MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb1b3d85ecb0afaebc878f4cd09ffc66004dc0dae189e8d1952ab584bf8a01d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb1b3d85ecb0afaebc878f4cd09ffc66004dc0dae189e8d1952ab584bf8a01d8
SHA3-384 hash: 16999142c28fd109dad63d3587379648544b0347b0b4900641e43ab4caae53faf8894f9b5caa643757ad5952e4b9e4e0
SHA1 hash: 879fe8804ddf0013f4fc07b9be49d2ca743e596b
MD5 hash: 9016909878ac1ad68e35ec83aa6988d7
humanhash: angel-crazy-apart-illinois
File name:9016909878ac1ad68e35ec83aa6988d7.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:49'664 bytes
First seen:2021-04-26 06:36:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:rtctYZjGKQzlrZiua0F3r8j0M+hsZVHh:LZjGKQzlrZiuNhr8j0LY/
Threatray 4'765 similar samples on MalwareBazaar
TLSH 632371153500B115C3AE763686A7D92423F0C3F35B71920EFA9D736ECE932A66C896CD
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_0592107.doc
Verdict:
Malicious activity
Analysis date:
2021-04-26 05:17:13 UTC
Tags:
exploit CVE-2017-11882 trojan dtloader loader formbook stealer
Link:
https://app.any.run/tasks/f1fc1a14-11dc-4e33-81b1-21c117602280

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/144227/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.12734.15564.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a UDP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3cae352a-5f6f-47f9-ad40-d354feab1026
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697406
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397624 Sample: NQ1vVJKBcH.exe Startdate: 26/04/2021 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 10 NQ1vVJKBcH.exe 15 4 2->10         started        process3 dnsIp4 48 xwjhdjylqeypyltby.ml 104.21.88.107, 49703, 80 CLOUDFLARENETUS United States 10->48 60 Tries to detect virtualization through RDTSC time measurements 10->60 62 Hides threads from debuggers 10->62 64 Injects a PE file into a foreign processes 10->64 14 NQ1vVJKBcH.exe 10->14         started        17 cmd.exe 1 10->17         started        19 WerFault.exe 23 9 10->19         started        signatures5 process6 dnsIp7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 23 explorer.exe 14->23 injected 74 Tries to detect virtualization through RDTSC time measurements 17->74 27 conhost.exe 17->27         started        29 timeout.exe 1 17->29         started        40 192.168.2.1 unknown unknown 19->40 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->38 dropped file8 signatures9 process10 dnsIp11 42 www.slfengyang.com 156.253.78.210, 49726, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 23->42 44 www.salaandco.info 217.160.0.251, 49728, 80 ONEANDONE-ASBrauerstrasse48DE Germany 23->44 46 www.yashaxi.com 64.190.62.111, 49725, 80 NBS11696US United States 23->46 58 System process connects to network (likely due to code injection or exploit) 23->58 31 cmd.exe 23->31         started        signatures12 process13 signatures14 76 Modifies the context of a thread in another process (thread injection) 31->76 78 Maps a DLL or memory area into another process 31->78 34 cmd.exe 1 31->34         started        process15 process16 36 conhost.exe 34->36         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fb1b3d85ecb0afaebc878f4cd09ffc66004dc0dae189e8d1952ab584bf8a01d8/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 06:37:08 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7mnt3bpmwcx25pehr5gnbh74myae3qg24ge6rumvfk2yjp4kahma._file
Verdict:
malicious
Similar samples:
07f112fbe5d3677503d19457331c28fdbf1a82e2268a80b6753e483ccce3722d
Formbook
545d2a220b69923954de8e8040be2c9b5e75ba757545182a077388981d0a6950
Formbook
5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Formbook
7f6694752a3e50d4f811fb5c807f305ba5c4b422c3fa10468132575c6c2505b6
Formbook
957c5b5a6f0af47354f9ed2d09522fc671b8c0af06e3f3a5b6354e111b2c8129
Formbook
9dac57302e2261a1a3c6a665d3960525b27fb70a1fd6b1e135a3e72f11c6f3e6
Formbook
a46f0189a9016e0af96bebed0e62fad7bbd7e6223ea036c0e6d2da4f9a04a6cc
Formbook
c1bcc9edb69c75aa2e1052ef728392ca9a922a23888a4be835e0bc4dbd150752
Formbook
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
Formbook
f4738e611922161d38399f61ebe6c8332bbf3e54f1d23475c0bf0b476d05a1df
Formbook
+ 4'755 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210426-n67flwpfrj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sevenwhale.com/sdh/
Unpacked files
SH256 hash:
fb1b3d85ecb0afaebc878f4cd09ffc66004dc0dae189e8d1952ab584bf8a01d8
MD5 hash:
9016909878ac1ad68e35ec83aa6988d7
SHA1 hash:
879fe8804ddf0013f4fc07b9be49d2ca743e596b
Link:
https://www.unpac.me/results/3a4dc049-7dc1-4fd0-b4e8-2075c4b60c8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb1b3d85ecb0afaebc878f4cd09ffc66004dc0dae189e8d1952ab584bf8a01d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe fb1b3d85ecb0afaebc878f4cd09ffc66004dc0dae189e8d1952ab584bf8a01d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1169750/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/144227/

Comments