MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0d6b8f342215efb1adba27088bb7f6dfe14dd3734612aecf1124b121c3a7cc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	d0d6b8f342215efb1adba27088bb7f6dfe14dd3734612aecf1124b121c3a7cc6
SHA3-384 hash:	ede7d8ec033029d4498a8a7f489ef2eeb3f488ce9b2ba61ff84a6864e8eb821b15e49d11e3920cd844a638aeff5fbabb
SHA1 hash:	478395fa117971afba2409e28128459ab5b305c1
MD5 hash:	c7e7c22a48b13be1eeb715145ba95325
humanhash:	minnesota-delta-moon-chicken
File name:	c7e7c22a48b13be1eeb715145ba95325.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'039'360 bytes
First seen:	2022-03-22 19:00:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	24576:voh8+lGIfLG0FC9tzJp/XgdBJEE0BOoXS/j/tLK0:vohkIfLG0FC9ttpwBJX0BOo6Y
Threatray	14'425 similar samples on MalwareBazaar
TLSH	T14025238223B88973D75E4F398C5262400975C4299A47F34FDAC0B1EA175A3E5A77338F
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://107.173.192.140/120/vbc.exe

Verdict:

Malicious activity

Analysis date:

2022-03-23 11:10:59 UTC

Tags:

opendir loader

Link:

https://app.any.run/tasks/f9c2d5c2-19f0-47f2-9244-5218ea647b98

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/255100/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1260.12274.17163.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/623a1d0a0cd58dbd92d8c0c0/reports/98ad7225-88d0-4c03-8b6a-e1768aa5b31e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fff27966-7f8e-4aa9-bda6-a4788896863d

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/962061

Behaviour

Behavior Graph:

n/a

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d0d6b8f342215efb1adba27088bb7f6dfe14dd3734612aecf1124b121c3a7cc6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-22 17:13:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

67cb5ce28fc7e9a5dae6c7be6da453844762fdea43d985cfc761c1ded66487f0

Formbook

a2d7a6453efd6b8c31af2e225ae7f93064d44fe328b5bb2e530d820e5e6ca5f8

Formbook

a9f8ff439d6cf51c60a5f9bba3653ea480fa72249562e11d6bc03bda8e672f5d

Formbook

c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c

Formbook

daac858e9ca5b0c8044385c2d94cbef17c41b0bd5c569ad7e03f0a51b4caab7a

Formbook

db4d5bd36f923fdd47daf48ace971f47e9764d27a2f88241f09c754c042efc28

Formbook

f136f4f9c59c4ff2582063222c6df106a3d1e3d7d9220ff73e3cb2ec487fe1db

Formbook

+ 14'415 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:a2rs rat spyware stealer trojan

Link:

https://tria.ge/reports/220322-xn824aggb6/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Unpacked files

SH256 hash:

de711978d83654dfd72b45187f161bfa2241f39277b55732bc35428962c40f16

MD5 hash:

5219170b15747107352cacbe41ea5a54

SHA1 hash:

6fb5234a6661bf18e37df2239af4eaf341533779

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5528a6e3-df04-4016-8c79-758ab9a683a2/

Parent samples :

a9f8ff439d6cf51c60a5f9bba3653ea480fa72249562e11d6bc03bda8e672f5d
0488a1801640896ea2e4922dcd03d47bea603db8b938aa2060bd529060ec37fd
d0d6b8f342215efb1adba27088bb7f6dfe14dd3734612aecf1124b121c3a7cc6
7fb0c21777bc2f9b0dd0aa5519eebbe5ec9afa008e67edc2abec7e5c94957a36
bce2bc3a55dfecfd388b134663893b70c3830b20a8afa395e36a28097e305943
cd0c02c985600efee1edc7dcca8808cdf06f3ac1d52427d39c2931d2472caa6a

SH256 hash:

4bb024ac1d994871fc267c509d731b8449032885caac8187be446700901879fd

MD5 hash:

ae6410deceedb4bc31e29a3b91965925

SHA1 hash:

7f6b7f31ee1786c31e0b7979dcbd82c6aa0a4b3b

Link:

https://www.unpac.me/results/5528a6e3-df04-4016-8c79-758ab9a683a2/

SH256 hash:

7ff857e20aff90324a4982ac14d73c1a284b8d42241932a97ab15419395a3c8f

MD5 hash:

f1d88de30ba02867f585ae25f405e1c4

SHA1 hash:

e179ed1aca9cb99ec036805045d6dfcfdc712751

Link:

https://www.unpac.me/results/5528a6e3-df04-4016-8c79-758ab9a683a2/

SH256 hash:

301642ff8826ac264d1a78b36237b5ece99cb31a2d9cecd04aafb3449679d94b

MD5 hash:

f08268ddb5c1236b947fe2864860fc98

SHA1 hash:

772410110fee00fc53939b94c2f64069fa824cf4

Link:

https://www.unpac.me/results/5528a6e3-df04-4016-8c79-758ab9a683a2/

SH256 hash:

7b77d03cf986229728035358a7dce24cabd56d134f33fe449093c50188a59ecf

MD5 hash:

ca5bb7ca18e6b6b747711d8c3ed344dc

SHA1 hash:

3f141f63d6b145cf29f2c9e1e111abfb52227722

Link:

https://www.unpac.me/results/5528a6e3-df04-4016-8c79-758ab9a683a2/

SH256 hash:

d0d6b8f342215efb1adba27088bb7f6dfe14dd3734612aecf1124b121c3a7cc6

MD5 hash:

c7e7c22a48b13be1eeb715145ba95325

SHA1 hash:

478395fa117971afba2409e28128459ab5b305c1

Link:

https://www.unpac.me/results/5528a6e3-df04-4016-8c79-758ab9a683a2/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d0d6b8f34221/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/d0d6b8f342215efb1adba27088bb7f6dfe14dd3734612aecf1124b121c3a7cc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.