MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a
SHA3-384 hash: dfe04f3855214599612aca8d54725e79d244ade88792b08d7ecf871dfd0880bf1973176271ea51f1a1a024537d644a9d
SHA1 hash: 21d703c97f16f46693ff9d5ea35f6f0a672436a7
MD5 hash: cd932bec1188b046a3312ab5ce3b4898
humanhash: rugby-michigan-floor-timing
File name: file
Signature: Formbook
File size: 591'872 bytes
First seen: 2022-11-28 13:51:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'459 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:6WO+MpbKbfjuyD9V/QuMwTRdA0uYWd0v:6WibKPvD9V4OXLXd
Threatray: 18'908 similar samples on MalwareBazaar
TLSH: T16AC41254336C19A3E6BA57F90D8390118BF2E22F74B0D2ED2E8512EE8AE9F01D711757
TrID: 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.1% (.SCR) Windows screen saver (13097/50/3)
      8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 4848d4d0d4d4d4c4 (4 x AgentTesla, 4 x Formbook, 2 x SnakeKeylogger)
Reporter: jstrosch
Tags: .NET exe FormBook MSIL

Intelligence


File Origin
# of uploads: 1
# of downloads: 271
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Quotation.xls
Verdict: Malicious activity
Analysis date: 2022-11-28 07:33:23 UTC
Tags: macros opendir exploit cve-2017-11882 loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID: 755299; sample: file.exe; start date: 28/11/2022; architecture: WINDOWS; score: 100)

Signatures on the sample:
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for submitted file
5 other signatures

Process tree (reconstructed from the graph; indentation shows parent/child, "injected" marks the process written into rather than started):
file.exe (started)
    dropped: C:\Users\user\AppData\...\BenzuQiEPgaXnl.exe (PE32)
    dropped: C:\...\BenzuQiEPgaXnl.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmp317E.tmp (XML)
    dropped: C:\Users\user\AppData\Local\...\file.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements
    file.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            WWAHost.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)
            cmd.exe (started)
    powershell.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
BenzuQiEPgaXnl.exe (started)
    signatures: Multi AV Scanner detection for dropped file
    BenzuQiEPgaXnl.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
Threat name: ByteCode-MSIL.Backdoor.Androm
Status: Malicious
First seen: 2022-11-28 07:55:42 UTC
File Type: PE (.Net Exe)
Extracted files: 19
AV detection: 16 of 26 (61.54%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:g2fg rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Formbook payload
Formbook
Unpacked files
SHA256 hash: f26fc4ea0c27824a013ffa528d0aee88dcaf5f4b5defd62b48ddf2facfaa5124
MD5 hash: 60d0fd39807c962e45c1ad7388fdee93
SHA1 hash: 98dbb9f3c0c9e6ac3c5bf0fd987509f6f586423d
Detections: FormBook win_formbook_auto win_formbook_g0
Parent samples:
2a2ed868de7659c4ab333a44c6e55d69fa73edb4399997efeb48e39abfedc0a2
a02e269ca2267609aec76334e4fd13703c2071ec11a991c41c4fe785c168ef1d
3a6ba0e427cbc8428f15e8b347a9483fd11ad9aac6c65869c07665f76735f649
04d583f5e12a75d174cd94b6c4599a5db274b7056a580e7a7ab9ded10d92f845
c98eac88f8f4243d7303b806cb58e0a89e33270cb4b33457c91938a2b2746238
59564998eea247b74fae4eda4ec4d033c71dac44ee51d9317df8dd88d0fc4fd7
7e1902c99be3570624c34b1a087ca24ed8d47430374b6a2366d0432cb3e2a423
992ba1b139e91db060bd5d50e486447e5b1b85f4629fd7be5baf83b33478860c
f00c0f04ef631da780c92bd7249339579672e0898ed1ff05fa7617d2c182e682
b5334d7f1855536729093e624f9a5b548cdf0c74db12aba62280f7064090e4a0
497ca74514404b8699709d6fd3e3ab89cbd5eeb8fb1a5dea69561297f6a5e09a
f68fa6b1bbbc7654157a918b34bb633c008a0e8f9cf608e763ddade76c543791
fa20666ddef2dcc581feec3be79cd35b4d9f44e2dc713ee0eaeae73673b83b0c
10aa7088156f972d7f44c8183c9b26c4ca290e5e1b92b59585a91b9946fb73e2
73c029fbd27d0c281ac91d030160bd9ba859ab57db73b5fd7011f470ab90fc8e
a3c1b0817789d0b691bcbfa175958d2b24ad98020ba776c11aadde1d89a964ba
942196f0ca8e1253e7dd381b1855e4b56b8874a2d5def9d472507ddaf306ac86
1485956980a9f44192c5e1f6c8a4c9b6359de63b4a95e7c257f4ba6f9492a8dd
b63c82c7ada645bc96da74ebd031970c0ee2e7a568c2929181c146144682b2c3
731b5cd4aa18acb39bcfbb690aa93ef24f374c96b4d61845a58781241bc0bdee
1c3f48c41ff949d4c6b27d671146abb3f13be640843027a5ec33177bca81aef6
7a39f705b79a26591fa930c917ebf37ac8f0394017521970a45cb8c49c3bbb65
c4771044788147e2c9acb052dfbf6d291400add558b59ad0e6d0c5f42f3ec3e1
3bea5fb4e6d7f626a3448f9815c3ed932a8bf14fc7eab5739cc5dc69de03960c
e5938a9efbdbf0a81790e0287b086b4a322b756db37ec4006419a6ada47073be
c0f665918f4ea75327960ddf58cf37e415a6bf6569a4c22aa6291fbac9d171ce
5c4b6b6b72e020bea0a32b9ca0542bd404e91eff6344648aae077ad332593744
ffb2ebccfae79f8c1d5911d41e549a8f876a10708053a4f3a3dbc2ec0e04be48
b0719b23f521e380ea76a06aaee77d34b506ef96890542072101950ccffeac32
2ac7632aac460d738f260cbc0913805ca0b3421f7e241b9708688be292600e73
59a7fc4a8a50af26da5eb5cd0142fab8ef93140c2dbade41fd4ce316778ec82f
879ed7e70f3065461580484acb99e57762c9c86f1a92acae280fdfecf0f50cbb
5938c544d44a8b9714eb80c498d7cbb327b55d8176541118394d3357727f3d28
e009f07c6ca122574b584c8b883e3983349d8d4a372ff45aef77af52d5251b9c
7e98adbd789e5f62288e3784bb613e332642f2ac533ad873b5744c7a3d2afc16
4e7ff374bf5f0989e5d1e4ae395c9229a0d786ec1669dd0cf0fadf2a3f898554
82004564f9c882c4ae8edc74ef12e9ebde3e6018150864bfdaee8ac8f5048216
233a666fce4179d561dbcd31f35624fd3bc21068ae08995316eb9e5f7debf6f1
eeb925601fdf3c1d3155c01e836017ee29a9b1342b5c4d084839424aaee41a6a
28553a815377abf1848c9f84e528e6115969744b4d735e2e0cab9e4ed919a23d
be0eb1bf95016367e097709002bfb12c31419a9d9214f5a743d61fec0869e94b
a700153db70dd52ea66a74fc09145bbcf39a8019a7d31f733e8ef204494ca6ab
8b70ca4638fa94692c4c816a5e6d78dbf4b714d729cf76b6408080b4a33cb80e
11649edf97c44a364aa23ec2d01a39ed40efe81f025120a621b36c696620b441
e6507a30dc00cd8ec7b0b945c3549bcb313352e6443560394d136cb59486598e
bfbabc5cf18aa403997d34e8920f17303dc84322553b14ea8e535165da2f1766
5968a20b202c7e35ee2a6731bc76e5d91872820c2c500cdca13539c33c65dbd8
817bb218dc3c136428947e26d4e54bc1efa5047865c9061f032bd72c40cb133c
0d80a3569771d4ad7af902622df71a797cc61a80a958732c7c5f6191f4116e35
1406976ef0e50ea7ed59ff0a8175c3938694b2d2f8bf113e3208fdb48cb9c0a3
96ca0f177718a65118eeb4782cb0642e7529e670e7e7f2b692ee750c44734475
d1503f3fd8e620f55c8705f8bb1f7f233ba3fdd6eaaf2e44e310a6e77ba54fc6
4b077e18b18dad16af3d09e790347383572d0bdbc2f5cdd0eed96c61c960b211
7845453819c89f24416bfa15744e3625fafb7544d5beb180f6fe02a4d639b227
f1d6dee5489870d7cc620521cce6009b2fc0d4cada1ec66a979ef53faf6c1fd9
a06999e015bc924adb4a463c17853e238886b5a7c2c3de6f3614413e0794528e
cdda311b19b7310a22c171a9e83e6eb26f0319b9ea904cd6cbbed31b371e8fc7
1b4b34f61e8c7544cd51784d30da4e21134bda0b2e8c23ea740ca83cab04e58a
d936dbd1677939645b8945767ce9525ad92f068e0d81c9316e4c83fe916811cc
3a22fb14f837309023971bf41b88cfc9b3ae7d9db44da63257d36d73dbd716ad
0d70b935ad36ed959f487e0405eb6810bde06a538f862baf0eeb24d41b6188c3
5d781e4eb5ff900fa98654ed3c4de450539f80dda2f2e03a6303f781937ecbd4
4143f0d71056023faf4ba8117632af6086496686f1ef88da843c7252d7e1eb97
09037aa0be8db35b9e9fdebbcf4b513fc3837825d0114474ecbd396e698c5f8d
af950b5a12cb2f97b66be1ca4cd05b528919e25ef03c04a07d8b25af2acb501a
fd8ee1def801bc959d1fefac476f1adea2c6d66f21fe1c144e53e4b1fc92728c
212604b13ca215693db01f642c18e800aeb394f53d1f559b939b39fae9708d87
e4d9569944d2384d12aefa1b70f9c9799bc5f31e3031078b022bc144424dbe29
f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a
71ea65acce74b5793f509989efe2b9dee25d7700f6d52aeb07e321ad2ebe0b59
556db57800de1a678ad62a5d6c85e2de783f3965429679a5c0f584ca3bc483ed
11b7ed15ae6b1bb53ad3eeff567acb939f794bfdf067b6c3c07c19a15a02fb8f
aa82cdf7520b7cc07288287395288f37a49a955dcd45b0bcc079364c43ceb298
fd57c25c7f4a591450adba8e8f2755e6a8ef62e9e28b745eae0a7369dc5ef4aa
67cc4306421a289d79bfd855c3da5e7ccbfe55e8eef44fc6c48aea748848ea5b
550d710de80bc48622dab82bf9f26b405866ff5d463bd06748c3419ad5ac7de6
62563b5858256c4048137b94b1f0f3a6abb1cef7e2f9afdf3e874d08ac3ab708
b3938532376b8d895ba266de98386155798e984764ea778c43a842a3124ccfde
40c9387d1982d53944fa9a527152ab7103457d7fb3b37865af98fe399641cf75
efd586fdc04eae13911a3f2638cb478edb6c952716e3279d854c4d855a9a70c1
fb1ccc21ef84112ec41d904546fa6e35c0ee0ff48626b68dd2d1839f77a4b508
6c16d294d574746cc94efbd7c946f73381bb1c857ba468ce37b8c672fa1faf57
0cf03f46e827627fc7cf3683f21e1da0f18d5a6e22e46f7aa4867aef4012b8e4
dbe3f374ece034f9fcfce5ea34796ca35fb13e1a6d929d708ea74a14357676df
ee62bac96fdf6c8fa0bf931f53a9858584cbe77e814f3e0a08a9a0fcb1fe55f3
5bdac8b30125850db84f9c3dceee1dfbbbc67e1ca5501cf678e14b835f38000c
c31db5aec9add40498b70fadc64eecb0b036cc0d894868ecd365213bd23dd064
ef5801704c64fb48c3bc3f96ba58f18ed4a320835d0f5d36732b3b5c2a2724ef
adb24e3f246fd2e4d38866e9273f7f511af700a1601399bc695b01c5ccdbd43c
d740e51f896255da1f4c88a7318bf912977675c5c571a73a5a925a0e120f3d1c
abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
SHA256 hash: 3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash: 1619753b625e58c25b73fbf1f0bff482
SHA1 hash: c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

SHA256 hash: fcad8fcbbe042a5db0ee19967bcd476a25cd70b786fada556b987edf8c496c43
MD5 hash: 9f66fd8368acad8666e89c0d193817c4
SHA1 hash: 5ff1fb5c5b0dfd638524b6180b2faa383ad4583a

SHA256 hash: e752dc8ee17c088b509d1a674fa317aedecf638ab2ddc6fca253ff3eae523dbe
MD5 hash: b41f9e787805fafe2266feb72c8c7701
SHA1 hash: 590030319dc81b06c974c190e96bbe536c0f3807

SHA256 hash: cf6cd4dd62163afdbea6df9c64e73fa924f3aab1928e6c5b7c923d04418968de
MD5 hash: 801aa5c261e033a773eaf777c8c8731c
SHA1 hash: 4e02884cb70fd9b4679e1968fab0d048262cd11c

SHA256 hash: f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a
MD5 hash: cd932bec1188b046a3312ab5ce3b4898
SHA1 hash: 21d703c97f16f46693ff9d5ea35f6f0a672436a7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download
Signature: Formbook
File: Executable exe f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a (this sample)

Delivery method: Distributed via web download
