MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee2156519aef9988f7b0e5a2932bf378d3605f66128fcadf7023e6ba24b4557f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee2156519aef9988f7b0e5a2932bf378d3605f66128fcadf7023e6ba24b4557f
SHA3-384 hash: 36253a23597e96cee85d115d8c38cab2dd7b5be1ae4ca3780111fe765083fdadfddd60baea50aa5ae396e2594271cc30
SHA1 hash: d6bbfa8e7f765d807096aedab7ea28ecbd1e11ca
MD5 hash: 3adae286b1688adb95794b29d21f6ca0
humanhash: paris-diet-alanine-quebec
File name:bvsd.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'086'976 bytes
First seen:2021-01-28 14:59:04 UTC
Last seen:2021-01-28 17:08:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:CfHaa/149JWBbMkwTFVk6ozZgfbouoFCHcpUOy:C/aa/G9JWBbMrnk6oz2TroFCHI
Threatray 3'660 similar samples on MalwareBazaar
TLSH A0359DADB240769EC417CE35C5251CE0EFB2EC36878FD207945F35AB7AEC946DA140A2
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bvsd.exe
Verdict:
Malicious activity
Analysis date:
2021-01-28 15:04:50 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7a315ab7-f977-41f7-bb39-55b48aa2fd72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114247/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.6214.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/592990
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 345538 Sample: bvsd.exe Startdate: 28/01/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 10 other signatures 2->52 10 bvsd.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\Roaming\SsSLdB.exe, PE32 10->32 dropped 34 C:\Users\user\...\SsSLdB.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp1780.tmp, XML 10->36 dropped 38 C:\Users\user\AppData\Local\...\bvsd.exe.log, ASCII 10->38 dropped 62 Detected unpacking (changes PE section rights) 10->62 64 Detected unpacking (overwrites its own PE header) 10->64 66 Tries to detect virtualization through RDTSC time measurements 10->66 68 Injects a PE file into a foreign processes 10->68 14 bvsd.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 Queues an APC in another process (thread injection) 14->76 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 www.wasalnygroup.com 185.176.40.135, 49767, 80 ZETTA-ASBG Bulgaria 19->40 42 www.tuhocnet.com 156.254.254.172, 49761, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 19->42 44 6 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 msdt.exe 19->25         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee2156519aef9988f7b0e5a2932bf378d3605f66128fcadf7023e6ba24b4557f/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-01-28 14:58:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25cd952df9c74033229ec91a5da330e392390ca6120db46d9ab21d3120c9011c
Formbook
410e324656b57d2eb5e1c0eabbdbda34d787f346ab817f1afbc388ea615c2585
Formbook
458bd08f0c32719adc9d2858721b609b136ff0e21c2f3ac3f4be4f97e4084b7a
Formbook
5adeb6184ee1dffad88ac180f1e7dcbd6f451fc8dcd5e868906fca11d98476ef
Formbook
62713d398ac2401fa51569449d65c583fb907a316c134897c21ebfa71ae36f2a
Formbook
7139fbd600738d2f456c7f11ae105e45ab0bb6e14a473ae0e68391b8125da393
Formbook
7a47a855968f4e82d6cc2d35186d2d56468701bc5587cc87f82a847bd2c45ae5
Formbook
9065643b6a648d1cb47f8364f79e2c159af0e152b0b61c5a4819cf50e9d35ca0
Formbook
c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
Formbook
ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
Formbook
+ 3'650 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210128-594lrwn7vn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.maalkhairaatwosu.com/zn7/
Unpacked files
SH256 hash:
d00c5e5ce8053c66c83643e8a85466920e4d8e24bf4602f08038ebbe736ad604
MD5 hash:
e63dd949b7d06a836c5007b2997fc731
SHA1 hash:
561aff3ca4f8c56cabd494155047953743ca0e24
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/41aa8f7f-a6fe-4b5c-9d54-b5e863b7b35c/
Parent samples :
ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
9065643b6a648d1cb47f8364f79e2c159af0e152b0b61c5a4819cf50e9d35ca0
ee2156519aef9988f7b0e5a2932bf378d3605f66128fcadf7023e6ba24b4557f
0b95efedfa44c08b29463a372e6717efc4874333af63da3cfd003bc86f4ce366
SH256 hash:
06ef6c055d088e55ce9939e1d6c6967fa14f9d4d93c70807479272ecc19adb88
MD5 hash:
6dba38784bd19babf221bab4a67a02d1
SHA1 hash:
e35da0dd00828e3fc30be285b010a3b74b93f70e
Link:
https://www.unpac.me/results/41aa8f7f-a6fe-4b5c-9d54-b5e863b7b35c/
SH256 hash:
b3d90ea4843b289bc7cc3beb78a41512a731ebcc63a44050935a0eedec3db6e2
MD5 hash:
d6e4a3305d550f6a62260f889aa49caa
SHA1 hash:
2c7b47ae553a225bf14bae48be819f24107bd72c
Link:
https://www.unpac.me/results/41aa8f7f-a6fe-4b5c-9d54-b5e863b7b35c/
SH256 hash:
ee2156519aef9988f7b0e5a2932bf378d3605f66128fcadf7023e6ba24b4557f
MD5 hash:
3adae286b1688adb95794b29d21f6ca0
SHA1 hash:
d6bbfa8e7f765d807096aedab7ea28ecbd1e11ca
Link:
https://www.unpac.me/results/41aa8f7f-a6fe-4b5c-9d54-b5e863b7b35c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee2156519aef9988f7b0e5a2932bf378d3605f66128fcadf7023e6ba24b4557f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/114247/

Comments