MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bff2044c8918a627b0d8f6743c0c0aa847d26902ddce396c54613ac5679d27a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	bff2044c8918a627b0d8f6743c0c0aa847d26902ddce396c54613ac5679d27a6
SHA3-384 hash:	1b2c48480afdebf9e07ef6f6f6867e57f078f16436f068b52b52c8dd358bc8e02fc7e35122bc61ff53ab7dddafcdb434
SHA1 hash:	9aaa3841471cdf38ee047f73cfabd2929443a7df
MD5 hash:	2ba1022a54bbea2f9f692bca6db317b7
humanhash:	beryllium-leopard-red-pluto
File name:	SecuriteInfo.com.Trojan.Siggen12.35942.15823.6948
Download:	download sample
Signature	Formbook Create hunting rule
File size:	473'088 bytes
First seen:	2021-03-12 19:35:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:mcN16VUF15I5hidf0vDbblDPBrT2i5QGVv6p:mc8O15IsdcvDbb1PBXs
Threatray	393 similar samples on MalwareBazaar
TLSH	72A4F010A9AAA331EBA477F45917DABC1BB47D66D133D75C0CC2BCCB3661F0A4980A17
Reporter	SecuriteInfoCom
Tags:	FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Proforma inv.doc

Verdict:

Malicious activity

Analysis date:

2021-03-12 16:06:57 UTC

Tags:

exploit CVE-2017-11882 trojan formbook stealer

Link:

https://app.any.run/tasks/a845a1b5-e929-4815-ac49-c50c48878855

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/123995/

Detection(s):

SecuriteInfo.com.Trojan.Siggen12.35942.15823.6948.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/638225

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/bff2044c8918a627b0d8f6743c0c0aa847d26902ddce396c54613ac5679d27a6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-12 19:30:18 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Verdict:

unknown

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader rat

Link:

https://tria.ge/reports/210312-1r571t9fyj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Xloader Payload

Xloader

Malware Config

C2 Extraction:

http://www.communityredport.com/amis/

Unpacked files

SH256 hash:

b80f59f6d4ba223f112870e87a8ff778ea2df913662051e1fa6077173122d344

MD5 hash:

e164f5a936eada5ec4f4262f4110fb0c

SHA1 hash:

c0d229cda01dcc1363eccb933e978c503d6c168d

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/4e7abc40-1ce4-4f57-afdf-2658e4ecb5ee/

Parent samples :

bff2044c8918a627b0d8f6743c0c0aa847d26902ddce396c54613ac5679d27a6
65a4584854c63766fd7d2cfeb5b7725ff8ae8b489d940c7b910c0909fd473947

SH256 hash:

ec9b7ee256438e822efb51ea43ebec8f05b3ea397c3b6cdc5ba0c5ed2c70da57

MD5 hash:

081cceda471be984a9ecc22a97938650

SHA1 hash:

f66c67976264d57d41c1ed61e22023127d206244

Link:

https://www.unpac.me/results/4e7abc40-1ce4-4f57-afdf-2658e4ecb5ee/

SH256 hash:

1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc

MD5 hash:

8f85df46a482b5b068ae7667bf1a33d6

SHA1 hash:

a210d369311aa4d709dc962c634174738576907e

Link:

https://www.unpac.me/results/4e7abc40-1ce4-4f57-afdf-2658e4ecb5ee/

SH256 hash:

bff2044c8918a627b0d8f6743c0c0aa847d26902ddce396c54613ac5679d27a6

MD5 hash:

2ba1022a54bbea2f9f692bca6db317b7

SHA1 hash:

9aaa3841471cdf38ee047f73cfabd2929443a7df

Link:

https://www.unpac.me/results/4e7abc40-1ce4-4f57-afdf-2658e4ecb5ee/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bff2044c8918a627b0d8f6743c0c0aa847d26902ddce396c54613ac5679d27a6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe bff2044c8918a627b0d8f6743c0c0aa847d26902ddce396c54613ac5679d27a6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1063541/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/123995/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample