MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd2e5895c592ac5c6072d1108172fc759b17b5094fcfc125fb88d3b7b3432bba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	bd2e5895c592ac5c6072d1108172fc759b17b5094fcfc125fb88d3b7b3432bba
SHA3-384 hash:	4e29f6435b195075b6ac37990ab2f6251e2688f107f83fa79d752a94cad1e2b55529fb5e9bffa8378e62c72b0c1a1458
SHA1 hash:	689874cc568802003b6ca09cea156af424715de2
MD5 hash:	1f0c8747c32790a0f9c39c659e09d1c5
humanhash:	wolfram-oven-glucose-lamp
File name:	SecuriteInfo.com.Trojan.PackedNET.591.24689.22916
Download:	download sample
Signature	Formbook Create hunting rule
File size:	813'568 bytes
First seen:	2021-03-18 21:35:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:tpcb/bQAvfZUCUs3ull0HwTONmv3sR2EimbCwiORJWSHkaxXoBrfTby:AfZss3ull0HzG8VVvigJzoBrfTb
Threatray	4'144 similar samples on MalwareBazaar
TLSH	9805024076B2B2E8D4394B76B496C1930FF57C0E8297EABBFC59B19E0472468C67C235
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ00787676545654300RITEC.doc

Verdict:

Malicious activity

Analysis date:

2021-03-18 18:25:59 UTC

Tags:

exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/3c60960c-bf87-4a01-a2ca-e123df4c2367

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/125534/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.591.24689.22916.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7235d15e-6cc3-4658-9227-f51a215bf771

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/645510

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/bd2e5895c592ac5c6072d1108172fc759b17b5094fcfc125fb88d3b7b3432bba/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2021-03-18 11:14:00 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xuxfrfofskwfyyds2eiic4x4ownrpnijj7h4cjp3rdj3pm2dfo5a._file

Verdict:

malicious

Label(s):

formbook

Formbook

0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8

Formbook

11f06223417d6045acaa15cf7f5515d9afdfc23590c9cd021c2ae90a736bb6cd

Formbook

411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3

Formbook

6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6

Formbook

7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd

Formbook

9a55287be3d6c8a74a0aa6ee3a5ea4e288ba968e44c271c9ea5d2293c8300d07

Formbook

aa9692c1769e25297176b847f4274570c56c4d74f4577608bd036e72d82d5bdb

Formbook

adcc2671f1168261ceace2da6f28a79e0b3bc2f774fac1d79f4628f494951d24

Formbook

f39b9e8c4a9aa6d8cd9f069e8a8ee81a3f666e07071f2b4673aa42633026736c

Formbook

+ 4'134 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210318-2h94lchnds/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.dailybythecross.com/fdr/

Unpacked files

SH256 hash:

2b43013edb5706a946f4e523a1a219b31fe2a7e05c48884c048882b3c1327655

MD5 hash:

b7159eb14fe565d4e233604b629bbd8a

SHA1 hash:

64f82c67e6c7cbc078141162a49bffcee3d9ebb9

Link:

https://www.unpac.me/results/f3c6736e-a631-4cfc-bef3-b314318d99d5/

SH256 hash:

bd2e5895c592ac5c6072d1108172fc759b17b5094fcfc125fb88d3b7b3432bba

MD5 hash:

1f0c8747c32790a0f9c39c659e09d1c5

SHA1 hash:

689874cc568802003b6ca09cea156af424715de2

Link:

https://www.unpac.me/results/f3c6736e-a631-4cfc-bef3-b314318d99d5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd2e5895c592ac5c6072d1108172fc759b17b5094fcfc125fb88d3b7b3432bba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time