MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71
SHA3-384 hash: 6a2cdad2585a46dd4710a43bb487fb81bd28fcdc7b2b91df90f2e08cc4e75023709e211d31f1f8603b25956309555288
SHA1 hash: 1735bb65c4f9d2eb29c7aa67cb9f8612edf090ae
MD5 hash: 1476aaf429d24a0c48ef52829cdf94e5
humanhash: bulldog-item-oregon-edward
File name:bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71
Download: download sample
Signature Formbook
Create hunting rule
File size:1'546'752 bytes
First seen:2020-11-15 23:04:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:4V+HEzZmOcmWvPUJvXgpiPVJn5SAuovd6WTTCl:9H7O0nufYi96Auol6WXe
Threatray 2'970 similar samples on MalwareBazaar
TLSH 5E65F79D3260B6DFC857CD36DA681C64EB6078BA830BE203A05726ED9D5D59BCF140F2
Reporter seifreed
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/537539
Signature
Binary contains a suspicious time stamp
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317866 Sample: QkbBGL0s9A Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected AntiVM_3 2->34 36 5 other signatures 2->36 10 QkbBGL0s9A.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\QkbBGL0s9A.exe.log, ASCII 10->28 dropped 40 Tries to detect virtualization through RDTSC time measurements 10->40 14 QkbBGL0s9A.exe 10->14         started        17 QkbBGL0s9A.exe 10->17         started        signatures5 process6 signatures7 42 Modifies the context of a thread in another process (thread injection) 14->42 44 Maps a DLL or memory area into another process 14->44 46 Sample uses process hollowing technique 14->46 48 Queues an APC in another process (thread injection) 14->48 19 explorer.exe 14->19 injected process8 process9 21 NETSTAT.EXE 19->21         started        signatures10 38 Tries to detect virtualization through RDTSC time measurements 21->38 24 cmd.exe 1 21->24         started        process11 process12 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:06:45 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
Formbook
366d589602fe9abe8051f7b13322aaa0efc3d65638575bc6488a65ce75773488
Formbook
45cf51569314dac91762e5c1f112c4a640595239d553729f10613f9f59403e84
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
74ee80ac61ce369a23feac3296a825873aa257282d5dd0f9c35c385e3d6766cf
Formbook
7a990daaeb236dac7f6245626e92a4624c798b89e96d573abfd78d2b546af659
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
911fec402f3bb42d731c4e177c322c0df8d79f680e5a18f538a3ff2e3086c2bf
Formbook
a9a6a44f3eca95cc7785debebea767461798f27978628c58a06474005b8855c8
Formbook
e193e31155334803c7114e1f578689e26cda3faf7539fdb15d19f2f60e8379c1
Formbook
+ 2'960 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201115-hpcys3svt6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.progressaofinanceira.com/di4r/
Unpacked files
SH256 hash:
bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71
MD5 hash:
1476aaf429d24a0c48ef52829cdf94e5
SHA1 hash:
1735bb65c4f9d2eb29c7aa67cb9f8612edf090ae
Link:
https://www.unpac.me/results/36ac62bc-3020-4264-97e8-a9f5559618c9/
SH256 hash:
daaddfd409cb5ddf885892bcade80948e2bc756fec284f132fed279a06aae888
MD5 hash:
b1099fdf37286ced022b0d45a4ac391e
SHA1 hash:
998f1f4cf2e8b15133f4634cec5623f4ad6b99a2
Link:
https://www.unpac.me/results/36ac62bc-3020-4264-97e8-a9f5559618c9/
SH256 hash:
2a722b5b2318dc292a35d5cbd9a2817d1f40e0f999de9d16adc1314552e36ea8
MD5 hash:
0f7423f0d25b5529ce667ab1e9379372
SHA1 hash:
9ba4d19777e894b32a1910db70e7765459d2a28f
Link:
https://www.unpac.me/results/36ac62bc-3020-4264-97e8-a9f5559618c9/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/36ac62bc-3020-4264-97e8-a9f5559618c9/
SH256 hash:
290a2a2881ff015d555649d59c2ddeebe3b9536eb8ed06f09f185990edda31b4
MD5 hash:
bc4c20d803c773fbd897ddcc34d8175f
SHA1 hash:
78d279a93dbf815b30b15f7e0cd223e659c259c3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/36ac62bc-3020-4264-97e8-a9f5559618c9/
Parent samples :
7a990daaeb236dac7f6245626e92a4624c798b89e96d573abfd78d2b546af659
74ee80ac61ce369a23feac3296a825873aa257282d5dd0f9c35c385e3d6766cf
a9a6a44f3eca95cc7785debebea767461798f27978628c58a06474005b8855c8
366d589602fe9abe8051f7b13322aaa0efc3d65638575bc6488a65ce75773488
e193e31155334803c7114e1f578689e26cda3faf7539fdb15d19f2f60e8379c1
bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71
496312b0f2439d09765eb76ce146369b9417f59225f86c9b5f0ef8e1bb880602
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments