MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac
SHA3-384 hash: 37dfa24202f0061c28db8b48527afe0d535322fdfaaffebcd1e490bf5ed43bf4d246be404db282172a911e9f7b1716f3
SHA1 hash: 60bcb41d5ef76af919c769fab88f53c6a623a83b
MD5 hash: cc35be28c18578d43849919ac1025d5a
humanhash: fifteen-lima-summer-speaker
File name:in.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:237'568 bytes
First seen:2021-01-13 20:08:05 UTC
Last seen:2021-01-13 21:59:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 13f6eb96e7165e986a0d233796ec15e0 (5 x Formbook, 5 x RemcosRAT, 1 x Loki)
ssdeep 6144:ouPcYfkbIjb4UG5rGbq8NP/wQX26LR47tGOjRFSB+Fhv5:oijbW5raqc/wQm6LWXj3So3v5
Threatray 3'346 similar samples on MalwareBazaar
TLSH B834F14CB241D532CAA0A1B5D324C637ABB7AD1A2234519FFF488C9613BFD51ADB41CE
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

From: michelle <michelle.sm@emecqatar.com>
Reply-To: info@emecgatar.com, michelle.sm@emecqatar.com
Subject: Invoice & Ledger SOA Reconciliation Request
Attachment: INVOICE SOA.rar (contains "in.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
in.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 04:58:07 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/7bf7180d-55d4-426d-a105-1c62b9529972

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111838/
Detection(s):
SecuriteInfo.com.Variant.Midie.78351.117.4324.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Replacing files
Deleting a recently created file
Creating a file in the %temp% directory
Creating a file in the system32 subdirectories
Launching a process
Creating a file
Changing a file
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a browser process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/580583
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339331 Sample: in.exe Startdate: 13/01/2021 Architecture: WINDOWS Score: 100 34 www.spontaneoushomeschooler.com 2->34 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 6 other signatures 2->44 11 in.exe 2->11         started        signatures3 process4 signatures5 52 Maps a DLL or memory area into another process 11->52 54 Tries to detect virtualization through RDTSC time measurements 11->54 14 in.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 28 198.54.117.216, 49753, 80 NAMECHEAP-NETUS United States 17->28 30 www.demenageseul.com 199.59.242.153, 49751, 80 BODIS-NJUS United States 17->30 32 6 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 21 NETSTAT.EXE 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac/
Threat name:
Win32.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 20:08:17 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bsorc2ufjytuknably7i5a2jnb6ayf5qczjxenscv3xfhkrzx6wa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
086d2a6e11da6e37ab46eb8d75c2eeb3d4aa825001be71e1e109b4578e5a321c
Formbook
2e5c06a91024751da7594897931a9f0ab74cbff7a6e7b497c2596e8c08f8ab7a
Formbook
37c41a797e70fef4120a5175d93835738ed9b9b85e24c912d61c7e1f96265f51
Formbook
40ab7eec94ce3cf73aecefa97bac455a951f1f4d85a71f1f75121d762488e4b0
Formbook
73d3092b1f9a4b51d169f0757e120c8bb1e7d0a650a83dc00ea0dac2204df55a
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
9190ecab05b8d87ff3eb39ccf5e723739c1740dfb1adb42670163770fa98144b
Formbook
9f5d6064f7ca561c9ebbd065a2d7f653a3dd1df31e67744f5dde208e35165959
Formbook
bcb6c59b80bb1f569619a82584bcd0f5ba4ab88ce9e777347a9a99af04ed1414
Formbook
f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
Formbook
+ 3'336 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210113-q29w3n6cne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.besthandstool.icu/uds2/
Unpacked files
SH256 hash:
0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac
MD5 hash:
cc35be28c18578d43849919ac1025d5a
SHA1 hash:
60bcb41d5ef76af919c769fab88f53c6a623a83b
Link:
https://www.unpac.me/results/08924e34-0e24-4583-b076-f454ee0f4e75/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 306dbed9d5976d3969b023df3ca9688819ba4cd31f5d94c6f5005f26e4db51aa

Formbook

Executable exe 0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac

(this sample)

  
Dropped by
MD5 4195a630701c2f37f483c4ecdcb331e0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 306dbed9d5976d3969b023df3ca9688819ba4cd31f5d94c6f5005f26e4db51aa
Cape
Cape
https://www.capesandbox.com/analysis/111838/

Comments