MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d933001638f194baed0596efe53af5dc534ad6f5177aa8aacf2c25188fbdd2f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	d933001638f194baed0596efe53af5dc534ad6f5177aa8aacf2c25188fbdd2f4
SHA3-384 hash:	3fd8aa70fde6fb8ff3b200f20d45aa8a531d00cabaf42dd51ef04c33c8b543f1158cd66901568d78cc93d4c00e2eddab
SHA1 hash:	3cb3c9a63cd5ecdd6d165566fa9b51a20ef331f4
MD5 hash:	fb7152e24744c5dcde84318931ca8946
humanhash:	bulldog-island-golf-skylark
File name:	SecuriteInfo.com.Trojan.Siggen14.17233.12511.8065
Download:	download sample
Signature	Formbook Create hunting rule
File size:	587'496 bytes
First seen:	2021-06-30 12:35:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:RR2xZjufhmyKcyx9wOtzh0pTptT3BlNDomsjL8DPD:D2xd2hmjj8OcTnJkpcPD
Threatray	6'072 similar samples on MalwareBazaar
TLSH	A8C4EF52719489B7E2131C7A4C6E92A211D66E605426E41E32AF730F1BF136253FFB2F
Reporter	SecuriteInfoCom
Tags:	exe FormBook philandro Software GmbH signed

Code Signing Certificate

Organisation:	philandro Software GmbH
Issuer:	DigiCert SHA2 Assured ID Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2018-10-24T00:00:00Z
Valid to:	2022-01-05T12:00:00Z
Serial number:	03e9eb4dff67d4f9a554a422d5ed86f3
Intelligence:	7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	7cf9ec56f8db42db83d8c7693e86093e983aa70957a7f7f2508b940758b4e842
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Siggen14.17233.12511.8065

Verdict:

Suspicious activity

Analysis date:

2021-06-30 12:44:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/08a183f5-0559-464a-83b6-7003dd04886a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Siggen14.17233.12511.8065.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1d71fe31-6674-428a-a118-3ce94eb34faa

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/809943

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d933001638f194baed0596efe53af5dc534ad6f5177aa8aacf2c25188fbdd2f4/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-06-29 19:26:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 46 (56.52%)

Threat level:

2/5

Verdict:

malicious

Label(s):

formbook

Formbook

25839ba93d33dda960d99110ae98f42e89056233264f11d18b65727a79e4bd62

Formbook

3ee6f995f613e6a7e1e55c7a40d710701abead643e0ec9712c7dedb1800be01a

Formbook

4fe5115259b2c032f03275273349549ab896959c818d771a4ad755ce64866379

Formbook

507dbfd6aa22a40c64e153af688a18c03616e3473eee95f5312f6e9b2b3beb5a

Formbook

74038c5bbdbded24e577d6c081d88febe59735546d902323a310e2e9d3f66677

Formbook

78b11874a66b80ec78962b27c352a643d1a11c7f5cf9273f0db06df3f4f7e76c

Formbook

a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe

Formbook

e2c0e25768a1b24398536bf921e5e86f9137ecc08e9eba2101fd5213b3ec0fcf

Formbook

e6a0f307c9bec6b31f0002726d75ae3d5ced8ffe3b6fce869fe12b8061f642d8

Formbook

+ 6'062 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210630-s6qwlhelc6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.lifeafterbobby.com/vn3b/

Unpacked files

SH256 hash:

6d54f3836e83aeefc9ee058aea50344fd85d3c10da7a012f0812582400e62917

MD5 hash:

16b33e3efc9e5a487cd2104e06d71c7b

SHA1 hash:

077b40df845596147f79750884845223549e4ef6

Link:

https://www.unpac.me/results/d08d11a4-9889-449e-8687-8e2992b45a85/

SH256 hash:

51db5224c89d2e358d0375c667a129b38f27d107a5f0f5f79969bb9e87f9f9dc

MD5 hash:

74a96868a23f0da046ad07dc5f4fdcea

SHA1 hash:

ec27f7977204304669cb346530df845ed5b91bba

Link:

https://www.unpac.me/results/d08d11a4-9889-449e-8687-8e2992b45a85/

SH256 hash:

3350c0b7d75f7b2856fde6fe546579027f5b20a6dd12fc04a8df047162abcee4

MD5 hash:

6f67a87376019d461ab0953769ce187b

SHA1 hash:

f2ab719f7f8e81f47f859b0e282803f10d3fd341

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/d08d11a4-9889-449e-8687-8e2992b45a85/

Parent samples :

e6a0f307c9bec6b31f0002726d75ae3d5ced8ffe3b6fce869fe12b8061f642d8
23022e88812cff7f0b615fd48b58f0d971f0559d0275380f87eaa3bf195e7e22
e2c0e25768a1b24398536bf921e5e86f9137ecc08e9eba2101fd5213b3ec0fcf
d933001638f194baed0596efe53af5dc534ad6f5177aa8aacf2c25188fbdd2f4
d38491c76eda29b3135557f28eb4e2fa15ee55d54c15452f9221e82a5b489c5e
14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd
c36fa12719f133f394b113938584b1d693d4741df4e40d34958dcee239ecd153

SH256 hash:

d933001638f194baed0596efe53af5dc534ad6f5177aa8aacf2c25188fbdd2f4

MD5 hash:

fb7152e24744c5dcde84318931ca8946

SHA1 hash:

3cb3c9a63cd5ecdd6d165566fa9b51a20ef331f4

Link:

https://www.unpac.me/results/d08d11a4-9889-449e-8687-8e2992b45a85/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/d933001638f194baed0596efe53af5dc534ad6f5177aa8aacf2c25188fbdd2f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_03e9eb4dff67d4f9a554a422d5ed86f3 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe d933001638f194baed0596efe53af5dc534ad6f5177aa8aacf2c25188fbdd2f4

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1412961/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample