MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476
SHA3-384 hash: 7f1ad5171daf5d7c6b5686e537d7415521e3b3e84d98a5ba43619596588c3d713f37c49574a6f64d85d0395c2e677965
SHA1 hash: c11f5484af3e4d8e34c35a7b7363078b0f23e079
MD5 hash: 183a8b19a056c944237876bea31a697c
humanhash: pasta-one-lima-floor
File name:pdf.FOB Bander Abbas Basis and CIF Sheikh bilal basit.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:965'120 bytes
First seen:2021-10-04 10:11:14 UTC
Last seen:2021-10-04 11:14:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:GO4jeQ5jsruJH+ReJqvqfLRXwK4+HNONnvsyl9vai2K046Mnq0UnsO5lJkKzUvoc:XHBQLW10ergut8+VuRHPXWMj
Threatray 9'859 similar samples on MalwareBazaar
TLSH T1BB251A9053CB9EC0F47B6334B0111CE7A6FE660EF379CA1569963AC78DB6B40461DB88
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pdf.FOB Bander Abbas Basis and CIF Sheikh bilal basit.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 10:12:38 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/bf11f7c5-fe99-449e-9d18-39f6fb123be9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194527/
Detection(s):
SecuriteInfo.com.Artemis183A8B19A056.23111.9414.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Reading critical registry keys
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c0f45e3d213d202b76ef0/reports/ca07a8d8-12b8-4354-b213-90356c746cc4/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d892dfa-ca1f-479a-b23a-fec540015ef5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863880
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 496308 Sample: pdf.FOB Bander Abbas Basis ... Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 37 www.ioqoqoquyi.xyz 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 9 other signatures 2->45 11 pdf.FOB Bander Abbas Basis and CIF Sheikh bilal basit.exe 6 2->11         started        signatures3 process4 file5 31 C:\Users\user\AppData\Roaming\VKyccEisJ.exe, PE32 11->31 dropped 33 C:\Users\user\AppData\Local\Temp\tmp25E.tmp, XML 11->33 dropped 35 pdf.FOB Bander Abb...bilal basit.exe.log, ASCII 11->35 dropped 55 Injects a PE file into a foreign processes 11->55 15 pdf.FOB Bander Abbas Basis and CIF Sheikh bilal basit.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 20 explorer.exe 15->20 injected 22 conhost.exe 18->22         started        process9 process10 24 msdt.exe 20->24         started        signatures11 47 Self deletion via cmd delete 24->47 49 Modifies the context of a thread in another process (thread injection) 24->49 51 Maps a DLL or memory area into another process 24->51 53 Tries to detect virtualization through RDTSC time measurements 24->53 27 cmd.exe 1 24->27         started        process12 process13 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 04:18:47 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2fj6rnkcsy5jzgxd7kleehzoylcxpf2z2cqin42uln7jzeihir3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4f9d8536fa4475655dd14db7d472399f2b7214ddb16d3483f9a2a673e4fc1543
Formbook
82de7428f30e703ae55105807dd3c3c19e2f8a377e7a5c2b925537a182d3a886
Formbook
8898f85efa9e25992b6e00da2b7d3338649ebf89d26a92b9bf156618960f5466
Formbook
92737036f323b1c72064c1e8038a942266435048a3ce4847f7e5b29558376c1c
Formbook
9c1d6191badf084113871feba0049fac8a2bb5761136877383579cdcf7cd781a
Formbook
9dac57302e2261a1a3c6a665d3960525b27fb70a1fd6b1e135a3e72f11c6f3e6
Formbook
a3703cc485d2a99cfec122203ed2d7dd83274af8bd0b3bcfab3fd590dd5c308c
Formbook
d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
Formbook
e3ccade6f4b9accc6cffa813b88862d68f78f0f1c601a57d0573e60deea6a370
Formbook
e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267
Formbook
+ 9'849 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:rf3t rat spyware stealer trojan
Link:
https://tria.ge/reports/211004-l8jr6agbb3/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.logjed063.xyz/rf3t/
Unpacked files
SH256 hash:
ed390c88a5380c622d6e91cee3e851a7b0a1e5bfccdd3fc1310bd55f412178f3
MD5 hash:
c49d40107c34a4169b3bb7e2d25edf77
SHA1 hash:
8764208918c33670f3eaa2e2f9f54eb1b55f48f8
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e190aea0-1427-4d66-a2cc-efae54129a85/
Parent samples :
d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476
3f1f0dce8eb0b1a98912a8c08208c5d4425e013e20719aca1d14ca4924f841c6
d733031bac48ebb66a6a12347c3fa50852da1023486f591679043ef07c9cad7c
8758c8727fc2f359daee8f056460f3353bd807cc591000570b97358b2c914c96
32b793817b07a78490aa882218fb2880723c7ba23381545a2d7facfe0cacf4c1
SH256 hash:
6452ac3ea0e0edb77f5847c796e784cb2c731b85f72107b0308b1d1b28c34c45
MD5 hash:
7e7389c3c242df8807e594942caa14d8
SHA1 hash:
cde9732584ac323e6ec47507c0f59d84986ddc66
Link:
https://www.unpac.me/results/e190aea0-1427-4d66-a2cc-efae54129a85/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/e190aea0-1427-4d66-a2cc-efae54129a85/
SH256 hash:
d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476
MD5 hash:
183a8b19a056c944237876bea31a697c
SHA1 hash:
c11f5484af3e4d8e34c35a7b7363078b0f23e079
Link:
https://www.unpac.me/results/e190aea0-1427-4d66-a2cc-efae54129a85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d153e8b542963a9c9ae3fa96421f2ec2c5779759d0a086f3545b7e9c91074476

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194527/

Comments