MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfeb54e5c139165386b0a468366c012d13562376cc4a82f3cd7d69723fee96a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	bfeb54e5c139165386b0a468366c012d13562376cc4a82f3cd7d69723fee96a0
SHA3-384 hash:	df21811b6533c524063ce23a999419fb89585fa7e72db09a1420bfe545a6586259dcfad7226a82919bc2906531722cf9
SHA1 hash:	0bff48fcce898a54f7e6cd102f9e347c82bc8ffc
MD5 hash:	ea42aa54e58b05c5340f892800af930b
humanhash:	hamper-mirror-uniform-four
File name:	BL20551133(RO-KR)L1ZAR-S11pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'031'680 bytes
First seen:	2021-02-04 13:17:34 UTC
Last seen:	2021-02-09 15:17:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	24576:4rWE4qlwkA7f6yVCr/bfKGJAFwcGE/r44k:sWE4qlD2o/bfjJhnak
Threatray	3'715 similar samples on MalwareBazaar
TLSH	8E258D8D770722CBF09F25BB83B11E340572BD5B74C0D61EF29E76A1A9321A8AC44797
Reporter	GovCERT_CH
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BL20551133(RO-KR)L1ZAR-S11pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-02-04 13:19:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6d6f2a4e-2524-44dc-8bca-bad13926a9fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/115628/

Result

Verdict:

Malware

Maliciousness:

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/599274

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/bfeb54e5c139165386b0a468366c012d13562376cc4a82f3cd7d69723fee96a0/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-02 05:33:11 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x7vvjzobhelfhbvqurudm3abfujvmi3wzrfif46npvuxep7os2qa._file

Verdict:

malicious

Label(s):

formbook

Formbook

148007b32a311769a958c3f87c6c836b14457f17dbe6a9a0188b0f68b3c30b40

Formbook

17560799b5c280bc9c03210bc5173826c9de6ea7d488f5ead4441933872ea690

Formbook

17feaeb1ed83aa5acfcf5b6807ad231530fb44c2e7f5a69552b68ca4fe14b941

Formbook

3ed3126cfc3094e0f1a5736369cc55f68feb9bf6c9e31ba6e00e36f11917bc18

Formbook

5b895b1fe7b66a92588a06eba17a83022da0b539dd9c2eaafbf6082a656f7b57

Formbook

691f4ceec58c748e1dd6535281cacf8dcb3f2f5907796dbeefec03c975dbb28e

Formbook

6ac9238d32f2a7b7315cdb2755e090aa53431a71d613e188209b02105e3b8af9

Formbook

9763034a6f6e93c907471ca361e619f5fe5ec0b3aeb301cd046bd877c62aaea7

Formbook

c88ff1a1487ac7559ec7f8104f6b1cd8231b6a7f0a52020c356c460d2b608d9a

Formbook

+ 3'705 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader ransomware rat spyware stealer trojan

Link:

https://tria.ge/reports/210204-4271jh4twj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Xloader Payload

Formbook

Xloader

Malware Config

C2 Extraction:

http://www.digitalneeds.tech/ivay/

Unpacked files

SH256 hash:

6371265c1e6b6a39d54a7bb9485b7ef14bf338c13e0f0e8e4e81f3ac802eaac8

MD5 hash:

4449dbe70422f2dbc5b21121c18ba3d6

SHA1 hash:

be147522e8dd0198a8f4478c5b02550893331d45

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/b6632794-cc2d-4bba-8b26-789c50ad1776/

Parent samples :

c88ff1a1487ac7559ec7f8104f6b1cd8231b6a7f0a52020c356c460d2b608d9a
691f4ceec58c748e1dd6535281cacf8dcb3f2f5907796dbeefec03c975dbb28e
bfeb54e5c139165386b0a468366c012d13562376cc4a82f3cd7d69723fee96a0
ba036ae8ea1f0edb73e54c34031ae4eb52862512054e014ee9d21ed04fdca86c
9681746b0d72e882c0949fcbdd3005b15720d66b4a8795b9d7c8c98a59048582
6a37a2a65393b805bbe4e7e4e42b642da433e9caa7436aaeb9df8ab0fc6679b9
9ab3bb93a6d39ab709c9b2369cde749ccbe7f3796c7c3e2fc39aa4715c3bb0fd
0e2a77f131f7d624f3c067e4b58124ccf1c85b4e16bf839fd2a6e9fde02a3f43

SH256 hash:

bd03f1419db658015507630078378ed7b24ed480166fb9855308e78cd249fb44

MD5 hash:

06ba0381250a64535e2ff8dcf4f37907

SHA1 hash:

bb9f2a2c1d8bdabeefcb7b1f0333a47ae144571c

Link:

https://www.unpac.me/results/b6632794-cc2d-4bba-8b26-789c50ad1776/

SH256 hash:

9fcfe729cb97058ada7034307f95afbdb3652a569e5a6e712bc6424533b8e266

MD5 hash:

fc9e96e1da83c27d0c2df8886e177cf3

SHA1 hash:

08674c17af20d5e6ceb7e908efb57066ba87e6b5

Link:

https://www.unpac.me/results/b6632794-cc2d-4bba-8b26-789c50ad1776/

SH256 hash:

bfeb54e5c139165386b0a468366c012d13562376cc4a82f3cd7d69723fee96a0

MD5 hash:

ea42aa54e58b05c5340f892800af930b

SHA1 hash:

0bff48fcce898a54f7e6cd102f9e347c82bc8ffc

Link:

https://www.unpac.me/results/b6632794-cc2d-4bba-8b26-789c50ad1776/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bfeb54e5c139165386b0a468366c012d13562376cc4a82f3cd7d69723fee96a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip b98b6bf5cca89526516d5f350d4797c7c918fcc98cdb552989e73c9414132f7a

Formbook

exe bfeb54e5c139165386b0a468366c012d13562376cc4a82f3cd7d69723fee96a0

(this sample)

Dropped by

MD5 b360dba65fd6d4a96ba1527fb445a6ef

Dropped by

SHA256 b98b6bf5cca89526516d5f350d4797c7c918fcc98cdb552989e73c9414132f7a

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/115628/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample