MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed
SHA3-384 hash: ed6ff4af5175f2ce6a8cb657a3dce3b422575ba6f1e27815b14a15ec8fb4c21ffe642d1303dd420291527fcc6ee3e8d4
SHA1 hash: cc89d0a14aa5133ea31c99be929d0d7d6ea9b98a
MD5 hash: 4c440fbcfe122628cfc4ebb6ed52ce44
humanhash: oklahoma-spring-utah-victor
File name:bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed
Download: download sample
Signature Formbook
Create hunting rule
File size:408'120 bytes
First seen:2020-11-03 10:09:56 UTC
Last seen:2020-11-03 11:58:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:GYkpuSNVGhuC588C0/wpgTmfHk34xOu419:GuUGhtCw0gTmXOR19
Threatray 5'351 similar samples on MalwareBazaar
TLSH CC94D0997640F19FC927C836C9645CF4AB123C26C70BC647A0533D9EBA7DA87CF251A2
Reporter JAMESWT_WT
Tags:FormBook

Code Signing Certificate

Organisation:Adobe Inc.
Issuer:DigiCert EV Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jan 31 00:00:00 2019 GMT
Valid to:Feb 3 12:00:00 2021 GMT
Serial number: 06F24D9F4DB07BD7ECAD067F5EE26C29
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: F1D08D7B98504370C1D5C40DCD8D8DCEAB084E9095CEF544465C445A374A18B0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82010/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.4084.6042.4862.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519052
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308627 Sample: xZ1iXLxRFX Startdate: 03/11/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 10 xZ1iXLxRFX.exe 1 2->10         started        process3 file4 28 C:\Users\user\AppData\...\xZ1iXLxRFX.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 xZ1iXLxRFX.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 cursosonliine.com 162.241.2.49, 49733, 80 OIS1US United States 17->30 32 www.hotmelt-coatingmachine.com 172.121.177.214, 49734, 80 EGIHOSTINGUS United States 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 mstsc.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-30 12:41:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90
Formbook
2bafe7b4f77916d7ca905d9d46453d27e090b85ba065f4892a886abdc8e51863
Formbook
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
Formbook
37c41a797e70fef4120a5175d93835738ed9b9b85e24c912d61c7e1f96265f51
Formbook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
Formbook
9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959
Formbook
a50fdfd2a59cafe23cd41227b465d44b6d00e2b14f707798d60d2637ff78ef25
Formbook
c41015f034cca2ff33ce96e08ddb477a92a3fff678bd8e78a78d96bf69e613f1
Formbook
e5a94739fb1f6d7a06f6b9eb529037c9ab0d59be424d4b99c63651360d7ded3f
Formbook
f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
Formbook
+ 5'341 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201103-nb2r9hc9ha/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.a1aphysicaltherapy.com/ri6/
Unpacked files
SH256 hash:
bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed
MD5 hash:
4c440fbcfe122628cfc4ebb6ed52ce44
SHA1 hash:
cc89d0a14aa5133ea31c99be929d0d7d6ea9b98a
Link:
https://www.unpac.me/results/bfedc1f4-a0de-4dbe-b288-ec7028c7b831/
SH256 hash:
def2e8f6dc29cc80c4917935a93f742b72064ea1619043c0d36138933941c17c
MD5 hash:
b40aa024165223f61011dfa8dea26bcb
SHA1 hash:
1682f64cc5a800b79e15efc6a26b50836f2e27a4
Link:
https://www.unpac.me/results/bfedc1f4-a0de-4dbe-b288-ec7028c7b831/
SH256 hash:
e7dc58ee2af533cc6b2ede560267b2db5a35361aa00eadb598af0aa82f5bd05b
MD5 hash:
08567a7c348973a680c23d450a21e463
SHA1 hash:
4a4c8a9273157cca6c8f9876304f946c773b03fd
Link:
https://www.unpac.me/results/bfedc1f4-a0de-4dbe-b288-ec7028c7b831/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/bfedc1f4-a0de-4dbe-b288-ec7028c7b831/
SH256 hash:
c7f102558506e1664af6c1781909964d377e909a3a276aade19843fde51bede4
MD5 hash:
588e4bb830687dccf91884fb5ef122ca
SHA1 hash:
5408f418e569738550a26b9e2810cb0df7a4de9e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bfedc1f4-a0de-4dbe-b288-ec7028c7b831/
Parent samples :
1e1beae5454f17fedd445159a0f138718c2009df44ac4b05a35ec3971a521f90
9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959
bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed
f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/82010/

Comments