MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbe645c9580d37f74350e17d80b68b6fa73fbeaee7c574320ff758d9c3cb7552. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbe645c9580d37f74350e17d80b68b6fa73fbeaee7c574320ff758d9c3cb7552
SHA3-384 hash: 3e9650446fa8b3c18aa0cef272ca3fe185e44febf5a758b219fae4be602305924fa50e21be07825b1ac008e12a356db2
SHA1 hash: fc35d234556eae92624d47d90ee4cddf030b52ff
MD5 hash: 6fd7a75e4a31a4d0391cde2eafa6d5e2
humanhash: fillet-high-vermont-green
File name:6fd7a75e4a31a4d0391cde2eafa6d5e2
Download: download sample
Signature Formbook
Create hunting rule
File size:177'152 bytes
First seen:2022-01-21 18:54:38 UTC
Last seen:2022-01-21 21:18:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'656 x AgentTesla, 19'465 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 768:GCSHTplbpdedgaYVtSHPWclhVm13jtJXtg5k4ZaDBo+CO8nYOj0h:2plbpdyp5k4ZaDBo+CO8nPj0h
Threatray 10'361 similar samples on MalwareBazaar
TLSH T1DB04C325EAF7DDB0CA52093BA12CFA2D0D1D2D791D67F8492458FD23EEB6ACC9840171
File icon (PE):PE icon
dhash icon 58cbdadadadadd58 (9 x SnakeKeylogger, 6 x Formbook, 4 x Loki)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6fd7a75e4a31a4d0391cde2eafa6d5e2
Verdict:
Malicious activity
Analysis date:
2022-01-22 04:15:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c937fd7c-296d-46fb-a018-d0a5f9d24b87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221560/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.35002.14264.10025.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61eb018fd32385db6316ad3c/reports/4bb354eb-349b-4077-ada9-9e7fc9986cce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c4408445-d804-4f85-870a-05d18a6e0e36
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925448
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557922 Sample: CrwtzU1QiJ Startdate: 21/01/2022 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 9 other signatures 2->50 7 CrwtzU1QiJ.exe 15 7 2->7         started        process3 dnsIp4 42 trietlongvinhvien.info 150.95.104.46, 49759, 80 RUNSYSTEM-AS-VNGMO-ZcomRunsystemJointStockCompanyVN Viet Nam 7->42 28 C:\Users\user\AppData\Roaming\...\update..exe, PE32 7->28 dropped 30 C:\Users\user\...\update..exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\AppData\...\CrwtzU1QiJ.exe.log, ASCII 7->32 dropped 52 Creates an undocumented autostart registry key 7->52 54 Encrypted powershell cmdline option found 7->54 56 Tries to detect virtualization through RDTSC time measurements 7->56 58 Injects a PE file into a foreign processes 7->58 12 CrwtzU1QiJ.exe 7->12         started        15 powershell.exe 9 7->15         started        file5 signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 12->60 62 Maps a DLL or memory area into another process 12->62 64 Queues an APC in another process (thread injection) 12->64 17 explorer.exe 12->17 injected 66 Uses ping.exe to check the status of other devices and networks 15->66 19 PING.EXE 1 15->19         started        22 PING.EXE 1 15->22         started        24 PING.EXE 1 15->24         started        26 3 other processes 15->26 process9 dnsIp10 34 yahoo.com 98.137.11.164 YAHOO-GQ1US United States 19->34 36 192.168.2.1 unknown unknown 24->36 38 74.6.143.25 YAHOO-3US United States 26->38 40 74.6.143.26 YAHOO-3US United States 26->40
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bbe645c9580d37f74350e17d80b68b6fa73fbeaee7c574320ff758d9c3cb7552/
Threat name:
ByteCode-MSIL.Downloader.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 11:48:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
15 of 23 (65.22%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14642e431716be5f43044de68f915037e0358a401f59e490f5370cc5563a1a23
Formbook
224eb07d990d08e707703af962de0b3f8414749f1a5a5a20d46d7c98337e036b
Formbook
2b61cfb00cc8a45fdae91c176c8e68be4ac7cefbe0fab5781e5fa44d2ec4ca9f
Formbook
2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
Formbook
3335218b7e280d81eb75ec3e4b124d9ad985f3849b508a8b9b4fb359f5dfbbfb
Formbook
8fbd2e80471ac408f76f9a2221d78e29ad5632961161f2cfc4c017d9b4ecbfde
Formbook
928fa5212b0c021cfc133bf17ce791b9a12f627356a171ae1afa377fdbb3ca19
Formbook
df70c8209f25283b9f315676eb12c7ea09c683501386f1290e347f70fb4079ff
Formbook
fa070ad21750a69c17bd104ae6fac4b05d12fe9d689101a38553619519f7edfb
Formbook
fc69e6c5574428d1463b12e28954ffe967456b3cd133e5ff61f46972f1afa975
Formbook
+ 10'351 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:oh75 rat spyware stealer trojan
Link:
https://tria.ge/reports/220121-xkskyaaga9/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
bbe645c9580d37f74350e17d80b68b6fa73fbeaee7c574320ff758d9c3cb7552
MD5 hash:
6fd7a75e4a31a4d0391cde2eafa6d5e2
SHA1 hash:
fc35d234556eae92624d47d90ee4cddf030b52ff
Link:
https://www.unpac.me/results/2a5942dc-5ed0-4fd3-9e50-f9bc510124d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbe645c9580d37f74350e17d80b68b6fa73fbeaee7c574320ff758d9c3cb7552

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bbe645c9580d37f74350e17d80b68b6fa73fbeaee7c574320ff758d9c3cb7552

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/221560/
  
URLhaus
https://urlhaus.abuse.ch/url/1996280/

Comments


Avatar
zbet commented on 2022-01-21 18:54:39 UTC

url : hxxp://trietlongvinhvien.info/.tmb/ID4/85013500002.exe