MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c
SHA3-384 hash:	5937a6f6348c8d680064be6831993dd9fee5d4b90e51598ef01556e559ee3b57f0b26194e572322cf2b474634a20ce63
SHA1 hash:	2eafec60349d9a3cefd12e031f2597ca21c279b3
MD5 hash:	faa85d608853f8f467909b19eac68daa
humanhash:	earth-paris-jersey-timing
File name:	PI.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	234'546 bytes
First seen:	2021-05-05 12:55:36 UTC
Last seen:	2021-05-05 13:30:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep	6144:lPXZ2TKEpcsoiOI9Vs8XinYF5Fly7uSvcDkAhqwZ9ONl+iSov:T2+EpcPlaVs0inYF7MPcDhqt8Q
Threatray	5'031 similar samples on MalwareBazaar
TLSH	E734129759E0D8B7C7E603B20D761792DFFAD60624BAB78B47301F6A3B192C2901E143
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/150604/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.15528.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Sending a UDP request

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-05 12:56:09 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y64dli4pcpayguf2su5i6v7yzefcg6aeyn33umww7uqs3kqi5gga._file

Verdict:

malicious

Formbook

2a7a9c6d4505766ddf0a6c7dde9c2ae52369408fbe5ce93d0d3d76bf992b28dd

Formbook

4fe5115259b2c032f03275273349549ab896959c818d771a4ad755ce64866379

Formbook

5fef6e5e702f6ac33542c50d34d3054d1b957c3afd5dffc8fbeaa81d82fdf562

Formbook

7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b

Formbook

7f81bdd235dca279812a46cec7f585bde9d681906dba1398e8ac86dfc877d079

Formbook

851ee4f67cc28e3634b0062d77f62222d026c4e9674a894bcdd5b6c6e6bda376

Formbook

a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051

Formbook

a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe

Formbook

dd44eb26a328f1e86823339666e1b1237ad7b1d880694c1b8fb8164b931aa512

Formbook

+ 5'021 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210505-x7elgrvm5e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.knighttechinca.com/dxe/

Unpacked files

SH256 hash:

a4361c7bf7b9859df0b622ee7c421c216cc036b910e70861f107d487e257c162

MD5 hash:

d7b3e7bbb1ba396ae0a092b5dc4b9ed4

SHA1 hash:

1af08aca3583c37cd83c23c4b1f0eafb477c48b0

Link:

https://www.unpac.me/results/112ca136-6c53-4df6-9e9a-472e30192095/

SH256 hash:

c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c

MD5 hash:

faa85d608853f8f467909b19eac68daa

SHA1 hash:

2eafec60349d9a3cefd12e031f2597ca21c279b3

Link:

https://www.unpac.me/results/112ca136-6c53-4df6-9e9a-472e30192095/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Eldorado

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150604/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample