MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf
SHA3-384 hash: 5857a3ad9a7b7b73ace8eadb417cacec3cb69f59d43dd963932f014013cbfeee92b1a235b8026c056636f2c948be12ec
SHA1 hash: a8fbc87c776ea5b64d4aa292fca488e785207fef
MD5 hash: 7b205f9d9573800b94b1547e24f0dbef
humanhash: lima-delta-social-ohio
File name:7b205f9d9573800b94b1547e24f0dbef.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:417'280 bytes
First seen:2021-11-19 08:40:25 UTC
Last seen:2021-11-19 14:03:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Efpt3meG/Rtjx075Ao3pRtR/sKTv7Ksjzsoen0t+DJK2qA:kpd8x0FnwORnso0WL
Threatray 11'369 similar samples on MalwareBazaar
TLSH T1879412006B980B2AC2BF4F7C51792121137A72096D33E32E5EC075ED592779A8B66F73
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER 19202111.doc
Verdict:
Malicious activity
Analysis date:
2021-11-19 06:58:11 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/de66e801-54b6-435a-81c8-7fd438994839

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.45775.3281.29433.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619763202695a62af9f3aeba/reports/b7f64dd6-fea9-4fbb-9539-3c54f73a8c07/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9aae7817-bdd8-4e88-aa24-6f3af855fe1f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892532
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 525007 Sample: yyXRySqkOL.exe Startdate: 19/11/2021 Architecture: WINDOWS Score: 100 28 www.milfhackers.com 2->28 30 www.788027.com 2->30 32 parkingpage.namecheap.com 2->32 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 8 other signatures 2->48 10 yyXRySqkOL.exe 3 2->10         started        signatures3 process4 file5 26 C:\Users\user\AppData\...\yyXRySqkOL.exe.log, ASCII 10->26 dropped 50 Tries to detect virtualization through RDTSC time measurements 10->50 14 yyXRySqkOL.exe 10->14         started        signatures6 process7 signatures8 52 Modifies the context of a thread in another process (thread injection) 14->52 54 Maps a DLL or memory area into another process 14->54 56 Sample uses process hollowing technique 14->56 58 Queues an APC in another process (thread injection) 14->58 17 svchost.exe 14->17         started        20 explorer.exe 14->20 injected process9 signatures10 34 Self deletion via cmd delete 17->34 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Tries to detect virtualization through RDTSC time measurements 17->40 22 cmd.exe 1 17->22         started        process11 process12 24 conhost.exe 22->24         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-19 03:34:55 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
418718725035504832c3febfb2372a9a5bb117d9811dcc67d1f290f8dd9900f4
Formbook
425d46c51bf681a37b1f34a602ebf6c7f571060bf698e70f2fd495169f804f92
Formbook
5aad7a3f3d55c4741d8a79b59e0e9f922d375adab9f998ababc03a88a2feb27c
Formbook
754a9c7607d3b754e5adab5f2a54a78d7596d2f73096bf4d529012e705cb1230
Formbook
8ddc14ac94185fbe27b3764fb4e24fd8c25626a465074e8f640955a6f3409c08
Formbook
dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c
Formbook
f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729
Formbook
f6c1dc28509953d4c7df0cd272714f2ba3de92f85b2ba90d071710580f1df635
Formbook
+ 11'359 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ob7y rat spyware stealer trojan
Link:
https://tria.ge/reports/211119-klfljscgh4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.metanewsroom.net/ob7y/
Unpacked files
SH256 hash:
2da5a77c6251c64099055f36662277c298c83062c5c14dfdd5089319ce85a053
MD5 hash:
a766f9394fe7d0012da3ec32f533f081
SHA1 hash:
428115ad57dcbc26b22c151419509827f31882fa
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/59edcfe7-72f8-4cbd-8670-06573ca480fb/
Parent samples :
754a9c7607d3b754e5adab5f2a54a78d7596d2f73096bf4d529012e705cb1230
fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf
d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c
25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97
0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe
SH256 hash:
d781738968db993b4d2b3e9826e90d65f45f30a6c3b115e3dc9027808fdd55d6
MD5 hash:
b4bce74b6b961748e9e612d4898a8c57
SHA1 hash:
ad3cdfae90779c9a0567a1a51ee6c364e71e6243
Link:
https://www.unpac.me/results/59edcfe7-72f8-4cbd-8670-06573ca480fb/
SH256 hash:
cc5c5860e83b708cd158454165cbeb714767119946049de5aa7677685be75c14
MD5 hash:
83cbea4dec6e5b64a85ee9b6f9ff7598
SHA1 hash:
5c1d12b792c32ba73b7bf2634da5e4d9fbcd7d4e
Link:
https://www.unpac.me/results/59edcfe7-72f8-4cbd-8670-06573ca480fb/
SH256 hash:
fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf
MD5 hash:
7b205f9d9573800b94b1547e24f0dbef
SHA1 hash:
a8fbc87c776ea5b64d4aa292fca488e785207fef
Link:
https://www.unpac.me/results/59edcfe7-72f8-4cbd-8670-06573ca480fb/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fd2a0d7069cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1797602/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207556/

Comments