MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6744dd0f12c44cc62ab5c2b58e0c2877d3935d8e1205f39bc540e3a58a88bc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	f6744dd0f12c44cc62ab5c2b58e0c2877d3935d8e1205f39bc540e3a58a88bc1
SHA3-384 hash:	c06cddf6da0186d85d227af765837f28eabab686089eee40326526aa85df9d20294ca600ccd9befe0b823ff2d1cb9bcf
SHA1 hash:	366ac62da8aed0d425c1913277ae0d4d7a85a951
MD5 hash:	1286bb98d40fcfd0628de30f8f5b9499
humanhash:	florida-fifteen-autumn-iowa
File name:	产品咨询(RG25LGSJ).gz.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	739'840 bytes
First seen:	2021-10-12 05:52:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:S+MTA2AkKT1IyEfQjixc8RGfOcRetV0TG4+vK+V2:S+MTA2eCcDg/0
Threatray	10'923 similar samples on MalwareBazaar
TLSH	T182F4B559F342AC0ED457557354E458E3A1042CD7E8498339EBB3BAA358AE3814F4CBEE
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Malware_GZ_4df5e65bd070548174062805ec71cc0c4d737892f777ab35395043038e504fd5

Verdict:

Malicious activity

Analysis date:

2021-10-12 05:47:38 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/8db23872-7d52-42bf-961f-56e0d6a852a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/196763/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.20279.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

DNS request

Connection attempt

Sending an HTTP GET request

Connecting to a non-recommended domain

Reading critical registry keys

Possible injection to a system process

Unauthorized injection to a system process

Deleting of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/616522c2fd35fe780c39e678/reports/26ee6634-a036-44e2-a932-c1e15f7aa0ef/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/261ddca9-d409-496b-9a1e-ea6df00f28ec

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/868297

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/f6744dd0f12c44cc62ab5c2b58e0c2877d3935d8e1205f39bc540e3a58a88bc1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-12 05:53:11 UTC

AV detection:

21 of 44 (47.73%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6z2e3uhrfrcmyyvllqvvrygcq56tsnoy4eqf6on4kqhduwfirpaq._file

Verdict:

malicious

Label(s):

formbook

Formbook

5852e0b1479d914e16a2f1cf21d61ff4e1f3d35b6fa5dbcf0055cfc2c9a89936

Formbook

5c6bb4be3e5abfc077f779645b07502ad3f9357fa3c486db79d0a2fb4f470527

Formbook

75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6

Formbook

a325ff051ebc1d366533e22fba4a75a4c0b183a28457ed2fea0841f68da06334

Formbook

bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6

Formbook

e10fd0e47f713f77031028a2c5525477154ad2f7f6500b9679bb00e6897535d3

Formbook

e6cde5c1b614549613d30761b34c899f4ff69d7e6e3147c21d68bedd64f8fe25

Formbook

+ 10'913 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:gnui loader rat suricata

Link:

https://tria.ge/reports/211012-glathsbdfl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Blocklisted process makes network request

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.hottorchlighter.com/gnui/

Unpacked files

SH256 hash:

43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345

MD5 hash:

f62ab5d3528d5a3b9e270ea1f9347868

SHA1 hash:

6a74e87711c615adbd9145f829a33f55b7e42dd6

Link:

https://www.unpac.me/results/431c027e-2748-449c-8f97-03416fcbd2be/

SH256 hash:

5c84b3e5c6cc11bcba630483078ceb86c00c2900b6f61cb642678036d48109e1

MD5 hash:

c6178e56c13d40e75887f44d65599e84

SHA1 hash:

b2cb883b2a9e77c75717e199f3b23eb381488c31

Link:

https://www.unpac.me/results/431c027e-2748-449c-8f97-03416fcbd2be/

SH256 hash:

0ccd51e17f14eb3f2701184b7e4f76154232e8e0d6c24fa72df238cfe83ca57f

MD5 hash:

b89d0c58121e6c27613082b97e102620

SHA1 hash:

88f20e8a8935e20d22d03ed837270a2be65eb185

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/431c027e-2748-449c-8f97-03416fcbd2be/

Parent samples :

5c6bb4be3e5abfc077f779645b07502ad3f9357fa3c486db79d0a2fb4f470527
bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6
f6744dd0f12c44cc62ab5c2b58e0c2877d3935d8e1205f39bc540e3a58a88bc1
77a0d2b3cf7736f6ba6798b004ce89ce2cbbd049a8eaef6bec53cc854b4e79c9
00022259e4007e25bd78d36d83e56d0989de57b16419f9663332570d3139266b
4766aecd97c34461dcda288195f7695895188f13b0a34b2dc1a73324bee46963
f64c0bb01252b219276c16f1b45ec37d3464ca976cf46a069ef487fdcdb707c8
7c0e90c15c64f5929f682a190f06d1e1882e06e6cbdceceb3193c0353bacc219
cc4478165b692f7109f252816f64a1fbb9cbf32c0ff623a255d2c9cd235a2da8

SH256 hash:

f6744dd0f12c44cc62ab5c2b58e0c2877d3935d8e1205f39bc540e3a58a88bc1

MD5 hash:

1286bb98d40fcfd0628de30f8f5b9499

SHA1 hash:

366ac62da8aed0d425c1913277ae0d4d7a85a951

Link:

https://www.unpac.me/results/431c027e-2748-449c-8f97-03416fcbd2be/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f6744dd0f12c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/f6744dd0f12c44cc62ab5c2b58e0c2877d3935d8e1205f39bc540e3a58a88bc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 4df5e65bd070548174062805ec71cc0c4d737892f777ab35395043038e504fd5

Formbook

exe f6744dd0f12c44cc62ab5c2b58e0c2877d3935d8e1205f39bc540e3a58a88bc1

(this sample)

Delivery method

Other

Dropped by

SHA256 4df5e65bd070548174062805ec71cc0c4d737892f777ab35395043038e504fd5

Cape

https://www.capesandbox.com/analysis/196763/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample