MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3
SHA3-384 hash: d79d43d3e64d2017e10ff737e2081cda1722d7dc42bd813f978b3b4b09957ed505d3447c0700f2961d28af84a7c99962
SHA1 hash: 3f526db4ba2b1509cffe3b3822fc00ea360e876a
MD5 hash: eb53cedc471f31af349da5ed50134b4e
humanhash: wyoming-oklahoma-seventeen-utah
File name:eb53cedc471f31af349da5ed50134b4e.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:497'664 bytes
First seen:2020-10-19 06:52:17 UTC
Last seen:2020-10-19 08:24:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:jd9EJ9wt2L2C1Iz0i1h4L9mYgbPWb43Kp:R4YC1Iz0ikYDOmK
Threatray 2'775 similar samples on MalwareBazaar
TLSH F0B4BFB13C96596ECA6F077541A581C1FAB616C73FA08B0E729B430C0F15A2BF72725B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72759/
Detection(s):
SecuriteInfo.com.ArtemisEB53CEDC471F.8786.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/494941
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299935 Sample: mXlaC7cd1Z.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 96 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected FormBook 2->39 41 2 other signatures 2->41 7 mXlaC7cd1Z.exe 9 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 27 C:\Users\user\hdhnij.exe, PE32 7->27 dropped 29 C:\Users\user\hdhnij.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\mXlaC7cd1Z.exe.log, ASCII 7->31 dropped 33 2 other files (none is malicious) 7->33 dropped 51 Drops PE files to the user root directory 7->51 53 Tries to detect virtualization through RDTSC time measurements 7->53 15 cmd.exe 1 7->15         started        17 hdhnij.exe 2 7->17         started        19 hdhnij.exe 3 11->19         started        signatures5 process6 signatures7 22 reg.exe 1 1 15->22         started        25 conhost.exe 15->25         started        43 Multi AV Scanner detection for dropped file 19->43 45 Machine Learning detection for dropped file 19->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 process8 signatures9 49 Creates an autostart registry key pointing to binary in C:\Windows 22->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 04:20:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4mgv6jamqyaokmmdfzq7nk6532ltxjzewvpizc5ukwqvcyd3icrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d5af6ad459d48db0b27ab6ab4584191097bfc33c4f2475ce1b3a66e523e2bef
Formbook
10a9aab39489aa507d35bb18b357ca6c9f8642d8fa27fc1ad9c7de03c8e9415d
Formbook
87d8ef6a4c6bf661d7957a62b9e8e9ea6627f80227f9ea88502bf601b94a960e
Formbook
9107a8988792e1ec695a1d662a6b0f7668a6fbfb6352897c1f5bfe85addf2994
Formbook
abd47175466abe2058151e12919ca9501497dbb286909bf7896d20d59fe73ef6
Formbook
bcaf7b4adc919fd5aaae24902b8135e2ad6d13249e9cb784b1532b52e40449b5
Formbook
c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a
Formbook
c6232f818d7c848dee9a6a653df75e0174e38362ff2e5f6040c5e7418af5f219
Formbook
d99b374a5972bbdeb57de9c8a41cc6b8c3f8928916151a40257967baa855917b
Formbook
e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968
Formbook
+ 2'765 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201019-aryyr4w7fn/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.remotelearningexamples.com/bpi/
Unpacked files
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/431b1dab-e066-49c7-b61b-45cb25b8db88/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
da313c9b0861a5ae18638e97f6a3ed94c5fce1788d774bf4775c20feb9508b0d
MD5 hash:
2160a9bd4ffedd2c9562c44b341c3c63
SHA1 hash:
09795ccaeb3219806f0edd765e8105cadcce11ed
Link:
https://www.unpac.me/results/431b1dab-e066-49c7-b61b-45cb25b8db88/
SH256 hash:
0638303852bc306e557bf821d9d2fb181d9eda0a1b7152e1ff72e54fba9d4053
MD5 hash:
686c661f437d5521b3083fff2ca8ca39
SHA1 hash:
44633da142da035df4e792487b03042af38a5bf4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/431b1dab-e066-49c7-b61b-45cb25b8db88/
Parent samples :
6a25765e7d969b6c324cc461b08d947d49204191d97f620b4a74ba0f6dc744ca
e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3
SH256 hash:
e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3
MD5 hash:
eb53cedc471f31af349da5ed50134b4e
SHA1 hash:
3f526db4ba2b1509cffe3b3822fc00ea360e876a
Link:
https://www.unpac.me/results/431b1dab-e066-49c7-b61b-45cb25b8db88/
SH256 hash:
e2e14537c2e599fcb314910f2c4dbc85dfd8add2e5d77dc7367bbe2c907b8d9a
MD5 hash:
7c81096ab41ff26ef0bc5eac8bd2c154
SHA1 hash:
4d3a5f2b2b7538b2d9dd02cd2edc4c11140a6d95
Link:
https://www.unpac.me/results/431b1dab-e066-49c7-b61b-45cb25b8db88/
SH256 hash:
a3d94b1900d2f3786ef0087c0c16238d31f01ce667eb8b4fa867d045857d9a41
MD5 hash:
5e2de20237f4bc69d586abd6b181ee8a
SHA1 hash:
579125fd6e18989462c5b0b6cc2ad1dd634e7540
Link:
https://www.unpac.me/results/431b1dab-e066-49c7-b61b-45cb25b8db88/
SH256 hash:
4edb2fb0f5c1adbbc8e380f9e99eaefeeedabc52412724ef922d49dc53b8bb77
MD5 hash:
dc6bb576513449432e6e2cfc35c4dbb8
SHA1 hash:
de9cffd987ace4ea2af35a49713513f4d1241446
Link:
https://www.unpac.me/results/431b1dab-e066-49c7-b61b-45cb25b8db88/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/716130/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/72759/

Comments