MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4674817122efc3526346a4de3f374c778b48d19f0d84bb13dd4199b0868357c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4674817122efc3526346a4de3f374c778b48d19f0d84bb13dd4199b0868357c
SHA3-384 hash: e890fec5d05da45c53d1f8f0c0724e72a932502e2eb4bff6b762c636e4c8d802080422b0481b3cf346420162d85fa0d2
SHA1 hash: 1b70abea24b9a93ecff4d6959b3ee5e6ea55f700
MD5 hash: 7604145281358e95356ff075dd54c0fe
humanhash: echo-music-mike-fanta
File name:Details bookings.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'189'376 bytes
First seen:2020-12-24 06:31:26 UTC
Last seen:2020-12-24 08:27:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:M1ONVFmk5zzS5H2GTqETxFo6JG6XsHuj7odJGFDKiwU:wg5zu5WHEldsHujcMFDKXU
Threatray 3'248 similar samples on MalwareBazaar
TLSH 48454C14A2E40A5FF07E2F758A6C052F93B639756A63E3AF6CE031575EB2B014B13316
Reporter JAMESWT_WT
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Details bookings.exe
Verdict:
Malicious activity
Analysis date:
2020-12-24 06:33:22 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/3df6307b-1666-4ea8-8252-938c6d309ff0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109291/
Detection(s):
SecuriteInfo.com.Artemis760414528135.290.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569588
Signature
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 333854 Sample: Details bookings.exe Startdate: 24/12/2020 Architecture: WINDOWS Score: 100 35 www.bribiebootcamp.com 2->35 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AntiVM_3 2->47 49 6 other signatures 2->49 11 Details bookings.exe 3 2->11         started        signatures3 process4 file5 33 C:\Users\user\...\Details bookings.exe.log, ASCII 11->33 dropped 59 Injects a PE file into a foreign processes 11->59 15 Details bookings.exe 11->15         started        18 Details bookings.exe 11->18         started        20 Details bookings.exe 11->20         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Queues an APC in another process (thread injection) 15->65 22 explorer.exe 15->22 injected process9 dnsIp10 37 www.686761.com 67.198.128.186, 49760, 80 VPLSNETUS United States 22->37 39 www.parrotpink.com 154.93.165.239, 49754, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 22->39 41 6 other IPs or domains 22->41 51 System process connects to network (likely due to code injection or exploit) 22->51 26 colorcpl.exe 22->26         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 26->53 55 Maps a DLL or memory area into another process 26->55 57 Tries to detect virtualization through RDTSC time measurements 26->57 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f4674817122efc3526346a4de3f374c778b48d19f0d84bb13dd4199b0868357c/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-12-24 01:07:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rtuqfysf36dkjrunjg6h43uy54ljdiz6dmexmj52qmzwcdigv6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
16a4855bceb4df02e0478cd72972a6e7f144f2278fedb239c2cb696cf6bf7199
Formbook
34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559
Formbook
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
Formbook
6841a00603c067163259e142990659c0217ded69e2895d187fa65f9439034c7f
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
82ec33dd4f26eab172d8a0fc536751d12153a3f7175351da311a7059217c670e
Formbook
8ca4a5887d8506ae275cdc9d9ba89dab07e2997435435a1f0bd111f78ad0a382
Formbook
b1b8f6dcd1c8d12e5a79a8d16dd62d0900d552ba435178b691f4497d338cc704
Formbook
d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866
Formbook
e367a50fe019accad32ff683df2a06a9178ab2f9b7e2265b80089976c7f5d5dc
Formbook
+ 3'238 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201224-l1l2cyw58a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.deuxus.com/t052/
Unpacked files
SH256 hash:
4ece24cc7ba0fe68bb95951a8a23bfab696b8752850fba65687504f24aa6bac1
MD5 hash:
0d2cc36ed2c3a7e03324833354cfaee5
SHA1 hash:
5d72bafc7862ee57244596d8d2e6faf311f1dc16
Link:
https://www.unpac.me/results/25fa1827-6ee5-46d8-83b7-d7db36cc572a/
SH256 hash:
63147f42601c1e62156c010e2c7f1cb46612c1884233fc44e80ba0b4baa9437f
MD5 hash:
68918639a3ad8687c6e7097e06dac832
SHA1 hash:
b70b1292bc69ffae16b89cd773ebf019bd2f3db8
Link:
https://www.unpac.me/results/25fa1827-6ee5-46d8-83b7-d7db36cc572a/
SH256 hash:
63c43914cbeefe0348a391b57c1c4b0bbc557f239bc75793bcb471ffb7b067c9
MD5 hash:
d61d6fb81eb44a5c7d295ada9840b81f
SHA1 hash:
da9880cbd7a4ca8c128d1fc098bb1c4c30ab09db
Link:
https://www.unpac.me/results/25fa1827-6ee5-46d8-83b7-d7db36cc572a/
SH256 hash:
9231183674f234096d474027446c1803138f7b55d2e5fd616bd0f1cb12fecd37
MD5 hash:
1e95cc35de4a82e464f91fa77495d826
SHA1 hash:
9d48a0c66137f0e0575b80cff77a21d813acdb35
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/25fa1827-6ee5-46d8-83b7-d7db36cc572a/
Parent samples :
f4674817122efc3526346a4de3f374c778b48d19f0d84bb13dd4199b0868357c
24a234c5f80a54172dd68022bc17dfaadb008e6c90dbac03991064860f20ea82
616c28fcce50820b53f2e7489697ceec0526c0e6005c25c4a2f312b2cc8822a3
a2d9b5d16fcae146b34d3ed40bb6444d4b4bb497ed63e8f4d720af4d24cb5450
e04abb62c7cb7d06e79c802d579572230a52e029b205115c87c31fdb8073930a
9711d6e85cd32b79392aa64305e32e400365cf1bd359649e499fe92896baf732
85b414718d97bd7f716c6eaabe004cbf4ab89e16688490100901bcaef1eedc58
9fdd7c91700e8ae665b85b921c9008a728d8a022c669f348c32865b674341333
39872cee88d7cf4d0f0cc42d09348b6fea960a62861fab210bf257c4e6bc3a36
62e4e1e22348e0eb9b33c350ee4489a3d9292dd81bf289282ebb148507180609
SH256 hash:
f4674817122efc3526346a4de3f374c778b48d19f0d84bb13dd4199b0868357c
MD5 hash:
7604145281358e95356ff075dd54c0fe
SHA1 hash:
1b70abea24b9a93ecff4d6959b3ee5e6ea55f700
Link:
https://www.unpac.me/results/25fa1827-6ee5-46d8-83b7-d7db36cc572a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/f4674817122efc3526346a4de3f374c778b48d19f0d84bb13dd4199b0868357c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/109291/

Comments