MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80
SHA3-384 hash: d7b9f888d8cfd24906bbc163214b784d89b307a8669585ec603b2bc15011d33346446ff12ea19b7cdc10e623ef49a563
SHA1 hash: d116908898e0ad0c92146c3de9b07d7b410bd9b0
MD5 hash: 9392649b625bdbad5c5285c11af9625f
humanhash: asparagus-floor-alaska-speaker
File name:Tracking No_SINI0068206497.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'070'080 bytes
First seen:2020-11-24 09:44:38 UTC
Last seen:2020-11-27 09:44:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:FXinB7LNs4dKE+81sQPvNtKXv1JeHjD8+NiyKBeXJL:Fo7+gsQHNtav1JSJiy3Z
Threatray 3'027 similar samples on MalwareBazaar
TLSH 5C35D069A698BF14E0BD473A88F0141197F6EC02A762C92E7EED749D0FB1BEC4521707
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
12
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545846
Signature
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 322017 Sample: Tracking No_SINI0068206497.exe Startdate: 24/11/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 7 other signatures 2->51 10 Tracking No_SINI0068206497.exe 3 2->10         started        process3 file4 37 C:\...\Tracking No_SINI0068206497.exe.log, ASCII 10->37 dropped 65 Injects a PE file into a foreign processes 10->65 14 Tracking No_SINI0068206497.exe 10->14         started        signatures5 process6 signatures7 67 Modifies the context of a thread in another process (thread injection) 14->67 69 Maps a DLL or memory area into another process 14->69 71 Sample uses process hollowing technique 14->71 73 Queues an APC in another process (thread injection) 14->73 17 explorer.exe 14->17 injected process8 dnsIp9 39 www.libertraxengineering.com 108.167.189.40, 49777, 49778, 49779 UNIFIEDLAYER-AS-1US United States 17->39 41 beastbodiwear.com 34.102.136.180, 49785, 49786, 49787 GOOGLEUS United States 17->41 43 3 other IPs or domains 17->43 53 System process connects to network (likely due to code injection or exploit) 17->53 21 cmd.exe 18 17->21         started        signatures10 process11 file12 31 C:\Users\user\AppData\...\-L-logrv.ini, data 21->31 dropped 33 C:\Users\user\AppData\...\-L-logri.ini, data 21->33 dropped 55 Detected FormBook malware 21->55 57 Tries to steal Mail credentials (via file access) 21->57 59 Tries to harvest and steal browser information (history, passwords, etc) 21->59 61 3 other signatures 21->61 25 cmd.exe 2 21->25         started        signatures13 process14 file15 35 C:\Users\user\AppData\Local\Temp\DB1, SQLite 25->35 dropped 63 Tries to harvest and steal browser information (history, passwords, etc) 25->63 29 conhost.exe 25->29         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 02:15:02 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=56cldasfq72glm3lv7f7xzvbjfj6nxqksqqjartcxiqhtbdyfsaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143
FormBook
201e2fd48dfdd75ee8abf1ad910deb3ffa1784ae0229fe7588b2b54119409aee
FormBook
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
FormBook
45cf51569314dac91762e5c1f112c4a640595239d553729f10613f9f59403e84
FormBook
74ee80ac61ce369a23feac3296a825873aa257282d5dd0f9c35c385e3d6766cf
FormBook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
FormBook
911fec402f3bb42d731c4e177c322c0df8d79f680e5a18f538a3ff2e3086c2bf
FormBook
bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71
FormBook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
FormBook
ef0d4bf082291155c82f86ebda948f3fafed56b2d167463f6b59a1a964e7ccfb
FormBook
+ 3'017 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201124-fdtfrcedz2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.libertraxengineering.com/rte/
Unpacked files
SH256 hash:
a50cc46f77c6d537effe3448fef7b058efc99587813156bff9b1831c9c39a63f
MD5 hash:
877d4be1f1ed3ab8d745bcdad9569a32
SHA1 hash:
01f4e81eea4e7412631876a794e9fe1a606d7115
Link:
https://www.unpac.me/results/2e03506b-3e3f-4026-a73b-a50ac96ce785/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/2e03506b-3e3f-4026-a73b-a50ac96ce785/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/2e03506b-3e3f-4026-a73b-a50ac96ce785/
SH256 hash:
90e19bf935e7fe4b71a689c7d401af39be02c9bb4f4b48331fe2ea0192b471b4
MD5 hash:
094f6d98971ce2147c0442226b2995f5
SHA1 hash:
d5dfc037f2c09707e284b4de7a7c1b5600cf8b73
Link:
https://www.unpac.me/results/2e03506b-3e3f-4026-a73b-a50ac96ce785/
SH256 hash:
d9441785516cf74e6f3c86fa0cecf56b0b69cc361516da974be9cb01f1921df2
MD5 hash:
0345ee3daa51cfc4444366c0e1e1ace7
SHA1 hash:
71f1d93c996ba65f162e963ef7da68ea3221459a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2e03506b-3e3f-4026-a73b-a50ac96ce785/
Parent samples :
ef0d4bf082291155c82f86ebda948f3fafed56b2d167463f6b59a1a964e7ccfb
19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143
bf149d9178e1dfee8846b6c29664fd04e8b079121706b208dc9389f3ce1d36ac
fd65de40662072e139fcfab07423a32a918e5cd51c42544681835e7fb5f835a6
ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80
SH256 hash:
ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80
MD5 hash:
9392649b625bdbad5c5285c11af9625f
SHA1 hash:
d116908898e0ad0c92146c3de9b07d7b410bd9b0
Link:
https://www.unpac.me/results/2e03506b-3e3f-4026-a73b-a50ac96ce785/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

817fe6e53cd85e63bd8ceb6218735ad5bf1f0dc38699f37d4fc4fb5725a67ece

FormBook

Executable exe ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80

(this sample)

  
Dropped by
MD5 1933aebf966b900aa3024102f7f3ec0c
  
Dropped by
SHA256 817fe6e53cd85e63bd8ceb6218735ad5bf1f0dc38699f37d4fc4fb5725a67ece
  
Dropped by
FormBook
  
Delivery method
Distributed via e-mail attachment

Comments