MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb
SHA3-384 hash: da8a501fef3486dc92b3669f854e4eaee72e7785a8d1090e73e200deb9a37c8fa11b32f0a04ee9fb0d00f603eb282e8e
SHA1 hash: 539ac067c45a87aa16e9fa86532d0f02212025cb
MD5 hash: 9d19dde43388e09b8a1ff59ae2594d32
humanhash: jig-muppet-pizza-kentucky
File name:9d19dde43388e09b8a1ff59ae2594d32.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:650'240 bytes
First seen:2021-04-01 06:43:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:erk8/CTnjHL8cXbteKkqVmcJN74pXmWLaUN:eGXr8cLErqVLGpXh
Threatray 4'482 similar samples on MalwareBazaar
TLSH BED4692337477BAFDD7913B62452451033B0AD36E66AD60CAC68724C5F776C08BEE262
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9d19dde43388e09b8a1ff59ae2594d32.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-01 07:22:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2cea304b-2961-47d3-acd0-946758420574

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/130478/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.576-3.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661708
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 379791 Sample: yQh96Jd6TZ.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 100 28 www.forneyus.com 2->28 30 forneyus.com 2->30 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 9 yQh96Jd6TZ.exe 3 2->9         started        signatures3 process4 file5 26 C:\Users\user\AppData\...\yQh96Jd6TZ.exe.log, ASCII 9->26 dropped 58 Tries to detect virtualization through RDTSC time measurements 9->58 13 yQh96Jd6TZ.exe 9->13         started        16 yQh96Jd6TZ.exe 9->16         started        signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 13->60 62 Maps a DLL or memory area into another process 13->62 64 Sample uses process hollowing technique 13->64 66 Queues an APC in another process (thread injection) 13->66 18 explorer.exe 13->18 injected process9 dnsIp10 32 dfendglobal.com 94.127.7.174, 49775, 80 SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze Serbia 18->32 34 www.support-applela.com 91.121.60.23, 80 OVHFR France 18->34 36 20 other IPs or domains 18->36 48 System process connects to network (likely due to code injection or exploit) 18->48 50 Uses ipconfig to lookup or modify the Windows network settings 18->50 22 ipconfig.exe 12 18->22         started        signatures11 process12 dnsIp13 38 www.support-applela.com 22->38 52 Modifies the context of a thread in another process (thread injection) 22->52 54 Maps a DLL or memory area into another process 22->54 56 Tries to detect virtualization through RDTSC time measurements 22->56 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 02:32:00 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7lu4hvflzr4u7l3fgbvljrs7dpq6p6flcxhehxsdtdavyelqk5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3ab2ff5459a46d33405f2c4a2853dbd9c21b09fd8f7abf0bb9683736f372776b
Formbook
68fa77befde4e147cc7bc2fb142306a94245adb49c4ccca175f12f29414ce3d1
Formbook
786e182e324b83c59ad1b095f7d520598a1b72cfce239b4274d462c7ba45bf18
Formbook
7c8eea0e649a176edb83fc19998f0e99be49c7bee1ff9090d1be69f614554088
Formbook
a514741f5e99ded17c767b1159e98f86ae0b918fcff56f53d365e4744104f457
Formbook
b4881cc38748284029b7008aaf75c0f1f85a4dcb70a61425e787325736c83f36
Formbook
b5e2b52a984579c7f0aa92d0acaa6eef67f06af5330857ba98a62345edd59908
Formbook
ce399cb6f48a7daf6fd1ce9ffc9a0fe086d101fac2c11a1a636e1932d3303c90
Formbook
d853a2c5b2ea683d568bc9065aa37ed906e46eacaef2412173cdb7a04214db2a
Formbook
e091222f766082c33c0606405115206cb2d915929dfe2ac899b1945d6442c512
Formbook
+ 4'472 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210401-3g44talp72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.paintersdistrictcouncil.com/vu9b/
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/99591fb8-19e6-4b34-8e9a-1d599c807a92/
SH256 hash:
bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb
MD5 hash:
9d19dde43388e09b8a1ff59ae2594d32
SHA1 hash:
539ac067c45a87aa16e9fa86532d0f02212025cb
Link:
https://www.unpac.me/results/99591fb8-19e6-4b34-8e9a-1d599c807a92/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe bfd74e1ea55e63ca7d7b298355a632f8df0f3fc558ae721ef21cc60ae08b82bb

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/130478/
  
URLhaus
https://urlhaus.abuse.ch/url/1090615/
  
Delivery method
Distributed via web download

Comments