MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed970d6a25da6e2fbc4a33246c18b82fb154b141c7f3b43aeac3d1a34ef30254. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed970d6a25da6e2fbc4a33246c18b82fb154b141c7f3b43aeac3d1a34ef30254
SHA3-384 hash: 0a550e2d392bc27febf62dfc998cf1489b490a1d77a3347321928745774518b8ad475fbd5b16537bb8b5796231e42ed3
SHA1 hash: b27b46d71e83b442e1739698ba8ad64ffefbaaed
MD5 hash: b7c85103248a7ba2f5ff423186ed5402
humanhash: oklahoma-alanine-pip-pizza
File name:AWB DHL 7214306201 Shipment Notification.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:723'456 bytes
First seen:2022-06-07 06:34:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:BosgbmREf4TVh2R0tkW1Aer0R0+eoafC0tkkn0sM2xDdpbS:BojsEQT/cs1AzTbokk0cHb
Threatray 13'698 similar samples on MalwareBazaar
TLSH T13FF4E13037EA5254D97B1BB00D7591C513BA3A7BBF04CA5D2859164DAC73B038B22BBB
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 10c0e0bc90909000 (12 x AgentTesla, 12 x Formbook, 7 x SnakeKeylogger)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Artifacts-2022-06-06_11-55-52Z.zip
Verdict:
Malicious activity
Analysis date:
2022-06-06 11:56:12 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/776040f5-4729-42c5-85e5-9ed8b526c611

