MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d
SHA3-384 hash:	4152dcdbb88f6dbd6b3a29f57dea4c74fd8168a1d5b029af4f54c4acf4ad209c60a320f09794d14e816c84897b155f97
SHA1 hash:	5aa235ca7e1e3ffcdb8bb5117e81f88dcaa77767
MD5 hash:	c45c00db088c9266dd8fa1286c3dc9c2
humanhash:	april-sad-iowa-carpet
File name:	0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d.bin
Download:	download sample
Signature	Formbook Create hunting rule
File size:	180'736 bytes
First seen:	2022-07-22 11:04:31 UTC
Last seen:	2022-07-22 11:57:53 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:UGsItlaumo9AIhW3JVprEl8dRmUssnZwidpsOdIygRfL3A:ttouN9AIOVpASiUssnimIygRk
TLSH	T146048D32E701C071E3B242F5B26D1BBB843E1C343265A096F7E61A916EE09E5B56D31F
TrID	34.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 23.4% (.EXE) Win32 Executable (generic) (4505/5/1) 10.7% (.EXE) Win16/32 Executable Delphi generic (2072/23) 10.5% (.EXE) OS/2 Executable (generic) (2029/13) 10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	KdssSupport
Tags:	exe FormBook

KdssSupport

Uploaded with API

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d.bin

Verdict:

No threats detected

Analysis date:

2022-07-22 11:15:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/046e8cf3-510c-4ee4-8211-85cf96da27c9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293368/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.48175.7535.21858.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed virus windows xloader

Link:

https://www.filescan.io/uploads/62da84e40e298a94f3ed47f6/reports/498be22b-7d87-4f23-be2d-b076453845ec/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e1c6a985-5acc-4514-b804-c9a6c1e619e7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1039167

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses dynamic DNS services

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

xloader

Link:

https://mwdb.cert.pl/sample/0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-07-22 11:05:07 UTC

File Type:

PE (Exe)

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bscw44zb4hoi6ornvty75mfickbx3aq3qj7tps6wyei7djbxbngq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220722-m6t1saeff3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d

MD5 hash:

c45c00db088c9266dd8fa1286c3dc9c2

SHA1 hash:

5aa235ca7e1e3ffcdb8bb5117e81f88dcaa77767

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/81c899c8-a285-486b-ad26-652e1b9e9b67/

Parent samples :

751ed5e8f8034a97085df7f889e6269364111b1a49ae8d89be71232cb03b04f0
6e4f0f6801e6dab5b20618dd2b1588cb0ea9662873907c6c2685c6c6c1c5227f
17986f73309258ece680ea20d2008a36b4a79d5759cfb3ba0269f0e697d49085
6ecc41234c9c627fb864d3de10169477884aab6d62c199141a1b1b2da8b7ff8c
0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0c856e7321e1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 0c856e7321e1dc8f3a2dacf1feb0a812837d821b827f37cbd6c111f1a4370b4d

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/293368/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample