MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d69b7f8a3a50e7357a74fb671743c58b8db46f3f5cc6b191ba636eb33a161672. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d69b7f8a3a50e7357a74fb671743c58b8db46f3f5cc6b191ba636eb33a161672
SHA3-384 hash: 7d2e13ff964c4227aa43b06a31a131414aae1755add32ae39eb85d3f7db1cc8070b405f064473254bed56f762db075ea
SHA1 hash: b00e78d628b02e4c858436cbe361299d32e9152f
MD5 hash: 39395b0b94607e228a77fbd84e92beb3
humanhash: ack-mexico-stairway-four
File name:ordine
Download: download sample
Signature Formbook
Create hunting rule
File size:3'936'256 bytes
First seen:2020-12-11 11:30:38 UTC
Last seen:2020-12-11 13:36:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:MYc6SfZWWyYbqTlEKUJWWHNDK/PHXJNq4bODzch5BO+gufgj:MYc6SfZWWyYbqTFZiDK/vJNTOzwvO+g5
Threatray 3'166 similar samples on MalwareBazaar
TLSH 4D069D42AB118BD0E9E1B2BF0655B51D53F1F4D7BB82D24A2F0A8DF550A30C1BA4DB9C
Reporter JAMESWT_WT
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
g.exe
Verdict:
Malicious activity
Analysis date:
2020-12-10 11:37:59 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/4180b1ee-231f-454d-a892-50864c3452f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107743/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.54822.31484.19426.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/561514
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 329841 Sample: ordine Startdate: 13/12/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected FormBook 2->40 42 4 other signatures 2->42 10 ordine.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\ordine.exe.log, ASCII 10->28 dropped 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->52 14 mscorsvw.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 2 other signatures 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.luxusgrotte.com 217.160.0.171, 49753, 80 ONEANDONE-ASBrauerstrasse48DE Germany 17->30 32 www.zoommedicaremeetings.com 192.64.119.149, 49756, 80 NAMECHEAP-NETUS United States 17->32 34 5 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 systray.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d69b7f8a3a50e7357a74fb671743c58b8db46f3f5cc6b191ba636eb33a161672/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-12-10 09:21:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=22nx7cr2kdttk6tu7ntroq6frog3i3z7ltdlden2mnxlgoqwczza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
Formbook
29562212d731f51f5773e7996530971ccecfe84d6116bcbdbb3e41e6a2054b9a
Formbook
4e98a7f7084a5fa80d8e1dd45e8b8f8a1f9fc891d223cc265524cfcfe3c57c0b
Formbook
4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558
Formbook
765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037
Formbook
80f733776515fd3c59c8be1c08bbbb9a257b02bbb2c9228c0a8831f846562508
Formbook
bbb95e154a42908b2bbb1797d8b6178343b7c084158183f628b5c4bf3fe5ac7d
Formbook
d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c
Formbook
fa1c05c7ea1e94e08982755ca1d13051a6cd334fa3e93aa98b5bcc2ebb910f59
Formbook
fe0ec12b661e1ffaa00bb79f06c7478e37beb2437ecbbb85e7d149b53ac79111
Formbook
+ 3'156 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201211-qv3xntthrn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://www.registeredagentfirm.com/jqc/
Unpacked files
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/52c8821a-85fd-4c74-aa32-e479f5da8be4/
SH256 hash:
9790a6aa3d28d77d320c8f32938122c1212b7f6291daa7511f854a3fcd0fb037
MD5 hash:
6e53bc3c0364eefd1d448d25e026975d
SHA1 hash:
f11ea87b0638531f442b113feb19dbaae81ad518
Link:
https://www.unpac.me/results/52c8821a-85fd-4c74-aa32-e479f5da8be4/
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/52c8821a-85fd-4c74-aa32-e479f5da8be4/
SH256 hash:
d8dad4f2876c2fbf8cc4e826910b4cf5975bad5c053aa0c5746eb692c4765737
MD5 hash:
b8342f3982ebd8a24144daa6b5e0df8a
SHA1 hash:
d284aabefad8efe52cabcbb475d14e184c49c15b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/52c8821a-85fd-4c74-aa32-e479f5da8be4/
Parent samples :
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558
d69b7f8a3a50e7357a74fb671743c58b8db46f3f5cc6b191ba636eb33a161672
d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
SH256 hash:
d69b7f8a3a50e7357a74fb671743c58b8db46f3f5cc6b191ba636eb33a161672
MD5 hash:
39395b0b94607e228a77fbd84e92beb3
SHA1 hash:
b00e78d628b02e4c858436cbe361299d32e9152f
Link:
https://www.unpac.me/results/52c8821a-85fd-4c74-aa32-e479f5da8be4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d69b7f8a3a50e7357a74fb671743c58b8db46f3f5cc6b191ba636eb33a161672

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/107743/

Comments