MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebf3a8928d8bbaabfec8b7e93eb0f48469a665bc0b15d9261218012378ffb9c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebf3a8928d8bbaabfec8b7e93eb0f48469a665bc0b15d9261218012378ffb9c1
SHA3-384 hash: 5efebb10499b1c9fe4e46cad9414fd748674adbbc00f6c4280487338561b2fd7d8091bbfb669d39cfd9fc2eeebc618a0
SHA1 hash: ce3cd04e1aa9a1e3fbb60abd04fd553f64774c20
MD5 hash: dc597d3f1ab180f714f69b1bef877d61
humanhash: double-music-winter-sweet
File name:09288376455462_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:935'424 bytes
First seen:2021-06-23 13:03:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:HRUuKgHxolKOhpmlN/9EXR+rsfBJWqOKlLplK/72t:CXgHx+KOMFEXOgWA/t
Threatray 5'943 similar samples on MalwareBazaar
TLSH EF158D3126A83F1EF57BE734A9A921D5D7F9F913E302E85D7DE202C90462E44CB60927
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
09288376455462_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-23 13:08:28 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/590c358a-0ea9-4c22-a465-311c37b7eb54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoader39.59262.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0667255a-4c93-4f95-8d74-42e11fabbd59
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806583
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438994 Sample: 09288376455462_pdf.exe Startdate: 23/06/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 9 other signatures 2->48 8 09288376455462_pdf.exe 7 2->8         started        12 explorer.exe 2->12         started        process3 dnsIp4 28 C:\Users\user\AppData\Roaming\QVtlqQcC.exe, PE32 8->28 dropped 30 C:\Users\...\QVtlqQcC.exe:Zone.Identifier, ASCII 8->30 dropped 32 C:\Users\user\AppData\Local\...\tmp3DDE.tmp, XML 8->32 dropped 34 C:\Users\user\...\09288376455462_pdf.exe.log, ASCII 8->34 dropped 50 Uses schtasks.exe or at.exe to add and modify task schedules 8->50 52 Tries to detect virtualization through RDTSC time measurements 8->52 54 Injects a PE file into a foreign processes 8->54 15 09288376455462_pdf.exe 8->15         started        18 schtasks.exe 1 8->18         started        36 www.the-aerial.com 199.34.228.177, 49731, 80 WEEBLYUS United States 12->36 38 www.pittsburghshometowncasino.com 64.190.62.111, 49729, 80 NBS11696US United States 12->38 40 2 other IPs or domains 12->40 56 System process connects to network (likely due to code injection or exploit) 12->56 20 msdt.exe 12->20         started        file5 signatures6 process7 signatures8 58 Modifies the context of a thread in another process (thread injection) 15->58 60 Maps a DLL or memory area into another process 15->60 62 Sample uses process hollowing technique 15->62 64 Queues an APC in another process (thread injection) 15->64 22 conhost.exe 18->22         started        66 Tries to detect virtualization through RDTSC time measurements 20->66 24 cmd.exe 1 20->24         started        process9 process10 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ebf3a8928d8bbaabfec8b7e93eb0f48469a665bc0b15d9261218012378ffb9c1/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 22:49:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pz2reunro5kx7wiw7ut5mhuqru2mzn4bmk5sjqsdaasg6h7xhaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
38c8743572d600fee9623ff305b4e6a78c033576f4ca63e6e5f8ab1c9f6047ce
Formbook
3a35df53c702f348d3693309c29fe3044d50ecf4be8648b787e74f79f5d2ceea
Formbook
7c6393b4e86ea5cec49c0f814b17e4bb85aa447c19896037252a94ff6416ce1b
Formbook
966de298a417004b81550a9b3ac5cebe87baa97fcb91c985f005258025fc1497
Formbook
b9b6a49f239e763796dbd664bf343284d5edd47c581c31e0240cf046dea0b585
Formbook
bdc84c917558fe1a4055309a8d6ad6d89d2cdf5a6741c218ace44f70489f9260
Formbook
c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
Formbook
e6e7575f09a3e973c9b315f3206448f9ddd04b3b8ca39d126e02bad763a17948
Formbook
e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267
Formbook
f8ca257b6bbb8a0b617611a8ddb0068f056f3dc38eb525495978632b03964380
Formbook
+ 5'933 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210623-mxy2lnsqke/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.pushorder.com/nmda/
Unpacked files
SH256 hash:
0af47cf8a8041e5a50adf2fbbc4403d02d90d5ce7ce728fa81f3df441c03d793
MD5 hash:
cfb00f8b42ef3c1271a361aca79173e3
SHA1 hash:
8816ef183da13c62121c257f1f24ea4e3aa405e9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/36c21d82-1104-4217-91f8-337a7388dabb/
Parent samples :
e6e7575f09a3e973c9b315f3206448f9ddd04b3b8ca39d126e02bad763a17948
360aa7350fa68fbe5ee11dea4c0291a23fa65fce3fb8ce37a0649e5e86d26cb4
3a35df53c702f348d3693309c29fe3044d50ecf4be8648b787e74f79f5d2ceea
38c8743572d600fee9623ff305b4e6a78c033576f4ca63e6e5f8ab1c9f6047ce
966de298a417004b81550a9b3ac5cebe87baa97fcb91c985f005258025fc1497
ebf3a8928d8bbaabfec8b7e93eb0f48469a665bc0b15d9261218012378ffb9c1
38539e1921abdc55da699d06a32fb043610cfe8c13eb1004dc8aa508427c6809
f6bb8018c90c49a3b09ad5b94cbfe5009b59abdee04d05be8f4ae8825f71cf19
SH256 hash:
f0b27f8e28b6e9b481407021f82cb2c319e8450cbaa395ef4538a1963d704885
MD5 hash:
a32f3a4fa9854620629d1aed4d638d57
SHA1 hash:
cd48c0de2ef4d1e8b02e4780b5293d2c1fd53136
Link:
https://www.unpac.me/results/36c21d82-1104-4217-91f8-337a7388dabb/
SH256 hash:
06306e33b7e10429759ab8c42e31e9eb8edbd76c4f1a792a5c231a57876ea338
MD5 hash:
5bdd03077864d32db51b085294859f68
SHA1 hash:
70392a93a4c8be2377915fd6e6d3e7a3a9600adf
Link:
https://www.unpac.me/results/36c21d82-1104-4217-91f8-337a7388dabb/
SH256 hash:
ebf3a8928d8bbaabfec8b7e93eb0f48469a665bc0b15d9261218012378ffb9c1
MD5 hash:
dc597d3f1ab180f714f69b1bef877d61
SHA1 hash:
ce3cd04e1aa9a1e3fbb60abd04fd553f64774c20
Link:
https://www.unpac.me/results/36c21d82-1104-4217-91f8-337a7388dabb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebf3a8928d8bbaabfec8b7e93eb0f48469a665bc0b15d9261218012378ffb9c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments