MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086
SHA3-384 hash: e419d450d382d60063d02722da52dcbd130d7bd73d2bd4fd20eacda8a0fa39d92840bf67e566c49b35a43f114d34be33
SHA1 hash: e96e1f8f1748e97f6c76e742e2476cffb85e3a9b
MD5 hash: 06d52303ed1b2e8cc1e1c9cc04f03f3a
humanhash: monkey-cardinal-nine-quebec
File name:Urgent December Rfq #34567745.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'084'928 bytes
First seen:2021-12-16 05:17:16 UTC
Last seen:2021-12-16 06:48:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:pcgIWnx8ZJaOULONuUXaq5qLpKS+NtX/6GA07ZNMpxjsK2:p//n4asX5c+SGA03W2K
Threatray 12'261 similar samples on MalwareBazaar
TLSH T1123522507BE29109C36A4F376A22A400337AB90A7E16CB8F3DDC758C566F7D90583B67
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214434/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1130.955.9412.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61bacc0e81d232372003db05/reports/ee8c1718-ebea-4123-bb12-8e44af9538b7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3823b3a-e5e7-4c34-b2cc-66f5f2c5b03c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908255
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Sigma detected: Suspicius Add Task From User AppData Temp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540733 Sample: Urgent December Rfq #345677... Startdate: 16/12/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 14 other signatures 2->43 9 Urgent December Rfq #34567745.PDF.exe 7 2->9         started        process3 file4 31 C:\Users\user\AppData\...\JXuaUTBOhWja.exe, PE32 9->31 dropped 33 C:\Users\user\AppData\Local\...\tmp3246.tmp, XML 9->33 dropped 35 Urgent December Rf...4567745.PDF.exe.log, ASCII 9->35 dropped 45 Writes to foreign memory regions 9->45 47 Adds a directory exclusion to Windows Defender 9->47 49 Injects a PE file into a foreign processes 9->49 13 RegSvcs.exe 9->13         started        16 powershell.exe 25 9->16         started        18 schtasks.exe 1 9->18         started        signatures5 process6 signatures7 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 2 other signatures 13->59 20 explorer.exe 13->20 injected 22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        process8 process9 26 rundll32.exe 20->26         started        signatures10 51 Tries to detect virtualization through RDTSC time measurements 26->51 29 cmd.exe 26->29         started        process11
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 17:52:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75exfhywmyziqyueudxz4xqiifiqs2wmdkt6ipbvh2jc4l53ccda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14642e431716be5f43044de68f915037e0358a401f59e490f5370cc5563a1a23
Formbook
1ee20ec28c5649c69a2cab43e7f7e99d9f6c839cc5ae5ed2e279281682fe3b53
Formbook
24020c0cae5f243c30eaee1fa84e2bf8899f1acb80a16491b7dce179d1ffe6a4
Formbook
2c74b3cf30c4c89fcd341129917f850be3faf7f7f91646545e7d65106a30dfb0
Formbook
2eec14d00309c58144cc8234ebc9c5c4c9d81a3511f45830e50a3929fe2b158a
Formbook
5a415f33b3c85f8c6c11b439e675c802a1fb0f7848237707a606519172e678bb
Formbook
afa8139ef1e6cbc28ac8aa89dbd9fc2d2922724eb5749e1eed1a80c4f9813ea8
Formbook
afb0dcb294330abe26a2e2611f36441607a878844a251bea8be3e9407e238ad8
Formbook
c781169f80930851f2174df529d1aaba061c45fd7ef90c5059a7c513bfda3414
Formbook
cf8ab312ec2e263777fd777cdc2f714c18d259241bfeec9dbe6eb4ac62708f7f
Formbook
+ 12'251 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:a94o rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211216-fzaj8scadn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
729bff72d7df86950c9a03b9d5814267b5f738df9aafd27b8d25603f2a910f33
MD5 hash:
ee24f75a5a8b88bf33a08abed0b62442
SHA1 hash:
98e44fcb0767dd065d3d6e9185330243dbc1dd69
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/87f43482-3bbb-40c5-a4a2-2fa897c401fd/
Parent samples :
166eaef2a1db9235f1cfa04186b1586ddb1f81466d4a47d4a835d6fbecdaafca
ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086
ccc5b256bd8bd09fb241407caee97afda894f2a884b533f3634324e7b87da47e
8e4da8766eb5ea763138244606bbdbafd4297a332988868411194d067724e24f
34f46dda75810eb7a5f92544fdbecf589cc3633a7ef163b54f338477598af7f1
SH256 hash:
f8ee3ec61da05401295cfc650a604dc644a16a8d7afc9f090cd9f7a0d9300317
MD5 hash:
7e9f1e09d0aa634d949c26737c26ff3c
SHA1 hash:
cb6b35efc98d0656148907ce56268a964556664d
Link:
https://www.unpac.me/results/87f43482-3bbb-40c5-a4a2-2fa897c401fd/
SH256 hash:
e9fd00a9eb4471663889380581c5c4716834e5a2f8f9dfe77404ea1fcd02bab6
MD5 hash:
68d08b4a2b134400b628827fe7d2b3d4
SHA1 hash:
85b4a67fba9a6b1b2b93321319cda8ae99536e4e
Link:
https://www.unpac.me/results/87f43482-3bbb-40c5-a4a2-2fa897c401fd/
SH256 hash:
ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086
MD5 hash:
06d52303ed1b2e8cc1e1c9cc04f03f3a
SHA1 hash:
e96e1f8f1748e97f6c76e742e2476cffb85e3a9b
Link:
https://www.unpac.me/results/87f43482-3bbb-40c5-a4a2-2fa897c401fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe ff49729f166632886284a0ef9e5e084151096acc1aa7e43c353e922e2fbb1086

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/214434/

Comments