8f989259a7cfb110d5acd1fb63af4c33
SHA1 hash:
72cf6656f5d7de743588cac05cf144e3d94acc84
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/af1df054-6e29-4c49-8568-2d3c1d0e84f0/
Parent samples :
b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44
SH256 hash:
d568436df5c8acb34e4bb7fdd390a5db5167dabee57fc56de86b59e6df363d81
MD5 hash:
3c70f12c1d28d571c9850946c3df10c5
SHA1 hash:
fdefd739eb33d7d365a82fdb923ddc37ff1f8224
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/af1df054-6e29-4c49-8568-2d3c1d0e84f0/
Parent samples :
b04306fa8223c20a1abaaa6aeb5cabb2a83dc04337beb2acfd47784b34b682bc
bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44
SH256 hash:
4e77453603d680c59d72f7c1a125eac2d807200b8ea6cdd6bfe63443847e2236
MD5 hash:
f1d4c8fee6ce5a8237d97324bb8d0eab
SHA1 hash:
c8c28f430931216d6409dff5b6b294e310083666
Link:
https://www.unpac.me/results/af1df054-6e29-4c49-8568-2d3c1d0e84f0/
SH256 hash:
cec8ef8ddc0b04b78c64bcb77fd1780fcfec399c17a82f9c71c9263fcf12d23d
MD5 hash:
cf26d4c5530f438d81ec6a54e0372020
SHA1 hash:
68d242ce7816824a7e18f4398c68e3d06ec96397
Link:
https://www.unpac.me/results/af1df054-6e29-4c49-8568-2d3c1d0e84f0/
SH256 hash:
bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44
MD5 hash:
aeb64eb2a6f01a3102aa9b4d8e6ec148
SHA1 hash:
c3841970b7fd0e3cb1deb6422423d3a86da793f0
Link:
https://www.unpac.me/results/af1df054-6e29-4c49-8568-2d3c1d0e84f0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bae32b579c2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bae32b579c2bb3d0f49b9fefabd433b5cfa3a398bd9f49b675fc628a352eeb44

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1522717/
Cape
Cape
https://www.capesandbox.com/analysis/178044/

Comments


Avatar
zbet commented on 2021-08-10 17:51:10 UTC

url : hxxp://auto-house.info/cgt/hherpp18.exe