MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d61855932c47e33b7adc0a49bca84227fdd325f35a35b8fbd76e8d9e401e4342. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d61855932c47e33b7adc0a49bca84227fdd325f35a35b8fbd76e8d9e401e4342
SHA3-384 hash: 316eed724adc2f1e16ea4107148369c5d0a9c8914f8b1802f18a75e9f4ba271415f4dc71b43a7d1c0fdead84c977d0b6
SHA1 hash: 1fdc5efe5c3ec91ab9bf7db200bb7e5a4bf33b45
MD5 hash: c9ea1730cb2a37cfcf92ed5d0b993925
humanhash: robin-mountain-steak-william
File name:c9ea1730cb2a37cfcf92ed5d0b993925
Download: download sample
Signature Formbook
Create hunting rule
File size:2'207'232 bytes
First seen:2022-11-18 02:34:00 UTC
Last seen:2022-11-18 05:37:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 49152:rjZ8llW0Cb1CSxCy3sW4ivY+EnBhGhF3ltGdwtDU:rOllWD5PcyRvxu+hrZU
Threatray 20'138 similar samples on MalwareBazaar
TLSH T130A5D1286D7F11DD464CBF5E8CB0C02E0A2D1586EF700CBCA6716DAB9A2AE4FDD19D14
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4d4d8e0f8c272b23 (5 x AgentTesla, 1 x Formbook, 1 x QuasarRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c9ea1730cb2a37cfcf92ed5d0b993925
Verdict:
Malicious activity
Analysis date:
2022-11-18 02:36:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ae136f97-4462-4e8e-a427-e3296c43a933

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335603/
Detection(s):
SecuriteInfo.com.FileRepMalware.18916.28359.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6376ef1c6fda73cab64e47e3/reports/5ac13496-e074-4f8d-b880-d1f7f41abd8c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/45d8fd1a-8bf5-43c0-bf55-0ea18bc11cc1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1116240
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 748949 Sample: gIhz76aLxF.exe Startdate: 18/11/2022 Architecture: WINDOWS Score: 100 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for URL or domain 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 4 other signatures 2->96 10 gIhz76aLxF.exe 1 8 2->10         started        process3 file4 70 C:\Users\user\AppData\...\Rgwmvlqe.exe, PE32 10->70 dropped 72 C:\Users\user\...\Mwdrpefpqabomplzexcu.exe, PE32 10->72 dropped 74 C:\Users\...\Rgwmvlqe.exe:Zone.Identifier, ASCII 10->74 dropped 76 C:\Users\user\AppData\...\gIhz76aLxF.exe.log, ASCII 10->76 dropped 104 Encrypted powershell cmdline option found 10->104 106 Tries to detect virtualization through RDTSC time measurements 10->106 108 Injects a PE file into a foreign processes 10->108 14 gIhz76aLxF.exe 10->14         started        17 Mwdrpefpqabomplzexcu.exe 15 3 10->17         started        20 cmd.exe 1 10->20         started        22 2 other processes 10->22 signatures5 process6 dnsIp7 110 Maps a DLL or memory area into another process 14->110 24 explorer.exe 14->24 injected 78 185.246.220.65, 49698, 80 LVLT-10753US Germany 17->78 112 Machine Learning detection for dropped file 17->112 114 Encrypted powershell cmdline option found 17->114 26 cmd.exe 1 17->26         started        28 powershell.exe 17->28         started        116 Uses ping.exe to check the status of other devices and networks 20->116 30 PING.EXE 1 20->30         started        33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        signatures8 process9 dnsIp10 37 Rgwmvlqe.exe 3 24->37         started        40 Rgwmvlqe.exe 24->40         started        42 PING.EXE 1 26->42         started        45 conhost.exe 26->45         started        47 conhost.exe 28->47         started        88 google.com 142.250.186.142 GOOGLEUS United States 30->88 process11 dnsIp12 98 Multi AV Scanner detection for dropped file 37->98 100 Machine Learning detection for dropped file 37->100 102 Encrypted powershell cmdline option found 37->102 49 cmd.exe 37->49         started        51 powershell.exe 37->51         started        53 cmd.exe 40->53         started        55 powershell.exe 40->55         started        84 192.168.2.1 unknown unknown 42->84 86 google.com 42->86 signatures13 process14 process15 57 PING.EXE 49->57         started        60 conhost.exe 49->60         started        62 conhost.exe 51->62         started        64 PING.EXE 53->64         started        66 conhost.exe 53->66         started        68 conhost.exe 55->68         started        dnsIp16 80 google.com 57->80 82 google.com 64->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d61855932c47e33b7adc0a49bca84227fdd325f35a35b8fbd76e8d9e401e4342/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 02:35:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
14 of 26 (53.85%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ymflezmi7rtw6w4bje3zkcce765gjptli23r66xn2gz4qa6inba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
masslogger
Create hunting rule
Similar samples:
196d459218ededd3243bbc504997f841aab0334ff68dc04f904b72a8bbeefcbb
Formbook
53d558b2f939bfce7dc3b9d6fdf0cfd92d966bcc7c3cb38e9a0171ef6f778a03
Formbook
53eb76297163535c2a9bbeb440c94f6811edc9b98fa30a4ecadac4be53805906
Formbook
71dcb6b22366d8b555334f2a381b3844df412e0b3b377420e7843f473726ff27
Formbook
76100dfb233e983c0190d55c224751945576e7d607f0db1c574876fd8302a6e4
Formbook
9d19e3dafa5104b8ad7bb8fc7657e085d47dc0f9bdac334fed5c9896c1003204
Formbook
e8ea13799fe43f6e41e65740f5c4411d534ac481c07d167197f5edb95200add1
Formbook
f90cae8d2f230d52a461faf67dd818065329eb8cac4c241734a3f224eee1c531
Formbook
ff25677389d599682cc411460963f6adbff3879c2f2d3d7239312acfd57f42fe
Formbook
+ 20'128 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:nurs persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221118-c2e1ysgd32/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook payload
Formbook
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7cfa9403-8d4f-480c-9732-8b1e4badae63
Unpacked files
SH256 hash:
5eb8e70e90b7b81874f1192cdce6e4b0c9c36598021c78d3a7220e37e3387b93
MD5 hash:
77740979a54b9c1e279181ee8e608547
SHA1 hash:
0cb8998377412256245536e270b3f76150ebadf5
Link:
https://www.unpac.me/results/08178d0a-1d71-44ba-860f-ed100451eccd/
SH256 hash:
d61855932c47e33b7adc0a49bca84227fdd325f35a35b8fbd76e8d9e401e4342
MD5 hash:
c9ea1730cb2a37cfcf92ed5d0b993925
SHA1 hash:
1fdc5efe5c3ec91ab9bf7db200bb7e5a4bf33b45
Link:
https://www.unpac.me/results/08178d0a-1d71-44ba-860f-ed100451eccd/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d61855932c47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d61855932c47e33b7adc0a49bca84227fdd325f35a35b8fbd76e8d9e401e4342

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2425178/
Cape
Cape
https://www.capesandbox.com/analysis/335603/

Comments


Avatar
zbet commented on 2022-11-18 02:34:08 UTC

url : hxxp://185.246.220.65/lee/IMG_56766900.exe