MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58
SHA3-384 hash: 6d04da20b29f274089396b2205976944e6fc52596c1befaa702129d6b266015236178308b8fe1312067fd00f2e4d431b
SHA1 hash: 4537ce54c89000cf74e7d52aaed185d063781779
MD5 hash: b814f8c032adf1fa13acd72cb2364ebf
humanhash: network-texas-fillet-leopard
File name:PO-4093021.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:603'136 bytes
First seen:2022-05-25 07:22:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:jwEuSe80GZFFamsdszFYLLG1if0qYzN05/h42zU8PX:jwEuTmsd+k0pNIb
Threatray 16'184 similar samples on MalwareBazaar
TLSH T1C5D42309132CA30BDA399FF52A71887003F1E96B9D52F78E8E8774C14DF7B108596A67
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO-4093021.exe
Verdict:
Malicious activity
Analysis date:
2022-05-25 07:26:43 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/eb0f0f4b-f3b6-4dca-b00b-e548f2eba646

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274375/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/628dd993945ebb7eb17a1bcf/reports/b087159f-fd16-48a3-be51-51a8bb293ee8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f3696a5-affb-48d6-a5cc-be0f1c1f9e08
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1001332
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 633828 Sample: PO-4093021.exe Startdate: 25/05/2022 Architecture: WINDOWS Score: 100 31 www.visionuptechnology.com 2->31 33 visionuptechnology.com 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 7 other signatures 2->41 11 PO-4093021.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\PO-4093021.exe.log, ASCII 11->29 dropped 51 Tries to detect virtualization through RDTSC time measurements 11->51 53 Injects a PE file into a foreign processes 11->53 15 PO-4093021.exe 11->15         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 15->55 57 Maps a DLL or memory area into another process 15->57 59 Sample uses process hollowing technique 15->59 61 Queues an APC in another process (thread injection) 15->61 18 explorer.exe 15->18 injected process9 process10 20 cmmon32.exe 18->20         started        signatures11 43 Self deletion via cmd delete 20->43 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        25 explorer.exe 1 153 20->25         started        process12 process13 27 conhost.exe 23->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-25 03:50:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 41 (43.90%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7pg7cuzkeckzequd5hla6aj5cbydntplzytxfp5pig2ctey735ma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19a9ec9da618f09710fd8e6e1daec72377e05e78bd7469f33e203a9529d712fd
Formbook
38dcb9b9943a8e9c79592af3c754aae2feb84c832e7111828224f2bd663f3d82
Formbook
5938c544d44a8b9714eb80c498d7cbb327b55d8176541118394d3357727f3d28
Formbook
9997ae9723bd215339367807584c52f6e7c99910d5d155f10294b7a8ac55ba1a
Formbook
c7fbbdd84572a117d47a54168e71b8bd86f0c70198468486f6c3a040e9ecc310
Formbook
dc0ed0d428679dd6269a17ca9c6fd5d0af9ac0cf62fd66c3abf30736a0df9ad2
Formbook
ddefebb59f9e4b8fc00e13686024f829fbc7d82a2b0d07fd29748071708a5850
Formbook
edc8375d2a96c96eb0d3b8c7acfba4a9ba7f602deb4a2738d4ff07f0ee129e98
Formbook
+ 16'174 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:amdf rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220525-h7sf5acffn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
f44e4c73d593278c11ac37c4166f7a85493ed0b8b41ad06d0c696839b659bca6
MD5 hash:
592614a0b186e4050c6630875c9f318a
SHA1 hash:
b562e180e2d3cdc6c7baaff7a818aee0fe6e1a6d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ff03e0bd-4825-41c8-a81f-63eed2c3fc33/
Parent samples :
ff4e7b32b4c4ac0f5fbdd12b9c2ffd894fe647d1d22fe009035cc307a540322d
edc8375d2a96c96eb0d3b8c7acfba4a9ba7f602deb4a2738d4ff07f0ee129e98
f083cca9a8f0665f33ea6d3a133e5e8fcfc8fc2e4828ddcbd8c035344e7c5667
fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58
fa318879db358e490dc763417711d144a17bd5ad8061821a1e820521ebefac16
b1b671842ea0b17a67e78741ceb401ccee0907e55c7a365aa78bf17aebe8e356
363c3288efc15bdba3db28988766e6554fca04e6bcb49e094f7a521388016fe8
SH256 hash:
c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2
MD5 hash:
86f922d84e1b89f646bc23cb3d878a9c
SHA1 hash:
b61f4401c1a144d704988cf4e55dd9a71f8d8263
Link:
https://www.unpac.me/results/ff03e0bd-4825-41c8-a81f-63eed2c3fc33/
SH256 hash:
a10d4fcf9b9e395cd5da7735de002bfbea9bcc5bfb705a87082f4f651eefdd8e
MD5 hash:
3ad23a0eea5427204bb7616d70d26989
SHA1 hash:
b2407a0de0683803aa38cf05504fe843f0e2ee2f
Link:
https://www.unpac.me/results/ff03e0bd-4825-41c8-a81f-63eed2c3fc33/
SH256 hash:
0283941f1f7ae72f88bb3044addc3f4274549c3fd771612ec3df95c80b708c9e
MD5 hash:
abcf7824b477074db7ac154a80d1e329
SHA1 hash:
9c6982829bff318776560846de7bcc39d3c16f7f
Link:
https://www.unpac.me/results/ff03e0bd-4825-41c8-a81f-63eed2c3fc33/
SH256 hash:
8bf6edb5335310207a74fecfd6bfadd9648f75ef292ca10c08697364d4d837c4
MD5 hash:
6b46da8baf1ff7401dee7bf7549f4139
SHA1 hash:
9c4f11b76585da52300cb74ae62e1a5d9b968e57
Link:
https://www.unpac.me/results/ff03e0bd-4825-41c8-a81f-63eed2c3fc33/
SH256 hash:
fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58
MD5 hash:
b814f8c032adf1fa13acd72cb2364ebf
SHA1 hash:
4537ce54c89000cf74e7d52aaed185d063781779
Link:
https://www.unpac.me/results/ff03e0bd-4825-41c8-a81f-63eed2c3fc33/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe fbcdf1532a2095924283e9d60f013d107036cdebce2772bfaf41b429931fdf58

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/274375/

Comments