MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea
SHA3-384 hash: 41fec9ea960d16c088213558624a6d274df7a07b27aab5031bb82d1d0f7bd5506d41b83e0806fb828a0f45c8b702437f
SHA1 hash: 7bc4521afb3f3d66589956934186aa58dc2da89d
MD5 hash: e17721a2ef74a162301a4162fb72ca94
humanhash: neptune-zebra-march-uncle
File name:e17721a2ef74a162301a4162fb72ca94
Download: download sample
Signature Formbook
Create hunting rule
File size:542'720 bytes
First seen:2022-05-17 09:50:13 UTC
Last seen:2022-05-17 11:02:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:7TdTJHBuWmGxGPhqZY3l7ZwGiJwFSYmojalJrsCBd:3dTVBulC2q2ViGiakOurHd
Threatray 15'778 similar samples on MalwareBazaar
TLSH T18DB4235137F8D367CD2827BB66FE5A80837B692C9882D157ACD266E40F313028DE5D23
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
AWB.xlsx
Verdict:
Malicious activity
Analysis date:
2022-05-16 22:12:17 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader formbook trojan stealer
Link:
https://app.any.run/tasks/27cf842c-03fc-4862-94d7-f3cb61268095

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271479/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62837013fd71ca8b2eea8009/reports/7b4885b2-6d6e-4a7c-bc2c-9b7d669c03b1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6f69391-2ac6-4c44-ad88-0a680fb3f9c8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995694
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 628189 Sample: ofk9i854E3 Startdate: 17/05/2022 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 8 other signatures 2->39 10 ofk9i854E3.exe 3 2->10         started        process3 file4 29 C:\Users\user\AppData\...\ofk9i854E3.exe.log, ASCII 10->29 dropped 49 Tries to detect virtualization through RDTSC time measurements 10->49 51 Injects a PE file into a foreign processes 10->51 14 ofk9i854E3.exe 10->14         started        signatures5 process6 signatures7 53 Modifies the context of a thread in another process (thread injection) 14->53 55 Maps a DLL or memory area into another process 14->55 57 Sample uses process hollowing technique 14->57 59 Queues an APC in another process (thread injection) 14->59 17 explorer.exe 14->17 injected process8 signatures9 31 Uses ipconfig to lookup or modify the Windows network settings 17->31 20 ipconfig.exe 17->20         started        process10 signatures11 41 Self deletion via cmd delete 20->41 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        25 explorer.exe 88 20->25         started        process12 process13 27 conhost.exe 23->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 16:52:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 41 (51.22%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d018e5356c91831fec573b9a19fc4c95fd534f45c454e1e363c8b75be8d08bb
Formbook
3a06c3ebd70a7d49c2a85dbeb46b2bd08d3772568b8feea6566dcb28324ca296
Formbook
4fd44b1855341a3f6f31e08e4ad288747ecb8e5b8637b95fff99aa689de07446
Formbook
7930bf3f1be9acdf429e2433aa7d0c36985d9a97e580571fee1ffe8cbc0d8f5a
Formbook
9109f3ebb2adae9285c464b1b111e41d7f2a77ce8f686d98110d788786ef9b70
Formbook
d727b63c6bcf81ea3c6a345f8435ad103f37c11c1b2cc89f9fee1f7253a26f9f
Formbook
dfa895fe8d8da53e7f3c0466a7e88aa5d36f1a781675d03b0c7400847a0b4f6b
Formbook
f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364
Formbook
fc016404ec0f895f233c8c1f6ce91e4dbf2d6f083a8dbc9429788d6839d7ae0d
Formbook
+ 15'768 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mi25 rat spyware stealer trojan
Link:
https://tria.ge/reports/220517-lvgqmsabh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
eae1e8f6cba8811c48f03c213e6e9a1ef2e6973692e139e953295c5228d061e3
MD5 hash:
83a05c8934fd3b4870d5e85ee433b958
SHA1 hash:
59acbe75b80328090510ca0a9eee413155184685
Link:
https://www.unpac.me/results/03401045-6f02-4a1e-a0dc-b6ffc6028ed8/
SH256 hash:
709fdbef8932044e42231f14888aa12b12ddc571e6daba8af86d624a39fa63bf
MD5 hash:
a7a6647650fe0204d1ab042824d638be
SHA1 hash:
a1194aba19ab6190a412073fe1918cd1b559aacf
Link:
https://www.unpac.me/results/03401045-6f02-4a1e-a0dc-b6ffc6028ed8/
SH256 hash:
b865c2de2cc6f29b1907438918166460fd3d8660dbdccbe0b6a5ca90517993c7
MD5 hash:
65c5988a31b0f47c324948f593c52a01
SHA1 hash:
f15ff94d6598ea26fd25baf99d69d3b491bb3101
Link:
https://www.unpac.me/results/03401045-6f02-4a1e-a0dc-b6ffc6028ed8/
SH256 hash:
2b61e74582f3b5c709117b6377925de304f3f4f0af30e6ebac683a555f812970
MD5 hash:
8f2d1267c2921f2fecc60c24291a41da
SHA1 hash:
1dd27d959a6e3cdf558342c10d113d18b7b91d3e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/03401045-6f02-4a1e-a0dc-b6ffc6028ed8/
Parent samples :
be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea
b4959f6906cb2816453fd47b371ff016bd899bc9a4e4161e06b80ee64a9f7fc5
ddefebb59f9e4b8fc00e13686024f829fbc7d82a2b0d07fd29748071708a5850
SH256 hash:
be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea
MD5 hash:
e17721a2ef74a162301a4162fb72ca94
SHA1 hash:
7bc4521afb3f3d66589956934186aa58dc2da89d
Link:
https://www.unpac.me/results/03401045-6f02-4a1e-a0dc-b6ffc6028ed8/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be44388c1d6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe be44388c1d6cb611f833ee2a52ba342d542bd4ce6da7f4d87a013094fe200eea

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2198984/
Cape
Cape
https://www.capesandbox.com/analysis/271479/

Comments


Avatar
zbet commented on 2022-05-17 09:50:18 UTC

url : hxxp://104.168.33.25/bbc/vbc.exe