MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db59f359b1391841761f1eb6924a49ac7d39fce5033f9048b8be2c6b74734f3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db59f359b1391841761f1eb6924a49ac7d39fce5033f9048b8be2c6b74734f3c
SHA3-384 hash: 6c5365fe0336092d550f73c9fb4eb40c9c170904b4daecea6b2745c93a071170e14ab31696f616aca78dae91e934078e
SHA1 hash: ec9c01a19ca2e2e43e6904f9eb572454b9ab44a7
MD5 hash: 788cc78af459f9335e00d9e364c68837
humanhash: wolfram-yankee-river-double
File name:doc783748934334 PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:693'760 bytes
First seen:2021-07-30 02:52:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:le/1717iS/d3482hZ5FcKxDeIoOgtghDOoaLQk+zKQWJSG7g1rik:lI7MS/d3WtxDuOV8oa0FmQWJSGclP
Threatray 7'081 similar samples on MalwareBazaar
TLSH T147E4AE748488DFAADC5C03B4CF8802F42EF15CA6E1B0E5633E857EB1B5B0A15D979786
dhash icon 4549494d4d2b714d (7 x Formbook, 6 x AgentTesla, 3 x NanoCore)
Reporter ankit_anubhav
Tags:exe FormBook


Avatar
ankit_anubhav
original attachment was .iso

Intelligence

File Origin
# of uploads :
1
# of downloads :
554
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
doc783748934334 PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-07-30 02:55:25 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/40cb7577-90c8-451c-940f-b495bc7d85d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175169/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4060de43-9939-40ab-b517-79e912fd5135
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824227
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456639 Sample: doc783748934334 PDF.exe Startdate: 30/07/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 6 other signatures 2->42 10 doc783748934334 PDF.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\doc783748934334 PDF.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 doc783748934334 PDF.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 tianjinsf.com.lo1169.faipod.com 23.91.96.55, 49738, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK United States 17->30 32 www.ocfoundation.info 207.244.67.139, 49737, 80 LEASEWEB-USA-WDCUS United States 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 chkdsk.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db59f359b1391841761f1eb6924a49ac7d39fce5033f9048b8be2c6b74734f3c/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 00:45:48 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3nm7gwnrhemec5q7d23jessjvr6tt7hfam7zasfyxywgw5dtj46a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
37e98fef85aeb5097a5091d11fc844487642873e9e06a8d0734785dbe1ad1315
Formbook
38c8743572d600fee9623ff305b4e6a78c033576f4ca63e6e5f8ab1c9f6047ce
Formbook
432b598b280c8d89802ab7b26e239e9a779048e48704087f3a347962554ec144
Formbook
5372118bedc7e54daeed321ca6e2271d9a53dfe37ffab9b9f8ea91e8a3520ef5
Formbook
964879f3193645b71e10534ec04ea701bccf583f3f17c7d8ca3daeac0454d97e
Formbook
98b0ffba12ebffdb7f0ebeaa1a9c402098c1b3fc6d7b9a68ece1ec73855abbd6
Formbook
b93e489f88aa4b4e93dafa16bd6f86956568d7b96574aaf768fd755f9c839db3
Formbook
e197309f79a43cdeccdc0b69344a36abc6c23fb8eef66063e4eb5cc443ee9d4d
Formbook
f130539b2d2324246449abb99f5a0effb214feee629b092d48ac63aca14e2ba6
Formbook
+ 7'071 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210730-ssytb5xkxs/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
CustAttr .NET packer
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.bookkeeping32.com/p6ai/
Unpacked files
SH256 hash:
32be150a050a1b8598455b6db794c2f56bdfb998c759501df5ded3a67fe88d03
MD5 hash:
93978002bb2f119aef04178c435b0137
SHA1 hash:
e47da20db7083286e29c16d9e35dcb620e23b29b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/18235864-abc7-4fd7-9248-f08ff167a30a/
Parent samples :
b93e489f88aa4b4e93dafa16bd6f86956568d7b96574aaf768fd755f9c839db3
db59f359b1391841761f1eb6924a49ac7d39fce5033f9048b8be2c6b74734f3c
7149b1dc6fb8e0516e7f43b05cc0f452f078db558dd3be0ab066ab13f19c7e86
a3b2dbaf4684b38ff966a244069a73505cb8137efe19b95afd63f7a6029060cb
32be150a050a1b8598455b6db794c2f56bdfb998c759501df5ded3a67fe88d03
4cc65796b96504f7436452abb5337d83927568039b02e670b8997e92770d8c98
SH256 hash:
82c73d3cee153adfdf0f8b721f80037ac668239383936c86c6ad9daccb815c4d
MD5 hash:
04591c1e0d09b4407a153e866e6aad44
SHA1 hash:
e733b21318cdd64a6d335f4ed56637d5695de329
Link:
https://www.unpac.me/results/18235864-abc7-4fd7-9248-f08ff167a30a/
SH256 hash:
31677510d521b7993375f4e6e6cb09b0699bc08874fda731d48f6ca594e4ba8b
MD5 hash:
ea0f6e4885f8411bdb93a6ce2ff7dc4e
SHA1 hash:
922582eed5831f0d4d86f16386c4d29e0fe708e4
Link:
https://www.unpac.me/results/18235864-abc7-4fd7-9248-f08ff167a30a/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/18235864-abc7-4fd7-9248-f08ff167a30a/
SH256 hash:
db59f359b1391841761f1eb6924a49ac7d39fce5033f9048b8be2c6b74734f3c
MD5 hash:
788cc78af459f9335e00d9e364c68837
SHA1 hash:
ec9c01a19ca2e2e43e6904f9eb572454b9ab44a7
Link:
https://www.unpac.me/results/18235864-abc7-4fd7-9248-f08ff167a30a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/db59f359b1391841761f1eb6924a49ac7d39fce5033f9048b8be2c6b74734f3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe db59f359b1391841761f1eb6924a49ac7d39fce5033f9048b8be2c6b74734f3c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175169/

Comments