MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180
SHA3-384 hash: 84f35639504b2fefc5e1ad0cf3b24a71aa0414731e446d81e31609ddde19d3459e2c884d37ddcc9d109980db14b82f99
SHA1 hash: 3a7441cb83f5ca0732e8826f164c087b077a69a5
MD5 hash: 5ccd1492d563b11ffdfd66d51aa370b5
humanhash: pasta-leopard-two-river
File name:PO_A9164.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:438'272 bytes
First seen:2021-10-04 06:40:36 UTC
Last seen:2021-10-04 06:43:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:cbhdbMroO/lGquzY2ZmmjrmQGnHpnP6aupTzqfU0IgDKTTVz6TRvdqs0QC+VkTfW:IbMrQHzY2ZDgR6aKiIgDQVyYAkTfg
Threatray 9'850 similar samples on MalwareBazaar
TLSH T1239412AA73AF832DDCB987F5541029F2437A61452129D67C2E9D70EC3E233781AB0797
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_A9164.EXE
Verdict:
Malicious activity
Analysis date:
2021-10-04 06:41:36 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/3e2d2266-20ed-45ba-836d-1b22e291d699

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/194441/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1068-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c2fc8e3d213d202b7744c/reports/d01c9062-015b-4c68-9b33-79a01da6b6a1/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7374466-3e5d-4f86-83fc-c0e02e791a8e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863675
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 496103 Sample: PO_A9164.EXE Startdate: 04/10/2021 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 10 PO_A9164.EXE 3 2->10         started        process3 file4 30 C:\Users\user\AppData\...\PO_A9164.EXE.log, ASCII 10->30 dropped 56 Tries to detect virtualization through RDTSC time measurements 10->56 58 Injects a PE file into a foreign processes 10->58 14 PO_A9164.EXE 10->14         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 32 www.realbadnastystories.site 209.17.116.163, 49818, 80 DEFENSE-NETUS United States 17->32 34 www.sodangwang.com 106.13.164.102, 49790, 80 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd China 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Uses ipconfig to lookup or modify the Windows network settings 17->46 21 ipconfig.exe 17->21         started        24 autochk.exe 17->24         started        signatures10 process11 signatures12 48 Self deletion via cmd delete 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 26 cmd.exe 1 21->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 08:31:16 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4535lchsjyq73tb23vw6loj5l62jrnmuuwpqhubllj4ibpc5kgaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b
Formbook
410659d6e76a955d58e88df12ffea3550a57758513630f051c6e66caa343fdad
Formbook
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
Formbook
5f3ccb49e66ef3bf10ec0a226360f55238063c739154cb131407ff02d0706e67
Formbook
67cb5ce28fc7e9a5dae6c7be6da453844762fdea43d985cfc761c1ded66487f0
Formbook
6fd5dbec01eb7f767fc3b4046d9aa50f80e50f5ab9439480efb87620faef473c
Formbook
727d99fbf5a7d58b50ea62f289cf59b251ffe3e6f5d9487f7716127654e6e32a
Formbook
7e2a14525c0058bca08d945d2358fc629e3080cc111d271253e061a4be0bde17
Formbook
972f5e016ffc306524d7083a5a5058ba8b5fc60f3db9f3c0915db59c0523a487
Formbook
f5400b800544782acf9e16a80368cef1b36eed0e63fd0200523f3d38c54162e9
Formbook
+ 9'840 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ergs rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211004-hfsyksgaeq/
Behaviour
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.iselotech.com/ergs/
Unpacked files
SH256 hash:
7498a2d98149c659c04fdb76daa20f50e27ce16a3c7c37c4257dc45bb8c7e093
MD5 hash:
dbf215deb6912bd9500cd835a2e753b0
SHA1 hash:
4aa8d931f88eaecf1737f33750d9a6ba4611d5c6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/512d3fcf-d76a-47f5-b4c2-8eba3a0c5f54/
Parent samples :
410659d6e76a955d58e88df12ffea3550a57758513630f051c6e66caa343fdad
6fd5dbec01eb7f767fc3b4046d9aa50f80e50f5ab9439480efb87620faef473c
7e2a14525c0058bca08d945d2358fc629e3080cc111d271253e061a4be0bde17
f5400b800544782acf9e16a80368cef1b36eed0e63fd0200523f3d38c54162e9
727d99fbf5a7d58b50ea62f289cf59b251ffe3e6f5d9487f7716127654e6e32a
e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180
009e6b48b7d9b2a802d6e831138b1e55c4390861c123287e134bbc21f8a6e225
SH256 hash:
7626706969e50e532ec6ef689ec5c63e64fbd7a49150902ad0545c2d64e90cdd
MD5 hash:
d0ceaa16b0e0688dc4f9bc77a271c5d0
SHA1 hash:
e55741457f77e7ecd2aca497c4df6aaaac300179
Link:
https://www.unpac.me/results/512d3fcf-d76a-47f5-b4c2-8eba3a0c5f54/
SH256 hash:
8284626bb324db0a4b2516f9b5dc1da92a26e6315f7a2fe771079a99021125fe
MD5 hash:
eaddb22aa4c81beb01cd9f45fb47809c
SHA1 hash:
dca3c2c7c76f332ad5cf31ab7be227de4e0aa6c8
Link:
https://www.unpac.me/results/512d3fcf-d76a-47f5-b4c2-8eba3a0c5f54/
SH256 hash:
4dc113d121008ca5ba6967ebdfb2ded5cc87d10af7457a3a4d5b7efd55e64b09
MD5 hash:
9d32e1b7b489eb9eb3df797954c81330
SHA1 hash:
bf2a2b7edf32547a3c0dd73c8a9d85786cd022c0
Link:
https://www.unpac.me/results/512d3fcf-d76a-47f5-b4c2-8eba3a0c5f54/
SH256 hash:
e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180
MD5 hash:
5ccd1492d563b11ffdfd66d51aa370b5
SHA1 hash:
3a7441cb83f5ca0732e8826f164c087b077a69a5
Link:
https://www.unpac.me/results/512d3fcf-d76a-47f5-b4c2-8eba3a0c5f54/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e777d588f24e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img b26d7f1c78311fe2e149042bbfeb9b14781de9e7dfd3bcb1e78ec540fe316ad6

Formbook

Executable exe e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b26d7f1c78311fe2e149042bbfeb9b14781de9e7dfd3bcb1e78ec540fe316ad6
Cape
Cape
https://www.capesandbox.com/analysis/194441/

Comments