MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0
SHA3-384 hash: bfbbf1742fcfc38de73c23dfe982ebc3c888684bc4ea4001fff6ecc6835490e0811c301526569e77903e518a10a92223
SHA1 hash: 6d2703c658931991266984732960dfccb8171af2
MD5 hash: 3741dbf3b24224ab2afa902d5aacac15
humanhash: cat-oregon-washington-carpet
File name:3741dbf3b24224ab2afa902d5aacac15.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:666'112 bytes
First seen:2022-01-04 16:17:11 UTC
Last seen:2022-01-04 17:58:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:LwoIDqoZiFr5N3FR4sj1OZYt9uksDrH7yYg+W2tGG:Uved5N3z4TKuksDbefGGG
Threatray 12'599 similar samples on MalwareBazaar
TLSH T1EDE4CF262D5942C2D0392573D7F3A7D82BBC7449F192E38BA5B8226B41AD390384F75F
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3741dbf3b24224ab2afa902d5aacac15.exe
Verdict:
Suspicious activity
Analysis date:
2022-01-04 16:23:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ceeb37eb-bedf-4ad2-9935-b59304d82f5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217278/
Detection(s):
SecuriteInfo.com.Trojan.Generic.31369135.15217.11070.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer formbook greyware obfuscated packed
Link:
https://www.filescan.io/uploads/61d4733ebfe53d318f260191/reports/a9b4343f-ee47-4dc1-bd96-b516be535d6e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/735b3de9-085e-45ce-923a-1256ffe2ea9b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/915345
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Performs DNS queries with encoded ASCII data (may be used to data exfiltration)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 547823 Sample: 1dm17YUaH1.exe Startdate: 04/01/2022 Architecture: WINDOWS Score: 100 35 www.mucapo.xyz 2->35 37 fp-afd.azureedge.us 2->37 39 5 other IPs or domains 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 11 1dm17YUaH1.exe 3 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\1dm17YUaH1.exe.log, ASCII 11->33 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 15 1dm17YUaH1.exe 11->15         started        18 1dm17YUaH1.exe 11->18         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 20 explorer.exe 15->20 injected process9 process10 22 cmmon32.exe 20->22         started        signatures11 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        27 explorer.exe 1 122 22->27         started        29 explorer.exe 102 22->29         started        process12 process13 31 conhost.exe 25->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-04 05:24:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14642e431716be5f43044de68f915037e0358a401f59e490f5370cc5563a1a23
Formbook
2152a980e864940db36cde90c649f66e7c2da15790e97703a28cb378fb7b5ca6
Formbook
24efd17a17d20c810212475d62f2ad609e192c135ae8606be53ab7606db458b7
Formbook
2b61cfb00cc8a45fdae91c176c8e68be4ac7cefbe0fab5781e5fa44d2ec4ca9f
Formbook
67cb5ce28fc7e9a5dae6c7be6da453844762fdea43d985cfc761c1ded66487f0
Formbook
76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655
Formbook
84c2b9e7449d2cf1ec1d43b13a9163e6fe355e3f8d301b34b7930d24f916725a
Formbook
a97ce8a55897b2f476c343a3cb5234e94848cdb3a7a815bb1c31c48dfaf794b7
Formbook
e22a659b73048b31aba79fce8de22ddd5a287494b763fec8d5779869dfebbf31
Formbook
ecc6439ff97e4b77f3af320e4c224f712478610fd28a1b6e6a03573c4b90f405
Formbook
+ 12'589 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mh43 rat spyware stealer trojan
Link:
https://tria.ge/reports/220104-tryhzshfak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
3c0bf113aab4e4239b45a472a486551f73b31e8197fac4b03ae2d76a7a822ad7
MD5 hash:
559118ac624bf1006fe97434b4d539d7
SHA1 hash:
f79324d331e05be0a9f27eaf009ef51734966278
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe9861b7-20cb-478e-a609-4c8be08c18d6/
Parent samples :
d211ed2bfcc045537d4c74ad6e630cbc455a9ff1d76c51470962883398f3e2bf
6be874893cea5091522ea17e86689fbc000b283779e768760b74f05176ba7346
0e05f364eea6b843357ec8a4991d1dd52fdf847d2386799d62275742f7787d08
76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655
a97ce8a55897b2f476c343a3cb5234e94848cdb3a7a815bb1c31c48dfaf794b7
f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0
6c0a4d3b03b1331dc9c31134c621f45bcd9bf6bc6818d61b3d7f455bf65b0b66
7d846402dd33a4b037c9744a03cccbbb99f36f955b18a7cf0052243556e1faa2
SH256 hash:
25bfb0f5bb26a0f96129ffcc179621b1cfcb77dd10d9be8575853119cf554603
MD5 hash:
44d33b6ed45d45c336830acb9f4cd0a4
SHA1 hash:
d5b3a93e91dbc5dbd6d2e7a0d26569d75da19b9d
Link:
https://www.unpac.me/results/fe9861b7-20cb-478e-a609-4c8be08c18d6/
SH256 hash:
85cbe77249e3aa6bfba3e5de0c251ce1c0b1b72cd47b9f3b68266d2e445facfa
MD5 hash:
1a3ed2dc363209c6a5c2dc6604937d6c
SHA1 hash:
04270fee402ac05e105558ba657756ae41599c20
Link:
https://www.unpac.me/results/fe9861b7-20cb-478e-a609-4c8be08c18d6/
SH256 hash:
f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0
MD5 hash:
3741dbf3b24224ab2afa902d5aacac15
SHA1 hash:
6d2703c658931991266984732960dfccb8171af2
Link:
https://www.unpac.me/results/fe9861b7-20cb-478e-a609-4c8be08c18d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1893559/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217278/

Comments