MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364
SHA3-384 hash: 5bbb107f9401545265a79a3675776153a3abdc556f39b577ddd4f24651111b536b187ea648ab4ed14aa5a72cb4a69914
SHA1 hash: e62f150cdd4cab28d7509181021ad6a0a286f935
MD5 hash: 3784b10d0565c915a99e5877beff9ef3
humanhash: yellow-tango-california-cup
File name:3784b10d0565c915a99e5877beff9ef3
Download: download sample
Signature Formbook
Create hunting rule
File size:550'912 bytes
First seen:2022-05-17 08:12:31 UTC
Last seen:2022-05-17 08:53:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:wCQI/q+UonQiF0kBcEVF2Guwc5AaBlaFENg1mLChGHOzRF8toLobahb81f8SrnwH:wmjykBNiJeanAE6vhGRtYoba8drnwpC
Threatray 15'714 similar samples on MalwareBazaar
TLSH T125C423E6BBA44326D73A1BFD42684AA057353E527251E78F1CC718D903B37818FE4A63
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Drawing for specification.xlsx
Verdict:
Malicious activity
Analysis date:
2022-05-17 13:04:23 UTC
Tags:
encrypted exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/2b83f7a5-75b9-431e-a1ee-4a6a4b7940c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271388/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6283591ad06ea2f4a07224e9/reports/2f88ee3c-334c-4796-918f-19cc29b39ba3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be073818-0056-4649-986a-58e74767730e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995593
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 628090 Sample: zRQuHKbY4V Startdate: 17/05/2022 Architecture: WINDOWS Score: 100 37 www.huntinton.info 2->37 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 9 other signatures 2->49 11 zRQuHKbY4V.exe 3 2->11         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\zRQuHKbY4V.exe.log, ASCII 11->35 dropped 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 15 zRQuHKbY4V.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 15->18 injected process9 dnsIp10 39 www.tradeust.com 185.53.179.172, 49754, 49755, 49756 TEAMINTERNET-ASDE Germany 18->39 41 www.aspin.club 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 help.exe 18 18->22         started        signatures11 process12 file13 31 C:\Users\user\AppData\...\O00logrv.ini, data 22->31 dropped 33 C:\Users\user\AppData\...\O00logri.ini, data 22->33 dropped 53 Detected FormBook malware 22->53 55 Tries to steal Mail credentials (via file / registry access) 22->55 57 Tries to harvest and steal browser information (history, passwords, etc) 22->57 59 3 other signatures 22->59 26 cmd.exe 2 22->26         started        signatures14 process15 signatures16 61 Tries to harvest and steal browser information (history, passwords, etc) 26->61 29 conhost.exe 26->29         started        process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 04:48:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
045b2713fa49b215c38ab96d39f3f46b056c46391cec1c4772e3e15b6dd2005a
Formbook
045c15ef3a76b61d487b30e3e554c77afbc4f3fc17078d3818b5392de608a92e
Formbook
3ff28d4f5a5b236c660c2714bf1b5a515cf72cd738afea35b916938024644538
Formbook
7c0ab1d837684e8d37e75578f4821e25d7729cb9d3739f397cabbb9c95f2ddae
Formbook
7e9714cbd04e089e9a55baccf2e3168d876772c72d59d83df1471a533c043fd0
Formbook
b807f3822e747f7135cfbe8941d7fb58924745c27880c4041a2554fab96533dc
Formbook
c8f9dc774ab6e27b3116b72c28e68a88e087bc1648c1a96509c26e33575ba9cc
Formbook
da7d5d4f66ec3b6d1bdb4301b01d1b9849c6c06c3345d72400a5652f7ac8a52d
Formbook
ec575e5cdf3da323c27e65f3042586173ca50ba0682b733a61f0b47f80c3004e
Formbook
+ 15'704 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s5hr rat spyware stealer trojan
Link:
https://tria.ge/reports/220517-j4dz1abham/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
75b081bd58a8981d26b7fbd1a806bd91f5487c0a88da1c93005cde4a2671f835
MD5 hash:
2e61bac8096739834335a7cdfb44b858
SHA1 hash:
2e2038180c3244ad36424751bbb3ae36aa297e65
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e3cc00e7-6270-4f5b-8d97-182aa5d4d389/
Parent samples :
da7d5d4f66ec3b6d1bdb4301b01d1b9849c6c06c3345d72400a5652f7ac8a52d
f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364
SH256 hash:
709fdbef8932044e42231f14888aa12b12ddc571e6daba8af86d624a39fa63bf
MD5 hash:
a7a6647650fe0204d1ab042824d638be
SHA1 hash:
a1194aba19ab6190a412073fe1918cd1b559aacf
Link:
https://www.unpac.me/results/e3cc00e7-6270-4f5b-8d97-182aa5d4d389/
SH256 hash:
0e426a7c0aae660fffa165b69cb1a1f67acbce2c77592c5ce52c37e3e098ab8c
MD5 hash:
9a1304459f03a6611e590dd7f912e04d
SHA1 hash:
57fac49e858b8c872f1d4fac9aef7c7f09951be7
Link:
https://www.unpac.me/results/e3cc00e7-6270-4f5b-8d97-182aa5d4d389/
SH256 hash:
cae88ad1d4a72965e04d8145a2ad3f8590a462625abbc4c6851f28d41e272b26
MD5 hash:
3212e8f56dd45571a57bc7e004b730ed
SHA1 hash:
5754fdce380349ddb06552761cae84b549073d2d
Link:
https://www.unpac.me/results/e3cc00e7-6270-4f5b-8d97-182aa5d4d389/
SH256 hash:
f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364
MD5 hash:
3784b10d0565c915a99e5877beff9ef3
SHA1 hash:
e62f150cdd4cab28d7509181021ad6a0a286f935
Link:
https://www.unpac.me/results/e3cc00e7-6270-4f5b-8d97-182aa5d4d389/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f40a38225821/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f40a38225821147424c40ad23f18de1859e7c2ca11ae544387aed8ae2583b364

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2198963/
Cape
Cape
https://www.capesandbox.com/analysis/271388/

Comments


Avatar
zbet commented on 2022-05-17 08:12:35 UTC

url : hxxp://198.12.89.141/gfm.exe