MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd2101a42ef662f15d35aac5066a8c8feffebab9c63f673a3e1d1f64c9626fbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd2101a42ef662f15d35aac5066a8c8feffebab9c63f673a3e1d1f64c9626fbe
SHA3-384 hash: ddb5f31c5cd1c0a687c6f0f5d82cce860815258ba48d745ec284ce3b535555dfa7aa9abbb86398461473523e79bc68ca
SHA1 hash: 5f095b3833258b0559a94103af8d50b82bac6531
MD5 hash: 4fedd27de997dbd93d9322df27dbd7ef
humanhash: delta-item-queen-carpet
File name:4fedd27de997dbd93d9322df27dbd7ef
Download: download sample
Signature Formbook
Create hunting rule
File size:464'896 bytes
First seen:2020-10-25 18:44:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/9EJ9wt2L2C1Iz0i1h4L9v3LtMwqTGTq:/4YC1Iz0ikZBlPe
Threatray 2'727 similar samples on MalwareBazaar
TLSH 13A4CFB57C96596EC96E077550A984C1FABA16C73FA0CB0D719B430C0F11A2BFB2325B
Reporter seifreed
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/76702/
Detection(s):
Win.Packed.Vuvazi-9783590-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/510317
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 304282 Sample: y7oVup6fp7 Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 3 other signatures 2->39 7 y7oVup6fp7.exe 9 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 27 C:\Users\user\hdhnij.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\Temp\...\Xxl.dll, PE32 7->29 dropped 31 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->31 dropped 51 Drops PE files to the user root directory 7->51 53 Tries to detect virtualization through RDTSC time measurements 7->53 15 cmd.exe 1 7->15         started        17 hdhnij.exe 2 7->17         started        19 hdhnij.exe 3 11->19         started        signatures5 process6 signatures7 22 reg.exe 1 1 15->22         started        25 conhost.exe 15->25         started        41 Antivirus detection for dropped file 19->41 43 Multi AV Scanner detection for dropped file 19->43 45 Machine Learning detection for dropped file 19->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 process8 signatures9 49 Creates an autostart registry key pointing to binary in C:\Windows 22->49
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd2101a42ef662f15d35aac5066a8c8feffebab9c63f673a3e1d1f64c9626fbe/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 18:34:09 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uqqdjbo6zrpcxjvvlcqm2umr7x75ovzyy7woor6dupwjslcn67a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76
Formbook
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
a0c73c5e7d039898c297b3e6d1c48bc7c32eae93a24b731a0c21717925dba028
Formbook
a76869f6ece56a889175cb2cebdb60e4a24025184ebeb7fa9c6210668eb023fe
Formbook
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
Formbook
afbb4d08bfde470b3405f98f84a5be0456cf40edf8f08f7b4cb7a6cfcf5ee682
Formbook
c5eddcaa83e4167df259033ee45a3624c5a700877aac6bc54dd46d1a3a1aacbd
Formbook
e85ece3cee51156974c3fb8f0e2c707dae2b51b0d2db9e5fb10531d2fdd76ca6
Formbook
f2cb02b3c504a4db0b43f79aef0d63398d9b984ee84d07acd690a448b63b5636
Formbook
+ 2'717 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201025-bvh6ty3dxn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.cpa-fukugyo.com/nh6/
Unpacked files
SH256 hash:
fd2101a42ef662f15d35aac5066a8c8feffebab9c63f673a3e1d1f64c9626fbe
MD5 hash:
4fedd27de997dbd93d9322df27dbd7ef
SHA1 hash:
5f095b3833258b0559a94103af8d50b82bac6531
Link:
https://www.unpac.me/results/0076955b-adab-49c3-888b-2bf457ab78a5/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/0076955b-adab-49c3-888b-2bf457ab78a5/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
30da128eb270e916e739f1f143e1978835fe02d8df70ec0bdc055c1b7d43c9ba
MD5 hash:
3bb97b0a8e2f1bbfdc24217e6479fa56
SHA1 hash:
0726cd392b8cd65c68459f8926fcab6a892c99c3
Link:
https://www.unpac.me/results/0076955b-adab-49c3-888b-2bf457ab78a5/
SH256 hash:
8946ac59edb69021d9aecf51b2a2dbc78cdd8541fc96439555ab9297121ef320
MD5 hash:
ad8cfa57cc2eb07773e9edf7eea4a2b8
SHA1 hash:
2167cece86c7c9059d2fed02d35a02895a2a1805
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0076955b-adab-49c3-888b-2bf457ab78a5/
SH256 hash:
b0010b0578358f56c7b1d9adc83b535675a45091a01e42acffc16cf3fed6b741
MD5 hash:
64617cafdd443398201a6037f557e9ba
SHA1 hash:
2b3f54cfce7af1d532382c862601cab5405aa255
Link:
https://www.unpac.me/results/0076955b-adab-49c3-888b-2bf457ab78a5/
SH256 hash:
279a6da495714fc794cebb17863879b30b64ec631932eeaba8713f9030ae82c4
MD5 hash:
6baeee30e6258ff66e18c0286c704cef
SHA1 hash:
71a0c018f5a431ee45d098b7739b6576efb07b7c
Link:
https://www.unpac.me/results/0076955b-adab-49c3-888b-2bf457ab78a5/
SH256 hash:
f83dba10922f6df42c5c90c1ca3688381a71a25d56e8ebac9fadbe529f99dd9a
MD5 hash:
26ee09f787fda7ef3fccc8cab5aebe5c
SHA1 hash:
bc8870eaee57ec7ccd2745e8c25b08b8f7135831
Link:
https://www.unpac.me/results/0076955b-adab-49c3-888b-2bf457ab78a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd2101a42ef662f15d35aac5066a8c8feffebab9c63f673a3e1d1f64c9626fbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/76702/
  
URLhaus
https://urlhaus.abuse.ch/url/723346/

Comments