MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0e7564b77139d48cd4a4a89fc18bf2ec9842d73bc653ceb004849ed3c49f216. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0e7564b77139d48cd4a4a89fc18bf2ec9842d73bc653ceb004849ed3c49f216
SHA3-384 hash: 27dd9fcb1997dac04d84d2ab140ba6f45d7418cc5a1f3dc39735feca4b3b684ceb3834223519e44966b75a295c206efe
SHA1 hash: 3c6bec145f5bdeeeb62e70d2183eae7c6c5a7af4
MD5 hash: 956d94a814bcd68fe964a109ff60a5f2
humanhash: nine-delaware-butter-louisiana
File name:nov  objedn vka pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:449'536 bytes
First seen:2021-09-24 08:43:53 UTC
Last seen:2021-09-24 09:54:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:WTLVofGHfcEY7ISvZ8SEwwh4G4zDdoorQH0sTXaItgbOUaLKnCxpQeIr:PGEEYkSvmFM5U0waIGbO/K2ZG
Threatray 9'584 similar samples on MalwareBazaar
TLSH T1E2A4EF4193DCDF9FE3296A7559052C2082A2D3DD22A6DE8AEC4954B13DD629CFB10FC3
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
nov  objedn vka pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-24 08:44:34 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b74b046e-ff61-4613-b3fc-1384ed68fb02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191111/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.27911.29640.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0755af0c-c5ca-4279-925b-7df895ce74bd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857230
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489661 Sample: nov#U00a0 objedn#U00a0vka pdf.exe Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 11 other signatures 2->48 9 nov#U00a0 objedn#U00a0vka pdf.exe 7 2->9         started        process3 file4 32 C:\Users\user\AppData\Roaming\bRtrrlyF.exe, PE32 9->32 dropped 34 C:\Users\...\bRtrrlyF.exe:Zone.Identifier, ASCII 9->34 dropped 36 C:\Users\user\AppData\Local\...\tmpA7CB.tmp, XML 9->36 dropped 38 C:\...\nov#U00a0 objedn#U00a0vka pdf.exe.log, ASCII 9->38 dropped 58 Writes to foreign memory regions 9->58 60 Allocates memory in foreign processes 9->60 62 Injects a PE file into a foreign processes 9->62 13 RegSvcs.exe 9->13         started        16 RegSvcs.exe 9->16         started        18 schtasks.exe 1 9->18         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 13->64 66 Maps a DLL or memory area into another process 13->66 68 Sample uses process hollowing technique 13->68 70 Queues an APC in another process (thread injection) 13->70 20 colorcpl.exe 13->20         started        23 explorer.exe 13->23 injected 72 Tries to detect virtualization through RDTSC time measurements 16->72 26 conhost.exe 18->26         started        process8 dnsIp9 50 Modifies the context of a thread in another process (thread injection) 20->50 52 Maps a DLL or memory area into another process 20->52 54 Tries to detect virtualization through RDTSC time measurements 20->54 28 cmd.exe 1 20->28         started        40 www.saint-daniel.info 109.70.26.37, 49809, 80 RU-CENTERRU Russian Federation 23->40 56 System process connects to network (likely due to code injection or exploit) 23->56 signatures10 process11 process12 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d0e7564b77139d48cd4a4a89fc18bf2ec9842d73bc653ceb004849ed3c49f216/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 08:44:08 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dtvms3xcoourtkkjke7ygf7f3eyilltxrstz2yajbe62pcj6ila._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0f83f86907255eadae1caec99da48bd60689e359e40938f12453dcb3093851ad
Formbook
5a153e3107280c9674c3dbfb90c1d328a1d067b87beee49a169e5a10273065f5
Formbook
7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
Formbook
818b8b831f3c774e034e2794f1eae71f62f5388355916e948b472cfdac7f5508
Formbook
8830d590a0037fa1aadfd805782ab6a64905d5734b8205cd7aac30e9f116ee49
Formbook
9891e59fd137efef706c3d6ba08139d1a6e56ac4c1fe29aad0438848738393af
Formbook
c0447d2efa01433e46c26f66e24b9d35fa30c19c13667dc4867c478b71bb95d5
Formbook
d3b19cf0506617e6ac964656ebfe51f1c3066337b66bfdb48bd31b44ff61e7fb
Formbook
e32906edfa8d988075e6d062f5ea60f7550595eeef8f1d2177d387dc51f67a5c
Formbook
+ 9'574 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mynd rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210924-km727agdcn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.dtcu0ng.com/mynd/
Unpacked files
SH256 hash:
196e6ff5648f8a896ea973bee63df86561d3eae446364a755e3a6763009bbf31
MD5 hash:
27be933b22238d68c4cb7b689dcee836
SHA1 hash:
a9ad9e8a33ba0b1b45ab44ba3d6282dd157b5b84
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a0f061df-b3ad-4f8b-975b-f5b46844a13a/
Parent samples :
771bd71228626d14e109d6f2153aa3935e02f33b1593fdda42e99f3c0d39c792
d0e7564b77139d48cd4a4a89fc18bf2ec9842d73bc653ceb004849ed3c49f216
ba01aa9cb72e74474273788a5c1d83693c3a504e1aad67bed7515afb40a34101
5c4023944c61d2985cc5c50811481eb3cd64d4e3caba1e4f96d8fcc7adf7c72a
SH256 hash:
2241e105f4d9d02f898d8395a712a1c61bcae5d5cf5e52dc37cccd9a4cbe7bb1
MD5 hash:
36fa916ea33da29b017dc9b363834024
SHA1 hash:
a75acb3c65f0a012f58a4c00b4d0c9eb7bf38da6
Link:
https://www.unpac.me/results/a0f061df-b3ad-4f8b-975b-f5b46844a13a/
SH256 hash:
7f8f1a50883b4b66b7e5f77f5d07e7432662796f8342652cfc4bdbb59caf9d47
MD5 hash:
23d571b6fd21bc1daa93fb7a70df8473
SHA1 hash:
49c06f9fa80d5d5ad9aa28a63db30e79c9a5336f
Link:
https://www.unpac.me/results/a0f061df-b3ad-4f8b-975b-f5b46844a13a/
SH256 hash:
85fc67362e707f924c0fed3d43134e8185ae61c2c1f7dc39130f062cefd119b4
MD5 hash:
2d7f924b2c1a43cb120e2be1fc8a8bd3
SHA1 hash:
2553dae79597a59ff0253b3ab10041a27b484a4d
Link:
https://www.unpac.me/results/a0f061df-b3ad-4f8b-975b-f5b46844a13a/
SH256 hash:
d0e7564b77139d48cd4a4a89fc18bf2ec9842d73bc653ceb004849ed3c49f216
MD5 hash:
956d94a814bcd68fe964a109ff60a5f2
SHA1 hash:
3c6bec145f5bdeeeb62e70d2183eae7c6c5a7af4
Link:
https://www.unpac.me/results/a0f061df-b3ad-4f8b-975b-f5b46844a13a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d0e7564b7713/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0e7564b77139d48cd4a4a89fc18bf2ec9842d73bc653ceb004849ed3c49f216

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/191111/

Comments