MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfbee93177edcd85c7406e28ea0edbf3e83bf4d608bbce8a7b24064eec5b822d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 13


SHA256 hash: bfbee93177edcd85c7406e28ea0edbf3e83bf4d608bbce8a7b24064eec5b822d
SHA3-384 hash: fa21a686b3bcf5a3bef11a9d65d0608da9f92d5e6822795967bd81b15f85d8b614aede54ab6ee13be059eb738b0c00ad
SHA1 hash: 852c892e8ef8559c7ca0227c69a5e20755d06200
MD5 hash: 7dc5811b2d3c618537c11ecff1dbe363
humanhash: asparagus-august-apart-avocado
File name: 7dc5811b2d3c618537c11ecff1dbe363
Signature: Formbook
File size: 738'816 bytes
First seen: 2022-08-18 07:44:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:yaV1ki3Z+/SpY3osLpKk9LEXmaVV3lKRbReSN849Pzf2s78f:tVui3/cNdhEWav3lKq88sPr76
TLSH: T1BBF4123932F4556AE4A902F11A6D8C841BF13D36EE29DA9CFDE6348E82763C73552307
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: zbetcheckin
Tags: 32 exe FormBook
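The imphash above deserves a caveat before anyone pivots on it. The counts MalwareBazaar attaches to it (48'652 AgentTesla, 19'463 Formbook, 12'204 SnakeKeylogger) and the TrID verdict of a CIL executable have the same cause: a managed-only .NET PE has exactly one native import, mscoree.dll!_CorExeMain, so every such binary shares one import hash regardless of family. The script below is an added example (not MalwareBazaar's or pefile's code) that re-implements the imphash algorithm pefile uses, shows that the .NET bootstrap import table produces exactly the hash on this entry, and flags such toolchain hashes as values not to pivot on. The native import list is constructed for contrast, the ordinal handling is a stated simplification of pefile's, and `imphash_from_file` assumes the third-party `pefile` package is installed.

```python
"""Re-implementation of the import hash (imphash) as pefile computes it, to
show why the value on this entry is shared by tens of thousands of samples.
Added example; not MalwareBazaar's or pefile's code.

Algorithm (pefile.PE.get_imphash): for each imported DLL, lowercase the name
and strip a trailing .dll/.ocx/.sys; for each imported function emit
"<dll>.<function>" lowercased, in import-table order; MD5 the comma-joined
string.  pefile resolves ordinal-only imports to names through a lookup table
for a few well-known DLLs; this example does not carry that table and simply
emits "ordN" for ordinals (a simplification of this example, not pefile's
behaviour).
"""
import hashlib
from typing import Iterable, List, Set, Tuple, Union

Import = Tuple[str, Union[str, int]]  # (DLL name, function name or ordinal)

_STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def imphash_string(imports: Iterable[Import]) -> str:
    """Build the normalised 'dll.func,dll.func,...' string that gets hashed."""
    parts: List[str] = []
    for dll, func in imports:
        lib = dll.lower()
        head, _, ext = lib.rpartition(".")
        if head and ext in _STRIPPED_EXTENSIONS:
            lib = head
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the normalised import string, as a lowercase hex digest."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def imphash_from_file(path: str) -> str:
    """Same value from a real PE on disk, via pefile (pip install pefile)."""
    import pefile  # third-party; imported lazily so the rest runs without it
    return pefile.PE(path).get_imphash()


# A managed-only (CIL) executable has exactly one native import: the CLR
# bootstrap entry point.  Every such EXE therefore has the same imphash,
# which is the one shown on this MalwareBazaar entry.
DOTNET_EXE_IMPORTS: List[Import] = [("mscoree.dll", "_CorExeMain")]
DOTNET_EXE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Toolchain hashes: they identify "compiled as .NET", not a malware family.
DOTNET_BOOTSTRAP_IMPHASHES: Set[str] = {
    imphash([("mscoree.dll", "_CorExeMain")]),  # managed EXE
    imphash([("mscoree.dll", "_CorDllMain")]),  # managed DLL
}

# Constructed import table of a hypothetical native injector, for contrast.
NATIVE_STUB_IMPORTS: List[Import] = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "SetThreadContext"),
    ("KERNEL32.dll", "QueueUserAPC"),
    ("WS2_32.dll", 23),  # ordinal-only import, as exported by ws2_32
]


def is_pivotable(h: str) -> bool:
    """False for import hashes that fingerprint a toolchain, not a family.

    Only the .NET bootstrap hashes are listed; extend the set with whatever
    dominates your own corpus (packer stubs, common runtime shims).
    """
    return h.lower() not in DOTNET_BOOTSTRAP_IMPHASHES


if __name__ == "__main__":
    for label, table in (("dotnet exe", DOTNET_EXE_IMPORTS),
                         ("native stub", NATIVE_STUB_IMPORTS)):
        h = imphash(table)
        verdict = "pivotable" if is_pivotable(h) else "toolchain hash, do not pivot"
        print(f"{label:12} {h}  {verdict}  [{imphash_string(table)}]")
```

MalwareBazaar's own per-family counts next to the hash are the quickest sanity check: a value with tens of thousands of hits across unrelated families is a toolchain fingerprint. For a sample like this one, pivot on ssdeep or TLSH, on the unpacked payload hashes listed further down, or on the C2 infrastructure instead.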

Intelligence


File Origin
# of uploads: 1
# of downloads: 321
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7dc5811b2d3c618537c11ecff1dbe363
Verdict: Malicious activity
Analysis date: 2022-08-18 07:47:25 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Creating a window
Sending a custom TCP request

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 686169; sample sKFEAgM7H0; start date 18/08/2022; architecture WINDOWS; score 100)

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 5 other signatures
Contacted domains: www.ebiliris.com, www.authorsong.com

Process tree:
sKFEAgM7H0.exe (started)
  dropped: C:\Users\user\AppData\...\sKFEAgM7H0.exe.log (ASCII)
  Injects a PE file into a foreign processes
  -> sKFEAgM7H0.exe (started)
       Modifies the context of a thread in another process (thread injection)
       Maps a DLL or memory area into another process
       Sample uses process hollowing technique
       Queues an APC in another process (thread injection)
       -> explorer.exe (injected)
            www.ponoruhtpu.xyz 109.123.121.243, ports 49730 -> 80, UK2NET-ASGB United Kingdom
            System process connects to network (likely due to code injection or exploit)
            Performs DNS queries to domains with low reputation
            -> msdt.exe (started)
                 Tries to steal Mail credentials (via file / registry access)
                 Tries to harvest and steal browser information (history, passwords, etc)
                 Deletes itself after installation
                 2 other signatures
  -> sKFEAgM7H0.exe (started)
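The signature list and process graph above describe one chain: the sample relaunches itself and hollows the copy, the hollowed copy writes into explorer.exe, and explorer.exe, a Windows process that should not be opening raw TCP sessions to low-reputation domains, then contacts 109.123.121.243:80 and spawns msdt.exe for credential theft. The Python below is an added example (not the sandbox's or MalwareBazaar's code) of how that chain correlates in endpoint telemetry. It uses a simplified, hypothetical Sysmon-like event model (ProcessCreate, ProcessAccess with its GrantedAccess mask, NetworkConnect); the events are constructed, with PIDs invented and the process names, IP and port taken from the graph above, plus one benign control connection to an RFC 5737 documentation address.

```python
"""Correlate the injection chain from the sandbox graph above in endpoint
telemetry.  Added example, not MalwareBazaar's or any sandbox vendor's code.

Event model (simplified and hypothetical, loosely after Sysmon):
  {"type": "ProcessCreate",  "pid", "ppid", "image"}                       # ~event 1
  {"type": "ProcessAccess",  "source_pid", "target_pid", "granted_access"}  # ~event 10
  {"type": "NetworkConnect", "pid", "dest"}                                # ~event 3
Events are assumed to arrive in time order.
"""
import ntpath
from typing import Dict, List, Tuple

# Process access rights (winnt.h) an injector needs on its target.  Hollowing
# additionally needs PROCESS_SUSPEND_RESUME for SetThreadContext/ResumeThread,
# but VM_OPERATION|VM_WRITE is the common denominator of every variant.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

Finding = Tuple[str, str]  # (rule name, human-readable detail)


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def _is_system_image(image: str) -> bool:
    return image.lower().startswith("c:\\windows\\")


def detect(events: List[Dict]) -> List[Finding]:
    images: Dict[int, str] = {}        # pid -> image path
    injected_by: Dict[int, int] = {}   # target pid -> pid that wrote into it
    findings: List[Finding] = []

    for ev in events:
        kind = ev["type"]

        if kind == "ProcessCreate":
            pid, ppid, image = ev["pid"], ev["ppid"], ev["image"]
            images[pid] = image
            parent = images.get(ppid, "")
            # Hollowing setup: a binary launching a second copy of itself
            # (normally CREATE_SUSPENDED) whose image it will then overwrite.
            if parent and _base(parent) == _base(image):
                findings.append(("self_relaunch",
                                 f"{_base(parent)} pid {ppid} -> pid {pid}"))
            # A system process that has already been written into starts a
            # child: the msdt.exe stage in the graph above.
            if ppid in injected_by and _is_system_image(parent):
                findings.append(("injected_system_process_spawns_child",
                                 f"{_base(parent)} pid {ppid} -> {_base(image)} pid {pid}"))

        elif kind == "ProcessAccess":
            src, tgt, acc = ev["source_pid"], ev["target_pid"], ev["granted_access"]
            # Parenthesised on purpose: '==' binds tighter than '&' in Python.
            if src != tgt and (acc & INJECT_MASK) == INJECT_MASK:
                injected_by[tgt] = src
                findings.append(("write_into_foreign_process",
                                 f"pid {src} -> {_base(images.get(tgt, '?'))} pid {tgt} access 0x{acc:x}"))

        elif kind == "NetworkConnect":
            pid = ev["pid"]
            image = images.get(pid, "")
            # "System process connects to network" only counts once someone
            # has written into it; explorer.exe talks to the network often
            # enough legitimately that the bare event is useless.
            if pid in injected_by and _is_system_image(image):
                findings.append(("injected_system_process_network",
                                 f"{_base(image)} pid {pid} -> {ev['dest']}"))
    return findings


# Constructed telemetry mirroring the graph above.  PIDs are invented; the
# image names, C2 IP and port come from the sandbox report.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "ProcessCreate", "pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "pid": 1200, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe"},
    # the user runs the downloaded sample from explorer.exe
    {"type": "ProcessCreate", "pid": 4000, "ppid": 1000, "image": r"C:\Users\user\Desktop\sKFEAgM7H0.exe"},
    # the sample starts a second copy of itself and hollows it
    {"type": "ProcessCreate", "pid": 4100, "ppid": 4000, "image": r"C:\Users\user\Desktop\sKFEAgM7H0.exe"},
    {"type": "ProcessAccess", "source_pid": 4000, "target_pid": 4100, "granted_access": 0x1FFFFF},
    # the hollowed copy injects into explorer.exe
    {"type": "ProcessAccess", "source_pid": 4100, "target_pid": 1000, "granted_access": 0x1F3FFF},
    # injected explorer.exe contacts the C2 and launches msdt.exe
    {"type": "NetworkConnect", "pid": 1000, "dest": "109.123.121.243:80"},
    {"type": "ProcessCreate", "pid": 4300, "ppid": 1000, "image": r"C:\Windows\System32\msdt.exe"},
    # benign control: svchost.exe connecting out with no prior injection
    {"type": "NetworkConnect", "pid": 1200, "dest": "192.0.2.10:443"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40} {detail}")
```

GrantedAccess on its own is noisy: security agents, debuggers and some installers open other processes with VM_WRITE too, so production rules allowlist source images and key on the sequence (write into a system process, then that process's first outbound connection or unusual child), which is what the correlation above does. The self-relaunch check catches the hollowing pattern the graph shows (sKFEAgM7H0.exe -> sKFEAgM7H0.exe) but will also fire on legitimate self-respawning software such as browsers; treat it as a weak indicator that raises the score of the others rather than an alert by itself.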
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-08-17 09:06:46 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Verdict: malicious
Label(s): formbook

Result
Malware family: n/a
Score: 5/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files

SHA256 hash: 296a1bf44b57d9f656463f4931b3f1715768b578f3c5c0dac42483d07d1ad952
MD5 hash: 02627fbf3258c809d21b3979df7bcf97
SHA1 hash: b0dc8a60f4a32885ca872324418b7b7c5d42919e
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: bdde962929bf432781cc97f5f08255140ea40491bc80ea3b7949c1aba4d90eb3
MD5 hash: 34c61e0c38d3b053bc2775c8092791c7
SHA1 hash: cd57855864c41d4f6ed09d6eee3be11ac22407bb

SHA256 hash: c3391ed9cad5277cdc3343aaeaac96d639cf944be259394bbb5b4613a9be283c
MD5 hash: 53b71c2c5b7c349c4212bced46c5f069
SHA1 hash: 395743bcaedabbc92145a2e540085801db981f74

SHA256 hash: 9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash: 93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash: 220098c3047c32b51ae13a5cc1e9beeef3da6e18

SHA256 hash: 1b72d49a5e3db7a7a157408ac93240c7e0316ed7f6ddd10befc1af7e4bf7f68c
MD5 hash: 9c1436a35d82492bd09b6d65e4eaf94a
SHA1 hash: 2177711310aef753f821b881a4ee7f64f3bc9ef8

SHA256 hash: bfbee93177edcd85c7406e28ea0edbf3e83bf4d608bbce8a7b24064eec5b822d
MD5 hash: 7dc5811b2d3c618537c11ecff1dbe363
SHA1 hash: 852c892e8ef8559c7ca0227c69a5e20755d06200
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Formbook
File: Executable exe bfbee93177edcd85c7406e28ea0edbf3e83bf4d608bbce8a7b24064eec5b822d (this sample)
Distributed via web download

Comments



zbet commented on 2022-08-18 07:44:13 UTC

url: hxxp://103.207.39.251/office/vbc.exe