MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7
SHA3-384 hash: 1a00d731aecbd838c772480a6d81fea81df22b14d465664f8f550206e611d21f8a86fc24054d920cae1039abf408bb70
SHA1 hash: b10fe2ecb4031b32266ea16a94a1ba222222930e
MD5 hash: 33d7ef98d681afdfb0cf7a6fb10bc414
humanhash: river-spaghetti-summer-sink
File name:33d7ef98d681afdfb0cf7a6fb10bc414
Download: download sample
Signature Formbook
Create hunting rule
File size:739'328 bytes
First seen:2022-11-07 19:47:03 UTC
Last seen:2022-11-07 23:19:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Ru5YDtn6Sou9k2x30mRe3Cqk6CHhZ8Wyes1Zo5D82FTtbyh:R4YDt6SP9pxdRe3QRhZ8ws7CvTtbyh
TLSH T106F4CFF4084032F4EBAEDF33D56D2F699A631E6153C3BA0F2090B5751A336E38665C5A
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RFQ.doc
Verdict:
Malicious activity
Analysis date:
2022-11-07 16:58:09 UTC
Tags:
exploit cve-2017-11882 loader formbook trojan stealer
Link:
https://app.any.run/tasks/a262c599-b4ac-44ab-adc4-12a86cc1b678

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/330192/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.3774.1184.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636960f36e7eadfa70c4f0ad/reports/5f9d1e78-c2e6-413b-ab86-9c8f3ac6e5d7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ddf79be6-dcc9-46c9-83e8-8e62966bebda
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107631
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 740294 Sample: tvAR9M7n8n.exe Startdate: 07/11/2022 Architecture: WINDOWS Score: 100 29 www.fuzzywumpus.net 2->29 31 td-ccm-168-233.wixdns.net 2->31 33 gcdn0.wixdns.net 2->33 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 7 other signatures 2->41 11 tvAR9M7n8n.exe 3 2->11         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\tvAR9M7n8n.exe.log, ASCII 11->27 dropped 49 Tries to detect virtualization through RDTSC time measurements 11->49 51 Injects a PE file into a foreign processes 11->51 15 tvAR9M7n8n.exe 11->15         started        signatures6 process7 signatures8 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Sample uses process hollowing technique 15->57 59 Queues an APC in another process (thread injection) 15->59 18 explorer.exe 15->18 injected process9 process10 20 WWAHost.exe 18->20         started        signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 20:16:31 UTC
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ylgbyrj7b5wcvrhgxj5n5cdeyzjwxm6mwizrubn4wjeakmew7dq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ua69 rat spyware stealer trojan
Link:
https://tria.ge/reports/221107-yhkmzshbal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a0541066-5f4b-4a07-af7e-e88fde89aace
Unpacked files
SH256 hash:
7896b9ef17ddfdeab5e31831b99e568c03cbd31a05db8fe6dc59b9e9e6669d58
MD5 hash:
12a9d91ba40e97b6f09118f7095e297d
SHA1 hash:
2862fec520df1b047f47f7966fc5d08cac3cdff9
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/46002e36-3915-46b5-a3ba-38b6165d24a6/
Parent samples :
e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7
3c9009eeffcaac6b1e45e26ed3d7c399b42d9a9507cc56ddec477c399a3d9b2f
23c96a140db8d8bf5c14a2bf811ab8e22f93bf283179ebefeee31907b5067618
af2338dccdb59d40b3e6fbde008f3fad793ae9910fc3f2210bf6e9a311bd8044
903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64
SH256 hash:
1a5dea708076e7cd5198c47aca6cb5c5a0e4f4977bc7321c70966a98c3019122
MD5 hash:
3ea18f6fb383c58360729e0610d28fb9
SHA1 hash:
9841399404cea24eb376c6c3c5dc7886ce495149
Link:
https://www.unpac.me/results/46002e36-3915-46b5-a3ba-38b6165d24a6/
SH256 hash:
007b4688aaad855e0c0ce6e3dc7b9b7068b6cc18dc16931ee2e51f5d48edeb40
MD5 hash:
082af3ff1d3766ec4665ed7a44c55232
SHA1 hash:
5ba5c44dba269c8e91ea6d7874c0614cd900a7d5
Link:
https://www.unpac.me/results/46002e36-3915-46b5-a3ba-38b6165d24a6/
SH256 hash:
cfc16a2dbb933b1b85807d48966e9301b9fc34f4c44e7357713ca88b54bf4ab4
MD5 hash:
aabd0bdc81026ade6c57383f21d5c227
SHA1 hash:
4b26936bb8c03be6d7963184215a5ab594ecb765
Link:
https://www.unpac.me/results/46002e36-3915-46b5-a3ba-38b6165d24a6/
SH256 hash:
92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90
MD5 hash:
046e97119545e5abde2f40b5dc3a0344
SHA1 hash:
3e69b67ddff2554c8cd72e129d4da9c8acd9d331
Link:
https://www.unpac.me/results/46002e36-3915-46b5-a3ba-38b6165d24a6/
SH256 hash:
e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7
MD5 hash:
33d7ef98d681afdfb0cf7a6fb10bc414
SHA1 hash:
b10fe2ecb4031b32266ea16a94a1ba222222930e
Link:
https://www.unpac.me/results/46002e36-3915-46b5-a3ba-38b6165d24a6/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e61660e229f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe e61660e229f87b61562735d3d6f44326329b5d9e659198d02de592402984b7c7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2403539/
Cape
Cape
https://www.capesandbox.com/analysis/330192/

Comments


Avatar
zbet commented on 2022-11-07 19:47:06 UTC

url : hxxp://208.67.105.179/uzomazx.exe