MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb51f3c16fbd5864ed8b436c89600948cdc76e2c0bf84aca221992f405a77eb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14


SHA256 hash: cb51f3c16fbd5864ed8b436c89600948cdc76e2c0bf84aca221992f405a77eb9
SHA3-384 hash: ce9b32d3a31ee1e6c06603279362b5925e45cd6fef044eacd851563a00427dea38047cdc4dabd3c79d37283674bafabb
SHA1 hash: d36634b9ad1fb1ae9f851005572702cad96823af
MD5 hash: 97221305ce5f05743f46f1998db359ba
humanhash: fish-triple-eight-east
File name: dddddsdsdssds.exe
Signature: Formbook
File size: 253'440 bytes
First seen: 2022-01-18 15:39:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:R7W0gEFovhf3vz3evqLMOUI5x9oWCoMqPoJ8L:R7BvY3ruvq4xI5x9BCsP
Threatray: 12'725 similar samples on MalwareBazaar
TLSH: T170440202D1C30297F52A06B3B5939BC3AFB4914D5DD18B4AA8DC316D0D9F68AB847ECD
dhash icon: 550959654d651945 (37 x Formbook, 28 x AgentTesla, 14 x RemcosRAT)
Reporter: Anonymous
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 155
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dddddsdsdssds.exe
Verdict: Malicious activity
Analysis date: 2022-01-19 02:24:43 UTC
Tags: trojan formbook stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating synchronization primitives
DNS request
Launching cmd.exe command interpreter
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed replace.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph (ID 555030, sample dddddsdsdssds.exe, start date 18/01/2022, architecture WINDOWS, score 100; top-level signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, 4 other signatures). Process tree as rendered by the graph:
dddddsdsdssds.exe (drops C:\Users\user\...\dddddsdsdssds.exe.log, ASCII; detected unpacking, writes to foreign memory regions, allocates memory in foreign processes, injects a PE file into a foreign process) -> starts CasPol.exe
CasPol.exe (thread injection, maps a DLL or memory area into another process, process hollowing, 2 other signatures) -> injects explorer.exe
explorer.exe (uses netsh to modify the Windows network and firewall settings) -> starts netsh.exe
netsh.exe (thread injection, maps a DLL or memory area into another process, RDTSC virtualization detection) -> starts explorer.exe and cmd.exe
explorer.exe -> contacts 192.168.2.1 (unknown); cmd.exe -> starts conhost.exe
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2022-01-18 15:40:15 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 24 of 28 (85.71%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:be4o loader rat suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SHA256 hash: 8448cb26bbc12696f55012c7eb202518408cd0b4d7782aa3ef5bd25b0a5a6e86
MD5 hash: 06e0b802ddfced9bd00661c179e55f55
SHA1 hash: 14a90bca64fb347856c1f1f68bc77bb87d22852b
Detections: win_formbook_g0 win_formbook_auto

SHA256 hash: 25087793f228437ffc9eeb4100de8ed5d2a65546a5b952b900856b80e2f1c81c
MD5 hash: 4bf2f49f3f4d28cc46e90e203030130b
SHA1 hash: c07b611b1b6d3b6b1b8e04d57b1f2bf643f42ead

SHA256 hash: 22113aa70b4ae3e4c8e37c8d0b3a70fc7f685dbca370d43d4a463bf209b0b41d
MD5 hash: 4f4ef3d24b9ac18dd304708f07708c3d
SHA1 hash: 13d33623691a8a415672f1a889ec5e2649298421

SHA256 hash: cb51f3c16fbd5864ed8b436c89600948cdc76e2c0bf84aca221992f405a77eb9
MD5 hash: 97221305ce5f05743f46f1998db359ba
SHA1 hash: d36634b9ad1fb1ae9f851005572702cad96823af

Malware family: XLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Formbook
Executable exe cb51f3c16fbd5864ed8b436c89600948cdc76e2c0bf84aca221992f405a77eb9 (this sample)
Delivery method: Distributed via web download

Comments