MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315
SHA3-384 hash: 6fe33559c7a8a0639a54fa7e9b7729ad80c919b1e606382aaad70c6dfdd39cb3ada5d2d3bafc890da9912ef66136700e
SHA1 hash: 1f3ad860838da18311e09c3ab42ec1c0508e8050
MD5 hash: 6e201981b59dbed41004e8a0787ab06e
humanhash: foxtrot-lima-quebec-oxygen
File name:6e201981b59dbed41004e8a0787ab06e
Download: download sample
Signature Formbook
Create hunting rule
File size:1'439'232 bytes
First seen:2023-05-31 04:44:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:pLvIBEPzAZIUk/EC5hQk4cUN/fn39s9zcCImSKh+KtjqX:pPz6MEBgUN3p9GJy
Threatray 3'041 similar samples on MalwareBazaar
TLSH T134650232464FBEFFFBE90D64D88B15880CC86AAB521C50A4BD8845DF32B5A54ED5EC70
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6e201981b59dbed41004e8a0787ab06e
Verdict:
Suspicious activity
Analysis date:
2023-05-31 04:45:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c03cf612-474b-4665-8bfd-b2c725eba65d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393792/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67299720.22606.6340.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed stealer
Link:
https://www.filescan.io/uploads/6476d0cfe6cc9218e8eb61c9/reports/3540ee16-16f7-421f-86af-f789bb7fcebd/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b5133df-316e-4e85-9524-cd3ea596f888
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245741
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878751 Sample: njqeBLvq54.exe Startdate: 31/05/2023 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 8 other signatures 2->42 10 njqeBLvq54.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\njqeBLvq54.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 njqeBLvq54.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 1 14->17 injected process8 dnsIp9 30 www.laserelitecreations.com 17->30 32 www.99design.store 34.110.163.134, 49720, 80 GOOGLEUS United States 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 explorer.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-29 19:12:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5vuoynqbzrwdtkrhfxpf2sh5x4ha5k72q2bx3homj6dt2rpwmkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
007da5cb25a7ac030d0e3d0d82a1cd09a069bdb607b6f44ea8538c12ba048aae
Formbook
08844badf5c2bdd4dc6da38cfd0d774768efe5383f2a10ab811ade9e6c1c0eec
Formbook
380cb4de7ecddc054955c5e7838e25fcd20dfe6455ff15c689474385f8c82ff0
Formbook
3b86e5743a7a35e6c3e1dc7cb1a844299e7b1f9eeea5bb7e51ca0de52b808803
Formbook
9428a8cb5cf276628dfa0fe68ad6e9169a0a12eb6d00636cd64c39111ddb3aab
Formbook
968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d
Formbook
a4515730dc2be572ac039d78bfc3c3e2e1bfa4a737e67f0a709b29d94c737ca6
Formbook
afb6ebaef93a9f20bc3e52580cdcd0ca4558dc8307485d1b7c52380a686680fe
Formbook
f153dbff060014738d4acb9dd79afd626d82abc59202a6d1d6754fd7f343774d
Formbook
+ 3'031 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:hs95 rat spyware stealer trojan
Link:
https://tria.ge/reports/230531-fdd1jadc2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
83bcf419c847f65e877c951b09582457d8b41bcea9ae7f45972703b082ee8cb0
MD5 hash:
54841a158a44ed5508b9c6431dc3c127
SHA1 hash:
4e3b2494d6d9bfc323cb02191590150266765c52
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/beae2a01-f61d-46b7-8eb9-54daf99a6b4b/
Parent samples :
3c0001a9cfd20743c3bf08640859d90142456096612d035fde79ef2923ad45e0
968d112db7a7074ac9c934c1f34535e6119c163080266cbf02120c8679ad169d
bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315
788b280619372d2e7d1f1c6e00824cccb0cb581a7db5203f813a3d9df052f570
SH256 hash:
ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
MD5 hash:
9d6ec6072ee1814a4a01d1eb3fb67ba1
SHA1 hash:
d0b416de1c900b6bcb35dc182b2e8744f16c3289
Link:
https://www.unpac.me/results/beae2a01-f61d-46b7-8eb9-54daf99a6b4b/
SH256 hash:
e2206f44306deb3ed9d634a46374edb74fa93583480b4a6e76aca14b282437ed
MD5 hash:
1ab5021d54f9e859ee3bbead48baeece
SHA1 hash:
63c74983825ff426fef255736ae669323528169d
Link:
https://www.unpac.me/results/beae2a01-f61d-46b7-8eb9-54daf99a6b4b/
SH256 hash:
bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315
MD5 hash:
6e201981b59dbed41004e8a0787ab06e
SHA1 hash:
1f3ad860838da18311e09c3ab42ec1c0508e8050
Link:
https://www.unpac.me/results/beae2a01-f61d-46b7-8eb9-54daf99a6b4b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf6b4761b00e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bf6b4761b00e6361cd51396ef2ea47edf870755fd4341becee627c39ea2fb315

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/393792/
  
URLhaus
https://urlhaus.abuse.ch/url/2647058/

Comments


Avatar
zbet commented on 2023-05-31 04:44:17 UTC

url : hxxp://45.66.230.127/254/INTERNET.exe