MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53fe06c8384e535b2dcf3c96a7fd724ecf48ee3f3b9060750ff309ddea39758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d53fe06c8384e535b2dcf3c96a7fd724ecf48ee3f3b9060750ff309ddea39758
SHA3-384 hash: fb2a5851ec2e269391817e247e510d15d632979b316326e29e2b46ba4492f2d5835c176a636134b198d2f775050d0a5a
SHA1 hash: 300b25190439b5a8f865350bc5c72cd2d1b790df
MD5 hash: 396e48ab8ea9e0d607ff13b16cf5477d
humanhash: pluto-potato-emma-pizza
File name:396e48ab8ea9e0d607ff13b16cf5477d.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:363'520 bytes
First seen:2021-09-03 12:50:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:U6mw8sOboroe9xWpo3VVERiDgCAEAJynendhjQf+NA:WwSkP9Upo34VTQne/UmNA
Threatray 7'739 similar samples on MalwareBazaar
TLSH T19574E00627D60778D5BC9B706778A0A403F8F22B9632F7AE2D8452EACF51F099641773
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
396e48ab8ea9e0d607ff13b16cf5477d.exe
Verdict:
Malicious activity
Analysis date:
2021-09-03 12:56:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fe11cbd4-ccf8-4159-8739-2986df11e83c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185178/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.25640.931.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa20d43a-201d-42e2-850a-2dd0faaa30c8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844833
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477261 Sample: Jr2g09G2Ko.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 30 clientconfig.passport.net 2->30 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Found malware configuration 2->54 56 7 other signatures 2->56 10 Jr2g09G2Ko.exe 15 3 2->10         started        signatures3 process4 dnsIp5 38 pastebin.pl 168.119.93.163, 443, 49709 HETZNER-ASDE Germany 10->38 28 C:\Users\user\AppData\...\Jr2g09G2Ko.exe.log, ASCII 10->28 dropped 58 Uses ipconfig to lookup or modify the Windows network settings 10->58 60 Tries to detect virtualization through RDTSC time measurements 10->60 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->62 64 Injects a PE file into a foreign processes 10->64 15 Jr2g09G2Ko.exe 10->15         started        file6 signatures7 process8 signatures9 66 Modifies the context of a thread in another process (thread injection) 15->66 68 Maps a DLL or memory area into another process 15->68 70 Sample uses process hollowing technique 15->70 72 Queues an APC in another process (thread injection) 15->72 18 ipconfig.exe 15->18         started        21 explorer.exe 15->21 injected process10 dnsIp11 40 Self deletion via cmd delete 18->40 42 Modifies the context of a thread in another process (thread injection) 18->42 44 Maps a DLL or memory area into another process 18->44 46 Tries to detect virtualization through RDTSC time measurements 18->46 24 cmd.exe 1 18->24         started        32 www.yellowmerch.com 21->32 34 www.quarnettapope.com 21->34 36 2 other IPs or domains 21->36 48 System process connects to network (likely due to code injection or exploit) 21->48 signatures12 process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d53fe06c8384e535b2dcf3c96a7fd724ecf48ee3f3b9060750ff309ddea39758/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 12:51:14 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2u76a3edqtstlmw46pewu76xetwpjdxd6o4qmb2q74yj3xvds5ma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0655ee712ee939add7c23e011eb887fe70f085e1fea6df1dbeb07bc8df7ffdb7
Formbook
0dbc727b9b089ce71ec32623629e0b3ceae94285d1588ac4580c9d987b1c4e09
Formbook
19a2416e9e5991c181bfaedbd6c31b05d8d2a2b27a4eb78c804a954fbc45353f
Formbook
311c2667d094e51f0ad2596333a243ca6296d25c07223abf95af0256ed7aeb97
Formbook
6e71e82dcb056af810baae26909b712ec2dc1610bbf8ebbee00b62f9bb2b3189
Formbook
9da4d8126ac0c4c0b68066407e24cf1a36e06f0fc22ef87b0a464f90c1374095
Formbook
da7eff90633f82c14d128a573e55c95694fa567bd983438f6e4080db739ab55d
Formbook
+ 7'729 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:hh3t rat spyware stealer trojan
Link:
https://tria.ge/reports/210903-p3kztadaf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.demo-berlin.info/hh3t/
Unpacked files
SH256 hash:
d53fe06c8384e535b2dcf3c96a7fd724ecf48ee3f3b9060750ff309ddea39758
MD5 hash:
396e48ab8ea9e0d607ff13b16cf5477d
SHA1 hash:
300b25190439b5a8f865350bc5c72cd2d1b790df
Link:
https://www.unpac.me/results/c775a6fd-ff96-4773-8636-370129389d32/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d53fe06c8384/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/d53fe06c8384e535b2dcf3c96a7fd724ecf48ee3f3b9060750ff309ddea39758

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d53fe06c8384e535b2dcf3c96a7fd724ecf48ee3f3b9060750ff309ddea39758

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1588345/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185178/

Comments