MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
SHA3-384 hash: 601ae4ebdbc7351d344cedffbb1185cb7dbec37447ad044dd7ab4210db962cb561158e268e839819e69666833d007f8d
SHA1 hash: 4cbc665703ef6c5eb46608aa5b8fef42c6afe6f5
MD5 hash: e434c99075bb1cc365706ac25bc1c53a
humanhash: hydrogen-edward-lion-football
File name:scanned20891.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'080'320 bytes
First seen:2022-10-18 06:17:52 UTC
Last seen:2022-10-18 07:08:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:bpxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss8gPkS3k:23cj+/ZEFdj
TLSH T17C356AB626D41657E42972B58193E1F322FB6E516011E1CB58C31FAFBC802BBE52374B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1031ccc4ccccaa10 (14 x Loki, 12 x SnakeKeylogger, 11 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321214/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.60767.19970.4347.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634e451fc99b342ba010c485/reports/2d885b74-f19d-4aa1-9537-d707d3de7370/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cda3eaf4-02e4-4346-a271-9de47d48ce0f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092448
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725069 Sample: scanned20891.pdf.exe Startdate: 18/10/2022 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 8 other signatures 2->58 8 scanned20891.pdf.exe 7 2->8         started        12 vwzBruALhhNkob.exe 5 2->12         started        process3 file4 40 C:\Users\user\AppData\...\vwzBruALhhNkob.exe, PE32 8->40 dropped 42 C:\...\vwzBruALhhNkob.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmpDD54.tmp, XML 8->44 dropped 46 C:\Users\user\...\scanned20891.pdf.exe.log, ASCII 8->46 dropped 60 Uses schtasks.exe or at.exe to add and modify task schedules 8->60 62 Adds a directory exclusion to Windows Defender 8->62 14 scanned20891.pdf.exe 8->14         started        17 powershell.exe 20 8->17         started        19 schtasks.exe 1 8->19         started        64 Multi AV Scanner detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 21 vwzBruALhhNkob.exe 12->21         started        23 schtasks.exe 1 12->23         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 74 Queues an APC in another process (thread injection) 14->74 25 explorer.exe 14->25 injected 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 23->31         started        process8 process9 33 cscript.exe 25->33         started        36 chkdsk.exe 25->36         started        38 conhost.exe 27->38         started        signatures10 48 Deletes itself after installation 33->48 50 Maps a DLL or memory area into another process 33->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 04:16:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6uh5irhgrfmtykzjwyuwdgdpgh7cwypsrbinenuavk3wogw5cnsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:5pdf rat spyware stealer trojan
Link:
https://tria.ge/reports/221018-g2l7gsega5/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9ea23877-c579-4cb9-8417-e424b483ef79
Unpacked files
SH256 hash:
2723c44f6bae568744c0f6b56b846e70eeb3d5d03b7f436b8c1199b89c12d727
MD5 hash:
174743808ec50429b587bad2e053fb04
SHA1 hash:
ba5c22d5d5a38a16ae8045c0900dfa4f9531d069
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ba71f507-6344-43e3-a9ce-ff967d6d1338/
Parent samples :
1a8711ee33a1417bb87d4129e2f857ef81f4b75c90891be23bc51f8b642d419c
f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
cf75beaa290407d939a1ad59649c6d268d1ea8119df27e0b4ea4e90faffb346b
SH256 hash:
0df1880919fffb48777619ab02f4451b3fe1e38239e3732f9fedabea891e72c0
MD5 hash:
620366d2032d5acefdee3d24e7ed8969
SHA1 hash:
7ae905d4f126c54e1c858a23632dd629d59bb525
Link:
https://www.unpac.me/results/ba71f507-6344-43e3-a9ce-ff967d6d1338/
SH256 hash:
76d48dab4a90a1c14354c0772ee8299fbdfb4ef69a810bb74b68a50960d086a5
MD5 hash:
7bb6f2f6616ea6ce54639f4f51d11f07
SHA1 hash:
88c69e9dc40323532a55f6e810461b6251f43606
Link:
https://www.unpac.me/results/ba71f507-6344-43e3-a9ce-ff967d6d1338/
SH256 hash:
5c5805f2efa3d1e84632e7f9691ad54d3ff4d9da5f172eb2d99452e18a64b6c8
MD5 hash:
830b2b75584d12969388174bc3e32bfa
SHA1 hash:
7a22180f9acdaeefbce3fc145545d2c240241f93
Link:
https://www.unpac.me/results/ba71f507-6344-43e3-a9ce-ff967d6d1338/
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/ba71f507-6344-43e3-a9ce-ff967d6d1338/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/ba71f507-6344-43e3-a9ce-ff967d6d1338/
SH256 hash:
f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
MD5 hash:
e434c99075bb1cc365706ac25bc1c53a
SHA1 hash:
4cbc665703ef6c5eb46608aa5b8fef42c6afe6f5
Link:
https://www.unpac.me/results/ba71f507-6344-43e3-a9ce-ff967d6d1338/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f50fd444e689/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321214/

Comments