MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7699f895564624f542f4a0aee4357bedac9f6c6bb3fef74cf7cc8bfb72e4eba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	f7699f895564624f542f4a0aee4357bedac9f6c6bb3fef74cf7cc8bfb72e4eba
SHA3-384 hash:	29641dc1f5e2bfa597ba94da2d9854c7c084f0491385873cd338dfa107bf19c3da18690547d30c7fbb6a9b4be08ddf5c
SHA1 hash:	bf5d68ff3244cc4ee512a5df67da438f5ae05658
MD5 hash:	92c52c2062cefec3b3e5459d2f16e6bd
humanhash:	mountain-magazine-eighteen-oven
File name:	SecuriteInfo.com.W32.AIDetect.malware2.24921.17572
Download:	download sample
Signature	Formbook Create hunting rule
File size:	241'259 bytes
First seen:	2021-06-02 16:39:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	3072:8Lk395hYXJvMAnHTD8fwEb43r7uYydOrz3h2ypSLF43xEosQ7OgXhxtS3bYmH+nq:8Qq+AHTDcer8Y34ZmJ7iglSLV+ny+Qp
Threatray	5'565 similar samples on MalwareBazaar
TLSH	2834121764E0E433C29B1FB2C1737B68D7BED39D26612857B7284FBA2979503E84E181
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.W32.AIDetect.malware2.24921.17572

Verdict:

Malicious activity

Analysis date:

2021-06-02 16:40:24 UTC

Tags:

installer

Link:

https://app.any.run/tasks/9c2be2ae-4b90-41e7-abd2-078f6b35e2b0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/164099/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Sending a UDP request

Unauthorized injection to a recently created process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/796085

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/f7699f895564624f542f4a0aee4357bedac9f6c6bb3fef74cf7cc8bfb72e4eba/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=65uz7ckvmrre6vbpjifo4q2xx3nmt5wgxm7665gpptel7nzoj25a._file

Verdict:

malicious

Label(s):

formbook

Formbook

14bdf4f6b19a915c990311f85f8d82b9b4f3dd9d876ecc9b3ed69e65a4195cc2

Formbook

1877d5ba06d098d55f491aae3470afa36b839569dcf7b17226ae81c4f27895bd

Formbook

2080ae2cfe843c0e1754f994b356086718dd6dceedf974ca37b629fb4da817a6

Formbook

35880c5210af5dca3edc22a693ab5f0cfcec0105cec988d930ab29fe09bd3461

Formbook

6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4

Formbook

9c1d6191badf084113871feba0049fac8a2bb5761136877383579cdcf7cd781a

Formbook

9de1892b227f07e8896b3dfa4d1f8b450bf2af962b1ec34f3075acc7a4187259

Formbook

cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c

Formbook

ee1e6c57be9de3dde5f374dd49232f23b3667b52fdf770649bbd27a1abceaa16

Formbook

+ 5'555 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210602-cdtb9md5we/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.111bjs.com/ccr/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f7699f895564624f542f4a0aee4357bedac9f6c6bb3fef74cf7cc8bfb72e4eba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/164099/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample