MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f97b2cd66adc0c7b034ef08abf096ba10694657f75784ad3b0c84ab1dd438f35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f97b2cd66adc0c7b034ef08abf096ba10694657f75784ad3b0c84ab1dd438f35
SHA3-384 hash: a436d3ad631d413f04077a44488ad20d727ab4b2c59f4ddadd207d0ab1f44ac884a74494e8a6a645070bbf6e89422e7a
SHA1 hash: 82400dcfb54324f009a76d0b1721bf2fd78fab37
MD5 hash: 0dd656d1fe41f8ef237c981c2d6af56d
humanhash: river-football-burger-oregon
File name:0dd656d1fe41f8ef237c981c2d6af56d.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:842'752 bytes
First seen:2022-02-17 18:07:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:HXCaEK9bik7AQFbizQHLY3ESW5vJ7KY4XjGG:lV9bimPFIALYUSWFJMGG
Threatray 13'408 similar samples on MalwareBazaar
TLSH T179050245BB63B582C57A0FBAA8E1D1738AB5AABC7727EB375CD1238C14563E80570730
File icon (PE):PE icon
dhash icon b3b3333969693b3b (69 x Formbook, 63 x AgentTesla, 26 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242338/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1197.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit obfuscated packed
Link:
https://www.filescan.io/uploads/620e8f44ac8ad0468b4cd08c/reports/d0813959-b382-4afe-8dc5-c1ca4a880b79/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f58695ec-04b9-4af7-95a5-8ef177bf2b02
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/941842
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 574322 Sample: E3MndejJin.exe Startdate: 17/02/2022 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for domain / URL 2->30 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 8 other signatures 2->36 10 E3MndejJin.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...3MndejJin.exe.log, ASCII 10->28 dropped 46 Tries to detect virtualization through RDTSC time measurements 10->46 48 Injects a PE file into a foreign processes 10->48 14 E3MndejJin.exe 10->14         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 54 Sample uses process hollowing technique 14->54 56 Queues an APC in another process (thread injection) 14->56 17 explorer.exe 14->17 injected process8 process9 19 cmmon32.exe 17->19         started        signatures10 38 Self deletion via cmd delete 19->38 40 Modifies the context of a thread in another process (thread injection) 19->40 42 Maps a DLL or memory area into another process 19->42 44 Tries to detect virtualization through RDTSC time measurements 19->44 22 cmd.exe 1 19->22         started        24 explorer.exe 1 152 19->24         started        process11 process12 26 conhost.exe 22->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f97b2cd66adc0c7b034ef08abf096ba10694657f75784ad3b0c84ab1dd438f35/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 21:32:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7f5szvtk3qghwa2o6cfl6clluedjizl7ov4evu5qzbfldxkdr42q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6f2d71733b4bcab1a04a40168f2900963a9f65c0081a6f1d1832d18b6bae16bb
Formbook
76fb4deca980cbc985a590ac1f8481bc1b08cd9ab19fd24c902cc58347e792f6
Formbook
78925291f09bb03febfff27735cd630b96b9ea2a21aee0a8b58e156ed20b256a
Formbook
8c16cbf4df8137db774d2cb97cc386b052ca7a0b77ee1572fe7a5fc9a5a22ae0
Formbook
bb7206c1e7aa981a59c0adfea068fc8819665495c4023ce9cb06f86456b37eec
Formbook
d472be00c8fd766636fb12d2acb553ab17876fcf722587c87a8fca98a7d20aee
Formbook
db4fa159359fbe0ba9857ae0e971dd206f23a7522b14073151b27bb030db8f5f
Formbook
dee29915a45463d25c7f4de2abac14269137c359f848baf8ad4205fb07e2fa0b
Formbook
f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd
Formbook
+ 13'398 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:d7ln rat spyware stealer trojan
Link:
https://tria.ge/reports/220217-wqxleadhgn/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
155adc0ae387a3b8447736f02b849544d9f567b52bf7f1d50dadcd6582933e69
MD5 hash:
568a3dca08851a0cfed77a899df585d3
SHA1 hash:
a482573ec492fea99895d1a0515d72e4c8f2ec85
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7db7d70e-2b37-4f13-a1f3-dd11b9b5c061/
Parent samples :
cce2edbec8676315b05ba2e2dda2feb9190edb5f217b9824ae58b40a770924fe
a9ee744d7181c80db0ffbabf36933b815cf8b731ad6fb920393fb325cdfce9cc
9e6f627734e059c3e53c3c1f0211248969f412c652ea1819d83977dac47c7fa6
76fb4deca980cbc985a590ac1f8481bc1b08cd9ab19fd24c902cc58347e792f6
f97b2cd66adc0c7b034ef08abf096ba10694657f75784ad3b0c84ab1dd438f35
SH256 hash:
63b6403c6ea1378c0ff49f069597b45496dba6c0161d240e64885ab6f0806d04
MD5 hash:
72b143fd989c37772556bf302ac33be1
SHA1 hash:
ee377db4778e70261d34f8210208069df41a12ef
Link:
https://www.unpac.me/results/7db7d70e-2b37-4f13-a1f3-dd11b9b5c061/
SH256 hash:
827e3ee3a2877e2c6bf5157cdffc502e392190fc0b30550488ffad5320fbf189
MD5 hash:
638a20b8f833ba9d2d5fcf3e0290db11
SHA1 hash:
8fdfe978cbc20b69f313b91b7a75025cdb8eff91
Link:
https://www.unpac.me/results/7db7d70e-2b37-4f13-a1f3-dd11b9b5c061/
SH256 hash:
0fd8e32192182652c98259af8d1e30b7ea185521a49dd5d0ce87f69e8b267039
MD5 hash:
2f571d7a0450856d5323fd083e79f580
SHA1 hash:
720bd7cb259bf47bf5ff8b6ca01a3b25b6bb470b
Link:
https://www.unpac.me/results/7db7d70e-2b37-4f13-a1f3-dd11b9b5c061/
SH256 hash:
f97b2cd66adc0c7b034ef08abf096ba10694657f75784ad3b0c84ab1dd438f35
MD5 hash:
0dd656d1fe41f8ef237c981c2d6af56d
SHA1 hash:
82400dcfb54324f009a76d0b1721bf2fd78fab37
Link:
https://www.unpac.me/results/7db7d70e-2b37-4f13-a1f3-dd11b9b5c061/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f97b2cd66adc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/f97b2cd66adc0c7b034ef08abf096ba10694657f75784ad3b0c84ab1dd438f35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f97b2cd66adc0c7b034ef08abf096ba10694657f75784ad3b0c84ab1dd438f35

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2023853/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/242338/

Comments