MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116
SHA3-384 hash:	42702e5e246b73691a2f59052b05a27f91f89618eee978ce7c666c56cd8298859736aee7bb46b22156f2f68620c03a3a
SHA1 hash:	aadcd581a67a156815e8949368ef6e781c4c4541
MD5 hash:	35ef7e017d305356311017e4d06068db
humanhash:	table-oscar-fruit-texas
File name:	SecuriteInfo.com.Gen.Variant.Barys.126731.13854.30465
Download:	download sample
Signature	Formbook Create hunting rule
File size:	219'961 bytes
First seen:	2021-07-07 01:39:22 UTC
Last seen:	2021-07-07 12:58:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (291 x GuLoader, 50 x VIPKeylogger, 48 x RemcosRAT)
ssdeep	6144:xMm4CCAEmPcxTWr4UaxafbtTmW+SDzY8zboGNTsvnZ:xMwRNrW0fxTmWFDcsoGd4Z
Threatray	6'202 similar samples on MalwareBazaar
TLSH	AE24128133A1C96BD9E317710BB367A66BE4DA171864430F37E06F0D7936F82D91E682
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Gen.Variant.Barys.126731.13854.30465

Verdict:

Malicious activity

Analysis date:

2021-07-07 01:45:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/32e94f86-0cf6-4e87-ae7a-82234a568a51

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Gen.Variant.Barys.126731.13854.30465.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb4da52b-332a-4c8d-b303-5a22e5f2ff9e

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/812626

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-07-07 00:35:31 UTC

AV detection:

20 of 46 (43.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=24ps336t4oveq2lwqgttfkgfz2g7ovdzwzmvhorqmpqcr7b5sela._file

Verdict:

malicious

Label(s):

formbook

Formbook

19fea0b558bc85df1bec0bd5a086fd2678767117999762731b0f6fe15e1c590a

Formbook

36262c0543ba3fb3354a3786c2fbaba5e3a407678caf077bc6a99d5795fc73f0

Formbook

53cd0bb46c1d8aa4dc128569b2c2b2b13f0d4a1357e464e5eec019a7f11195d6

Formbook

932d535ab92b682eff0f74322211abd760021a9003d18b953e7226a6ebc38902

Formbook

9b9218d3692f38654cde45d5a9b01a6d5cb83aa5442c286fc4e073a6348e08d1

Formbook

d654d8728cd5b7c24ac8b82f7fbc6e7429b46fdb57bb384534242ca4e5a5043a

Formbook

e242d70710f47daf819f4dec74264d265efd80a1aa12eec27c0ac20715670923

Formbook

f49cfcb35472df4416a15ef2fdb156eef71e8b483d39811c19ed61d804af1da4

Formbook

fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543

Formbook

+ 6'192 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210707-kz6a91llr2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Unpacked files

SH256 hash:

e7371b456ec6d9f6610d6cc4427d3d5c79f3758c66578563b729833ae5a88968

MD5 hash:

08b0b91e3be4ef57fcd992d8beb6bf30

SHA1 hash:

a8c5fb06f89f598955eccdeb9d7bd8a0fd564095

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/3a70ebf3-a839-4ba6-ba4a-044ef43be9af/

Parent samples :

d654d8728cd5b7c24ac8b82f7fbc6e7429b46fdb57bb384534242ca4e5a5043a
f49cfcb35472df4416a15ef2fdb156eef71e8b483d39811c19ed61d804af1da4
36262c0543ba3fb3354a3786c2fbaba5e3a407678caf077bc6a99d5795fc73f0
d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116
21293dba237b25dfdbafe677d095c40a4590c0b16fa5f22728b768394aa1ee0c

SH256 hash:

7c07fbd06c9c5f6cd9f124641c2ec7af04e69e7b94ec9a4fc4c1c9ff3e058ddf

MD5 hash:

d885db1ad58bf621bfce465a9aabc5a8

SHA1 hash:

5fd69ae1cd43ec7a0db053417a8cf4ee9e708ce8

Link:

https://www.unpac.me/results/3a70ebf3-a839-4ba6-ba4a-044ef43be9af/

SH256 hash:

d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116

MD5 hash:

35ef7e017d305356311017e4d06068db

SHA1 hash:

aadcd581a67a156815e8949368ef6e781c4c4541

Link:

https://www.unpac.me/results/3a70ebf3-a839-4ba6-ba4a-044ef43be9af/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.67

Link:

https://yomi.yoroi.company/submissions/d71f2defd3e3aa48697681a732a8c5ce8df75479b65953ba3063e028fc3d9116

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample