MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f29c2aa40b282947808213d07099641c64b26f1a28e72154adbdb61dca3c49c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f29c2aa40b282947808213d07099641c64b26f1a28e72154adbdb61dca3c49c9
SHA3-384 hash: 8898c353db29834db09395863ceeb3533861deaefa1c4ee37492f7e7a2f78ee802b6703e5ff9c057d6f42489c66c690a
SHA1 hash: f98d60702774d661da2dad38072305e4045a687d
MD5 hash: f6bd4dad8709e9a43d2af50dd204e014
humanhash: pasta-friend-bluebird-sodium
File name:SecuriteInfo.com.Trojan.Packed2.42809.3317.13880
Download: download sample
Signature Formbook
Create hunting rule
File size:1'220'096 bytes
First seen:2021-01-26 11:05:59 UTC
Last seen:2021-01-27 15:25:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:556yszawWyjQG7jPBJxMZ4MjvFeuAyV3srW0i4SgGo3MaWQlxquLRoWqrgise75G:556CyjhJneDFay5iHeKqchZise7tL6
Threatray 3'640 similar samples on MalwareBazaar
TLSH 7C45A98C9CAEC0CB86750FA856CED8EA46DA5FF30F229879B5C58BCBC530346F506525
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Packed2.42809.3317.13880
Verdict:
Malicious activity
Analysis date:
2021-01-26 11:09:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5ee8fe46-9c2e-453f-81f9-7e91a3640407

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113870/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42809.3317.13880.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/590500
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f29c2aa40b282947808213d07099641c64b26f1a28e72154adbdb61dca3c49c9/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 19:59:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
36c4a71bb849ba8e5fb938c8559b7ca17f8ebd1efe62d4bbd9af8739cbc4bcf6
Formbook
420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5
Formbook
44d7d2e8192f940c7c739e654cfd560b294b20d97f983c250bc66b7bdbc4ac20
Formbook
4f4df174297e1651b1db26aa6a4191945ca4496f5f2a71ed88597c9a809a4794
Formbook
9065643b6a648d1cb47f8364f79e2c159af0e152b0b61c5a4819cf50e9d35ca0
Formbook
b391d1b72b14882c85b88f43578341edce500e922a621026784dcb86ac31d37e
Formbook
daf4aafa2ea525f3def6fea445fec6952400ef9d5d5f8b9375606c9bbbee3ad9
Formbook
e8a03ea82df941052dcc42c185962c51df032cff1f79d6058ecabad445eb6e82
Formbook
f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443
Formbook
f6983ca5ba7ffca18db45a30cf8b2db968099067386658bf4131c16189f85f21
Formbook
+ 3'630 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210126-cx3q3wb69s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.whollysweets.com/nz8/
Unpacked files
SH256 hash:
8ea50b1bb455d3fb1f20d559cbf55053c54cad481fe79cdedae7ba553b8bdbcb
MD5 hash:
e413e2548bb5747b4b69801b1322dcaa
SHA1 hash:
106824eca13940f6c846421ff24d75b9f2fa68fc
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d0b72e54-5e20-47bf-9b1e-ded0f4831d07/
Parent samples :
f29c2aa40b282947808213d07099641c64b26f1a28e72154adbdb61dca3c49c9
e6a66bca480c62839856e6b9510a46cc2b859c3b6a8191bf9af68290a2ef8134
SH256 hash:
651f3401477630cc4db0d10a504553fec76e3a4ddc3e76f03e32f3186f93d0e4
MD5 hash:
22b6397d7bc7766852709cde8920cac3
SHA1 hash:
3bb2ef8bc2622dd1c08c29e9d93370d40860b6ab
Link:
https://www.unpac.me/results/d0b72e54-5e20-47bf-9b1e-ded0f4831d07/
SH256 hash:
52d35fabfc97d3e903b5d9eb253e8f84d1dfee2967fa9dde6d6ca37cc61951c5
MD5 hash:
b5a7f2596efe4c5fc5f5d2c733d49259
SHA1 hash:
c121578124375dc293e4daf12fac22442a8131b6
Link:
https://www.unpac.me/results/d0b72e54-5e20-47bf-9b1e-ded0f4831d07/
SH256 hash:
f29c2aa40b282947808213d07099641c64b26f1a28e72154adbdb61dca3c49c9
MD5 hash:
f6bd4dad8709e9a43d2af50dd204e014
SHA1 hash:
f98d60702774d661da2dad38072305e4045a687d
Link:
https://www.unpac.me/results/d0b72e54-5e20-47bf-9b1e-ded0f4831d07/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f29c2aa40b282947808213d07099641c64b26f1a28e72154adbdb61dca3c49c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f29c2aa40b282947808213d07099641c64b26f1a28e72154adbdb61dca3c49c9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/978578/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113870/

Comments