MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec
SHA3-384 hash: 8175937f3320d921330e278c3bd128b1ab46242555ece509a9691f95bffaf84f1ab7c93b2ecbf97e5577da269fb7241d
SHA1 hash: 55f84e625a2c498df407db7e346866825e951ac7
MD5 hash: 0cb4f3a6d8bf2b079afdbfd8721ebafc
humanhash: september-lamp-pasta-chicken
File name:0cb4f3a6d8bf2b079afdbfd8721ebafc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:852'992 bytes
First seen:2022-02-16 18:54:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:TEIh2EnTKrNiM3J2Y4D8eXLg2IJM/ihvACAt:ghrr3YweX0ZEMAj
Threatray 13'523 similar samples on MalwareBazaar
TLSH T12E050104B7A3E949C53E0FBAB895D0B39AA0AA7D7723EB7B2CD1234C04473E90575634
File icon (PE):PE icon
dhash icon 00b271f0f079f2c0 (15 x AgentTesla, 8 x Loki, 4 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242027/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1197.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620d4895a2660f3bb9e89465/reports/a1be6d99-5d3c-432e-a622-e054d2f5efdf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6310a615-bf71-4f19-993f-1f41e7679e7c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941143
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Application Executed Non-Executable Extension
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573625 Sample: ov0BIMVxrQ.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 10 other signatures 2->47 10 ov0BIMVxrQ.exe 3 2->10         started        process3 file4 31 C:\Users\user\AppData\...\ov0BIMVxrQ.exe.log, ASCII 10->31 dropped 59 Tries to detect virtualization through RDTSC time measurements 10->59 14 ov0BIMVxrQ.exe 10->14         started        signatures5 process6 signatures7 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Sample uses process hollowing technique 14->65 67 Queues an APC in another process (thread injection) 14->67 17 explorer.exe 14->17 injected process8 signatures9 39 System process connects to network (likely due to code injection or exploit) 17->39 20 rundll32.exe 17->20         started        process10 signatures11 49 Self deletion via cmd delete 20->49 51 Modifies the context of a thread in another process (thread injection) 20->51 53 Maps a DLL or memory area into another process 20->53 55 Tries to detect virtualization through RDTSC time measurements 20->55 23 explorer.exe 4 178 20->23         started        27 cmd.exe 1 20->27         started        process12 dnsIp13 33 www.buildingwealthwisely.com 103.224.212.222, 49850, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 23->33 35 turnkeygrouprealty.com 160.153.136.3, 49851, 80 GODADDY-AMSDE United States 23->35 37 7 other IPs or domains 23->37 57 System process connects to network (likely due to code injection or exploit) 23->57 29 conhost.exe 27->29         started        signatures14 process15
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 13:57:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70
Formbook
1eb4790d6bde96e2486580793a9f6759241f0bde48e6b7f1df0e9a1e62e6a1e5
Formbook
6420ceb34588ec91292aa6fcaa2b77b99a4b492a009f51a409fd240d138c7856
Formbook
78925291f09bb03febfff27735cd630b96b9ea2a21aee0a8b58e156ed20b256a
Formbook
8c16cbf4df8137db774d2cb97cc386b052ca7a0b77ee1572fe7a5fc9a5a22ae0
Formbook
e08593ebcd4ac9265c1f27d987a67f43b2c8a9e9c680e9d47901281a4c5878dd
Formbook
e149c419c1e3da9f42da46d4ba594ec7b97fc9a333bea11d1693b6750edf603b
Formbook
f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd
Formbook
fa4fe52b60d9da8ae735fe5ff04114abd194754fcd4ca94c0558ca7f6a3b3945
Formbook
+ 13'513 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:p0t9 rat spyware stealer trojan
Link:
https://tria.ge/reports/220216-xkswpsdchp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
7e98822f8518f0e996b7cf3acf26a5097b1d1bca30598a4ad51243e4815cd336
MD5 hash:
e935ef8d61fa963b6ed778497524d884
SHA1 hash:
935ed07dead04deecf89661c3ea1a573468e007b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/094f8462-e927-4918-a2ad-d808592ef5af/
Parent samples :
197f9af8a87a5870a0b950d3123cfa4c648f941b97cb7c16f392d26b61385d70
bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec
a6fc3d54528af98d4e971543db7f11f891d08269e288ad6822959c0a47665609
98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c
SH256 hash:
73f47ad0bc8542756b7cad0c2c6f0c080c01f65ae1df2d16cc0ae82089831a4d
MD5 hash:
1fccc20fe0cd732951310278ce313bd9
SHA1 hash:
f1f3795923630d8595b72054c38cfd7e89f485c1
Link:
https://www.unpac.me/results/094f8462-e927-4918-a2ad-d808592ef5af/
SH256 hash:
63b6403c6ea1378c0ff49f069597b45496dba6c0161d240e64885ab6f0806d04
MD5 hash:
72b143fd989c37772556bf302ac33be1
SHA1 hash:
ee377db4778e70261d34f8210208069df41a12ef
Link:
https://www.unpac.me/results/094f8462-e927-4918-a2ad-d808592ef5af/
SH256 hash:
8e12517873f0d1974518500f1942e35800d705ac8cade94f94c0f258c8f86b26
MD5 hash:
adbe68f8aba7c0f38f5ff432b73f383e
SHA1 hash:
7dda032f0d47a04d542909deed9ee2dcb0781716
Link:
https://www.unpac.me/results/094f8462-e927-4918-a2ad-d808592ef5af/
SH256 hash:
bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec
MD5 hash:
0cb4f3a6d8bf2b079afdbfd8721ebafc
SHA1 hash:
55f84e625a2c498df407db7e346866825e951ac7
Link:
https://www.unpac.me/results/094f8462-e927-4918-a2ad-d808592ef5af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/242027/
  
URLhaus
https://urlhaus.abuse.ch/url/2044599/
  
Delivery method
Distributed via web download

Comments