MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e
SHA3-384 hash: 4d9e5a6deced2d7fe324dfac6a8bc33a2b4da9b63807836725a66dc0224a7b31c2573b2b79b143443857be93b02b75fa
SHA1 hash: e5d67a362ae9c51449000987f42882fba4d402df
MD5 hash: 0377728dc176c34ec287a4ee6e1b6800
humanhash: sad-steak-robert-six
File name:15012021567.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:801'280 bytes
First seen:2021-01-15 07:15:25 UTC
Last seen:2021-01-15 09:12:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:lF8jbr1Ka44cRD5W/NlCrijdOuKUrg2WuXW4jlc2aBu/eJa:lOr1K5BMlljdUIg2NX/m2axJ
Threatray 3'440 similar samples on MalwareBazaar
TLSH 59056A10ABD19700E7FC67BD282010611BF5EB6AF7F9E35CDD4060795EA2A1844FE7A2
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail-smail-vm51.hanmail.net
Sending IP: 203.133.180.239
From: 빈둥지 <byoungsmin1369@hanmail.net>
Subject: 견적 요청 /RFQ-15012021543 Order
Attachment: 15012021567.cab (contains "15012021567.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15012021567.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 07:26:56 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/739e35f5-fa9f-4688-8bc1-20762d3e8314

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112184/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.504.20983.15551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/582239
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340155 Sample: 15012021567.exe Startdate: 15/01/2021 Architecture: WINDOWS Score: 84 19 Malicious sample detected (through community Yara rule) 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected AntiVM_3 2->23 25 4 other signatures 2->25 6 15012021567.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...\15012021567.exe.log, ASCII 6->17 dropped 9 15012021567.exe 6->9         started        11 15012021567.exe 6->11         started        13 15012021567.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 04:24:03 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7mnvhasrw7e2aemap7xbthyui23iyqhjzlwqocjyt2wjdyyrx4pa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
Formbook
38dac51ef91ec8f45bdb2749e2eec758b07e7b9855f2b9b25d2e59783ba9ff41
Formbook
40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559
Formbook
5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe
Formbook
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
Formbook
82c53ee74253581efe369c99373d6c978b3b9b799eb04de6c4eb59d2825e8ee2
Formbook
ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
Formbook
bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449
Formbook
c3d490568e73f61c86d2d4c01e170bdcf3c0d3eb5e309ff3d3fb808a4a867a54
Formbook
cf5a2454c16d739c04939e84f71d62772620f7d0f90df49266e8493393da7167
Formbook
+ 3'430 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210115-eavz3fhq7j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.southsideflooringcreations.com/dkk/
Unpacked files
SH256 hash:
ef897a9a9f0daf87183137cf36cfd3bcb36bbda74165d320668b17732e0ac61e
MD5 hash:
15554a5ed05f7ff8dfaad521ccfae743
SHA1 hash:
7d45f2d91d4eecd6a4a4afb0d0f2c2e270c6ea60
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6fc48e39-a5d4-4ce5-8f22-21588ab63fab/
Parent samples :
ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e
SH256 hash:
60437268311fdd67dac526cbf2c5aefb5cf40284d58c5a3cc1a2c1ed60d89b51
MD5 hash:
e81c45db8c1cdcce5c56976e0df3ea6c
SHA1 hash:
2d83ce8bb19dc69d08588c1a5001f881d1e65f17
Link:
https://www.unpac.me/results/6fc48e39-a5d4-4ce5-8f22-21588ab63fab/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/6fc48e39-a5d4-4ce5-8f22-21588ab63fab/
SH256 hash:
fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e
MD5 hash:
0377728dc176c34ec287a4ee6e1b6800
SHA1 hash:
e5d67a362ae9c51449000987f42882fba4d402df
Link:
https://www.unpac.me/results/6fc48e39-a5d4-4ce5-8f22-21588ab63fab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

cab ae378431fd06aa5828fa44b2ad0c771e4974c42692a150411aa199f01ea2366b

Formbook

Executable exe fb1b538251b7c9a011807fee199f1446b68c40e9caed0709389eac91e311bf1e

(this sample)

  
Dropped by
MD5 89080e7c49a05dd6dfe3e62d76f5ee2b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112184/
  
Dropped by
SHA256 ae378431fd06aa5828fa44b2ad0c771e4974c42692a150411aa199f01ea2366b

Comments