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/277228/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.36914.32143.17055.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/629ef1d58e867832d9e1c552/reports/9f0dd272-784a-41cc-b8f3-875ff7af9349/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95102b73-951c-4f24-a5f2-43f80f64ceb2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1007856
Signature
Adds a directory exclusion to Windows Defender
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 640354 Sample: AWB DHL 7214306201 Shipment... Startdate: 07/06/2022 Architecture: WINDOWS Score: 100 53 www.gitops.zone 2->53 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 8 other signatures 2->63 11 AWB DHL 7214306201 Shipment Notification.exe 7 2->11         started        signatures3 process4 file5 41 C:\Users\user\AppData\RoamingffgmbOS.exe, PE32 11->41 dropped 43 C:\Users\...ffgmbOS.exe:Zone.Identifier, ASCII 11->43 dropped 45 C:\Users\user\AppData\Local\...\tmp6198.tmp, XML 11->45 dropped 47 AWB DHL 7214306201...otification.exe.log, ASCII 11->47 dropped 65 Adds a directory exclusion to Windows Defender 11->65 67 Injects a PE file into a foreign processes 11->67 15 AWB DHL 7214306201 Shipment Notification.exe 11->15         started        18 powershell.exe 25 11->18         started        20 schtasks.exe 1 11->20         started        22 3 other processes 11->22 signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Maps a DLL or memory area into another process 15->71 73 Sample uses process hollowing technique 15->73 75 Queues an APC in another process (thread injection) 15->75 24 explorer.exe 15->24 injected 26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        process9 process10 30 mstsc.exe 18 24->30         started        file11 49 C:\Users\user\AppData\...\71Alogrv.ini, data 30->49 dropped 51 C:\Users\user\AppData\...\71Alogri.ini, data 30->51 dropped 77 Detected FormBook malware 30->77 79 Tries to steal Mail credentials (via file / registry access) 30->79 81 Tries to harvest and steal browser information (history, passwords, etc) 30->81 83 3 other signatures 30->83 34 cmd.exe 2 30->34         started        37 explorer.exe 68 30->37         started        signatures12 process13 signatures14 55 Tries to harvest and steal browser information (history, passwords, etc) 34->55 39 conhost.exe 34->39         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed970d6a25da6e2fbc4a33246c18b82fb154b141c7f3b43aeac3d1a34ef30254/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-06 01:09:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wlq22rf3jxc7pckgmsgygfyf6yvjmkby7z3ioxkypi2gtxtajka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
154fb108d0bed6e3e736e5e00b6a52ac322216ae2053d71ead05f6f71d909f65
FormBook
284109ea975076b9b654c42fb3118beb045a44934d4bc62024c32c365e98892d
FormBook
2fd464c7538a3bbd4c5f2fa6996c38c60d1aad931a042cb23c8b9c11c79bb7e7
FormBook
4519a9d46f0391eae9853aa7bfba414b8b04a22f6dfbc6b506c9385329c187c8
FormBook
57f01cdded3c545f55b5dc74630fc7cb9679abe58949e706bef98014f6578ab4
FormBook
909976c8564e828c070757f35a497d1f259b3ff40149cebda95af134caa97130
FormBook
b844435235a5eb37ef8ddfbde5694104bb1d2faef4220739997f5bea28361c15
FormBook
cd39064e2db9b7568fff7a58cc14153d1f45fa6060f301cbcf56c13106922a69
FormBook
d080a745b7938d247a21fe80650dd1e392eb37326882536a111a16acb6b49082
FormBook
+ 13'688 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d0t7 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220607-hccr7afgfp/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
59a6329e302111f221c65e44fb705171acc0172fc4f32e2e148c58a2f24f7c7e
MD5 hash:
eca8a38ee5a10a5c3e199fcc34a15928
SHA1 hash:
41b32b49733b5ddb61d8c6f583cdac86051e91f4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4860a445-72c6-46f3-b1e5-616914839fb7/
Parent samples :
445a83fb1fc4c6d8c639d8bc6f2226bc997e8d2c2a1a098c12528c5f6e713f06
ed970d6a25da6e2fbc4a33246c18b82fb154b141c7f3b43aeac3d1a34ef30254
716709fc8d6f007e21e383ae915617220cc67820d36871a32dcf08dc6446ba7e
c40aa321d68974fa713dc4818c3fece5046dd2bffeddfe6227435a4e6eab954c
SH256 hash:
10cbdcf4d3894f106851c128a1ae62bd5e0f44b7c72fea0eef049dcc60e6dcbc
MD5 hash:
32b182379c50ed36bd824fb14c8db652
SHA1 hash:
d15f4b89b93a54ef956681f3495daa8db7e64e1e
Link:
https://www.unpac.me/results/4860a445-72c6-46f3-b1e5-616914839fb7/
SH256 hash:
c40a4ede4602aeb946fecf8c9d9a866d12093b8ea1454c743fe2f84ddd973bfd
MD5 hash:
7a4a3fe1cb5ff25c1f2c3aca2d7c3594
SHA1 hash:
72a89ba3298dd7557fcc7296fd145fa5da334343
Link:
https://www.unpac.me/results/4860a445-72c6-46f3-b1e5-616914839fb7/
SH256 hash:
8e88aaa9014d04b1ef25dbcda8ddd06017be33b89c185a0ef60e84ce07d4aa82
MD5 hash:
dbcd32a3fceab5491cf57ec1d665f4d2
SHA1 hash:
5805fb72ee86ee4420fd14790b29ee0651d35def
Link:
https://www.unpac.me/results/4860a445-72c6-46f3-b1e5-616914839fb7/
SH256 hash:
ed970d6a25da6e2fbc4a33246c18b82fb154b141c7f3b43aeac3d1a34ef30254
MD5 hash:
b7c85103248a7ba2f5ff423186ed5402
SHA1 hash:
b27b46d71e83b442e1739698ba8ad64ffefbaaed
Link:
https://www.unpac.me/results/4860a445-72c6-46f3-b1e5-616914839fb7/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ed970d6a25da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed970d6a25da6e2fbc4a33246c18b82fb154b141c7f3b43aeac3d1a34ef30254

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe ed970d6a25da6e2fbc4a33246c18b82fb154b141c7f3b43aeac3d1a34ef30254

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/277228/

Comments