MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e
SHA3-384 hash: 71ff318aab7af9af412d0ee4e675e13a2525bdecc2082308020e43b7ef5f5e4b6d07b5a51b12a9ecd892ff7bb2ecfe35
SHA1 hash: ceb0f5d3733b618019d7f0158b3ffc54014e4886
MD5 hash: a8398675f56d106c03387decadd26ce2
humanhash: quebec-hamper-vegan-lion
File name:f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e
Download: download sample
Signature Formbook
Create hunting rule
File size:245'805 bytes
First seen:2021-06-15 10:24:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:Ds9X6hWrvefHmZpgAnyCatdmsdgUlSF7MU:yKhWb/jgAnPatzdgUl+wU
Threatray 5'788 similar samples on MalwareBazaar
TLSH 0E34122335CAD8F3D15746B106339BAAD7F9EB111620026B27B09F7F1A31263E5297C9
Reporter madjack_red
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e
Verdict:
Suspicious activity
Analysis date:
2021-06-15 10:28:02 UTC
Tags:
installer
Link:
https://app.any.run/tasks/27fb205e-e4fb-446e-b755-146a2f826ad3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/166453/
Detection(s):
SecuriteInfo.com..194.17770.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Casino-141
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f73cc3b-9d6b-462c-ad83-0c340744cd6c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802305
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 434701 Sample: KK71rkO0Tf Startdate: 15/06/2021 Architecture: WINDOWS Score: 100 27 www.mujahidservice.online 2->27 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 4 other signatures 2->51 9 KK71rkO0Tf.exe 20 2->9         started        13 explorer.exe 2->13         started        signatures3 process4 dnsIp5 25 C:\Users\user\AppData\Local\...\System.dll, PE32 9->25 dropped 53 Detected unpacking (changes PE section rights) 9->53 55 Maps a DLL or memory area into another process 9->55 57 Tries to detect virtualization through RDTSC time measurements 9->57 16 KK71rkO0Tf.exe 9->16         started        29 lagrangewildliferemoval.com 107.180.41.236, 49756, 80 AS-26496-GO-DADDY-COM-LLCUS United States 13->29 31 www.umlausa.com 13->31 33 4 other IPs or domains 13->33 59 System process connects to network (likely due to code injection or exploit) 13->59 19 control.exe 13->19         started        file6 signatures7 process8 signatures9 35 Modifies the context of a thread in another process (thread injection) 16->35 37 Maps a DLL or memory area into another process 16->37 39 Sample uses process hollowing technique 16->39 41 Queues an APC in another process (thread injection) 16->41 43 Tries to detect virtualization through RDTSC time measurements 19->43 21 cmd.exe 1 19->21         started        process10 process11 23 conhost.exe 21->23         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e/
Threat name:
Win32.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 23:02:15 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7a5zdaok7h6ks2vhqbieu24k52zq5ppcjqzoffbznfmgu5oeu4ha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ed458c466676594e5feaee03cbd536339dc28c162a266daaccbeaaa7afdb887
Formbook
53e1c28059f751b2b8ba98d5c6adcf3e028f3d2953d5355d452dfd30f0830af0
Formbook
744400d590042d779a25401879f9906b979e32bba3fac355a0ff2d5a00f4fcfc
Formbook
78b11874a66b80ec78962b27c352a643d1a11c7f5cf9273f0db06df3f4f7e76c
Formbook
82de7428f30e703ae55105807dd3c3c19e2f8a377e7a5c2b925537a182d3a886
Formbook
85c528083c96b1f895ddd73681a8b78caf639b8dcf91eca47ae4e7e7cd3e3540
Formbook
931959c2c56185581ab2639948e3e207c5cb3c1e1c0225567c31f03a5b39e65d
Formbook
9c1d6191badf084113871feba0049fac8a2bb5761136877383579cdcf7cd781a
Formbook
ad2a5569cb14f86fe191f54f6fecb7bf1fe389418858f5fc72e6367c9780a9f0
Formbook
e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267
Formbook
+ 5'778 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210615-e59b7r17wj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.knighttechinca.com/dxe/
Unpacked files
SH256 hash:
82b76cb52e7135143e7e19e257d5eee8716e202521d37ec995ff5881d984bad3
MD5 hash:
83fe55a4dd78d4231a62124159d77652
SHA1 hash:
8f63071ec33d77fd671572fdd7f17a14b5fee00e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b351193a-c7ba-4be7-86a7-86c18048bf9e/
Parent samples :
f62f23f0f2a417ce32f3249502507a6036482bc41939eff23c92b1d5d44e480b
c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
eb3f64ec577c51957dfd0c55a431209e947c281c3a2a1f2d8514666530a0e608
f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e
9624205b61e073bf50cf19e4c5412bf620218a2637315701c5fa78de627a5944
76f129a0fe66ce32231fd47a2e630b2a876e071c3851169f7e87babfa0b16360
25644ff35da89545c702b633182c4ff1f649dd64c9c8249be9afe7090359d87d
e780eec0d603f5a419530a5d2c6fd85c664ac0cac7f97ba1136263fe57ea5a64
900009eb072aa1eb5377fdd09e5a4d5dda9e2755a8934fc998cc1243ab7c8765
52f12a925f53adafd752c33413413ea3928a53f124e9530909107b57527d75fd
bfcda678eede144bcbb62d4c257ed2e05a26a5087893f3dfb62273bace6fe872
443b7c4a47da2fccb7764deccda2bb60d217f1c25eb016870c7ec0f11d1c2b80
b506bb786b2b45d252f9886ad94e63cb60b60544dade0680b096f80c84cada7a
257a36fdd79cbf165caeda4a1efe458034d670b71060693fdb0d2a1bf0489aa5
cf22ce4f2db96effa84c70504160296e478ab07442b2c1f9ebcff92783c681a8
SH256 hash:
2c9e76e77551e2595b8136ca089f3e937c613d72099b4fed72cca64f4caa0295
MD5 hash:
31194beb859ca5f7edfc42bf9dc96a5f
SHA1 hash:
9725a1714fa1975cf804cfbc808124da4bef0802
Detections:
win_buer_auto
Create hunting rule
Link:
https://www.unpac.me/results/b351193a-c7ba-4be7-86a7-86c18048bf9e/
SH256 hash:
f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e
MD5 hash:
a8398675f56d106c03387decadd26ce2
SHA1 hash:
ceb0f5d3733b618019d7f0158b3ffc54014e4886
Link:
https://www.unpac.me/results/b351193a-c7ba-4be7-86a7-86c18048bf9e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/f83b9181caf9fca96aa780504a6b8aeeb30ebde24c32e2943969586a75c4a70e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166453/

Comments