MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5bd22b640c54cfd5212278977ebe0af67805288b5f2ac3da25f220cbbf59615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	f5bd22b640c54cfd5212278977ebe0af67805288b5f2ac3da25f220cbbf59615
SHA3-384 hash:	563a3f94b946ffec8a966d1bfbf6e7264c07351f977b1201a31d35c8c07667c1294eef0bb3f09f9193d30cd4a9f2186b
SHA1 hash:	5a2b42b6c21c4c335bb483f2cee86561554f61e3
MD5 hash:	602ed88af789ab9e916a3d61e33de5f0
humanhash:	uranus-eleven-venus-california
File name:	T1t1OEGt1htLruH.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	879'616 bytes
First seen:	2022-07-15 09:34:55 UTC
Last seen:	2024-07-24 23:05:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:1lhLuyyh9rWEuGdPi932HA+hAXmkMW659Y:9Luyy/rAGda0HAiAXQWGY
TLSH	T1FA1512337294466BC4BD4BF9E0328D922332AE8A62ABFF515DC531E711337449A0DB97
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	cocaman
Tags:	exe FormBook payment

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

T1t1OEGt1htLruH.exe

Verdict:

Malicious activity

Analysis date:

2022-07-15 09:44:10 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/cf9fa410-ab7e-4204-a57c-1feb5ca376fe

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/289459/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1449.4881.4346.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62d134cb01fde6ede68359df/reports/8cb7b67a-b92f-4663-b624-848fcd651e5e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/522f7f06-cf0d-4176-aee7-32b605e934c0

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1032385

Signature

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/f5bd22b640c54cfd5212278977ebe0af67805288b5f2ac3da25f220cbbf59615/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-07-15 07:50:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6w6sfnsayvgp2uqse6exp27av5tyauuiwxzkypncl4razo7vsykq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader loader persistence rat spyware stealer suricata

Link:

https://tria.ge/reports/220715-lkczpsfcej/

Behaviour

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Xloader payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

5613d98eafaa6e20c577b05d7be0a8a00f25e5de5ad109f68f92e5495a616539

MD5 hash:

5b48a8456f796adf5bd23ad688bc041f

SHA1 hash:

2634ff0833dd50b544e7c8deeed2e42c6fe3b795

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/8cb97a8c-155a-4fff-a33a-22a0ac890bf4/

Parent samples :

27ef35c90367b8bd42a5d68e93cd132c1ce8a7b0ba6a73e0447b016da8c4ddd6
f5bd22b640c54cfd5212278977ebe0af67805288b5f2ac3da25f220cbbf59615
59133364318b3bf9bc773ecdcf457323b7c752364f974ef0e9b4a34da891f292
7b0c587adcf84f4edfbf4c48287e9d327fda44caa4ede0975d9d0e66d938bec0

SH256 hash:

c8b706626517939934bba0dfc6d6afdfd5befa6e082b1e48d5a4f4dfe11fe827

MD5 hash:

7a298e7fc0ac2ad68e7720528eb4ab10

SHA1 hash:

1d4fd8e4d8c9606d8d3879b3ececf42d5e26b329

Link:

https://www.unpac.me/results/8cb97a8c-155a-4fff-a33a-22a0ac890bf4/

SH256 hash:

883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15

MD5 hash:

ecb3f27eb8279c51608c8ea8f8050655

SHA1 hash:

82385d75444ab5fccacf37e2746c7dce73faa7f3

Link:

https://www.unpac.me/results/8cb97a8c-155a-4fff-a33a-22a0ac890bf4/

SH256 hash:

5f0b8caec0b85a0c703e72e766fe4f4a14122ccfb7cdf2c039bca112a4d4267e

MD5 hash:

a517ba7bb62658703df3eb5a594162c0

SHA1 hash:

4c5c4e369064321ae72c149cdabd5585b7b9b64c

Link:

https://www.unpac.me/results/8cb97a8c-155a-4fff-a33a-22a0ac890bf4/

SH256 hash:

07a669badf12ee362884eca88c04ff18b102b9cf7b59653807fc451ad4e7b8fe

MD5 hash:

f6df51f6176af38265fd8933b3f473a7

SHA1 hash:

2c7549beab772727065d025417e42ad6840294b9

Link:

https://www.unpac.me/results/8cb97a8c-155a-4fff-a33a-22a0ac890bf4/

SH256 hash:

f5bd22b640c54cfd5212278977ebe0af67805288b5f2ac3da25f220cbbf59615

MD5 hash:

602ed88af789ab9e916a3d61e33de5f0

SHA1 hash:

5a2b42b6c21c4c335bb483f2cee86561554f61e3

Link:

https://www.unpac.me/results/8cb97a8c-155a-4fff-a33a-22a0ac890bf4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/f5bd22b640c54cfd5212278977ebe0af67805288b5f2ac3da25f220cbbf59615

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.