MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01dcab439656ed811b8bb194120735d6bd956f6cf747f97d0adba3b47d13daa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01dcab439656ed811b8bb194120735d6bd956f6cf747f97d0adba3b47d13daa8
SHA3-384 hash: 22597818afe24349448aeb35bfba42b8d418194a977693b0c2feef53659438feec15ba45c7f7fd7d4e15e767915422f9
SHA1 hash: 271aa3558838d1532e49cda5d694b3afbac430b0
MD5 hash: a1667c68ec2150b84c4f710e80131025
humanhash: network-fifteen-carbon-ten
File name:revised invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:953'344 bytes
First seen:2020-12-01 14:43:53 UTC
Last seen:2020-12-01 16:51:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:nG+KBip/X1l7iMF56d3dKEsHQ+B1XbtY0CwjYF1IjYP/m+35K1l8ulb/f/pxAdvX:nfp/l0MFkxmTvXndkP/NpKVCiC
Threatray 4'464 similar samples on MalwareBazaar
TLSH 131548AB311079FFCC538531CEA82C74A650AE7A431B46CEA05B95EF9A5F847CF540E2
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106254/
Detection(s):
SecuriteInfo.com.ArtemisA1667C68EC21.2106.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching the process to change network settings
Launching cmd.exe command interpreter
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/552447
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 325333 Sample: revised invoice.exe Startdate: 01/12/2020 Architecture: WINDOWS Score: 100 31 www.twobluemagpies.com 2->31 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Detected unpacking (changes PE section rights) 2->43 45 10 other signatures 2->45 11 revised invoice.exe 14 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\revised invoice.exe.log, ASCII 11->29 dropped 55 Injects a PE file into a foreign processes 11->55 15 revised invoice.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.rock-leaf.com 74.208.236.246, 49768, 80 ONEANDONE-ASBrauerstrasse48DE United States 18->33 35 td-balancer-euw2-6-109.wixdns.net 35.246.6.109, 49760, 80 GOOGLEUS United States 18->35 37 5 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 netsh.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01dcab439656ed811b8bb194120735d6bd956f6cf747f97d0adba3b47d13daa8/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-01 11:07:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahokwq4wk3wycg4lwgkbebzv226zk33m65d7s7ik3or3i7it3kua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07528f3c583c546d2b444b091c3ede380c6427ed0691b95294c7e32dd35560ab
Formbook
273e14710bfe15975737d9e213b6007a29cc795c993b6b121c745581ec1c4b96
Formbook
3904b8ba4d99b9e8d8b75af02e5d6de0153ef59e5f03d9b30319acbe625ff986
Formbook
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
Formbook
49e40687ad1ffb7ba491d92cd38333d3e96c134ba7739dcdd3e8ee2ea1b19506
Formbook
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
Formbook
95deccdc9ef87962793e87e162d62c1d07c56dbae3b964d93e79c190f38183f7
Formbook
d8eca36ecff579ceffbd778ab8c8949a94d4967e1c0965988b2a68671f1915ef
Formbook
e232dc56a916d659961271caf129b47c5fa561f71ecff17f6c96801cd7b50820
Formbook
eecabbdec29294f055c109660c94db3de0ce9187461ea6f18639cf9c34883e70
Formbook
+ 4'454 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201201-rlcebzmfax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Drops file in Windows directory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.danneroll.com/mnc/
Unpacked files
SH256 hash:
01dcab439656ed811b8bb194120735d6bd956f6cf747f97d0adba3b47d13daa8
MD5 hash:
a1667c68ec2150b84c4f710e80131025
SHA1 hash:
271aa3558838d1532e49cda5d694b3afbac430b0
Link:
https://www.unpac.me/results/7ff8135b-bc01-422b-9369-18395f59bea4/
SH256 hash:
9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash:
7476e403eef14ac403c63c7279831780
SHA1 hash:
8387f558e30dc115987ac2b5c174a41302471abf
Link:
https://www.unpac.me/results/7ff8135b-bc01-422b-9369-18395f59bea4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01dcab439656ed811b8bb194120735d6bd956f6cf747f97d0adba3b47d13daa8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar a3cbb59f07c45339f42dc08e17888f06ab2286704f680c218a1221597af9bb3a

Formbook

Executable exe 01dcab439656ed811b8bb194120735d6bd956f6cf747f97d0adba3b47d13daa8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a3cbb59f07c45339f42dc08e17888f06ab2286704f680c218a1221597af9bb3a
Cape
Cape
https://www.capesandbox.com/analysis/106254/

Comments