MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1190cb66d731098dffb19ac78c746e5d71e25783921c3bb6f60ab5133233b3ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	1190cb66d731098dffb19ac78c746e5d71e25783921c3bb6f60ab5133233b3ce
SHA3-384 hash:	d01f1584689f698f797a156f70cee1d47f3f72d25e580f98c0445345ea27a40c3d28e18a62c3feb3503c33b85962cffd
SHA1 hash:	b87726c285fd5f3a2ec917319e568a3f854c0002
MD5 hash:	445adbafac01715f7768ee4884ad8160
humanhash:	foxtrot-table-fillet-chicken
File name:	New Order.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'049'600 bytes
First seen:	2021-04-01 05:46:02 UTC
Last seen:	2021-04-01 07:56:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:39aOstnvyx6yQOpkrgCVTbaakxaM9qBxaM9qx8lehJYFveXsMAuiCvTX:tKtnQKHTsxF9SxF9AvJYFv2piC7
Threatray	4'492 similar samples on MalwareBazaar
TLSH	F0257CB9B3E1F6B9C5148A3199227C7053F04DA3D931F696ACECF9E0C530EA91F1A146
Reporter	cocaman
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

New Order.exe

Verdict:

Suspicious activity

Analysis date:

2021-04-01 05:53:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/df9c5af7-808c-4996-8b88-fe548682e0fa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/130442/

Detection(s):

SecuriteInfo.com.Trojan.MSIL.Kryptik.4f856d97.26416.6457.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/661612

Signature

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1190cb66d731098dffb19ac78c746e5d71e25783921c3bb6f60ab5133233b3ce/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-04-01 04:45:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cgimwzwxgeey375rtldyy5dolvy6ev4dsiodxnxwbk2rgmrtwpha._file

Verdict:

malicious

Label(s):

formbook

Formbook

6116dfa4c8a11409b07bf99e7be47096aa08b0891e730c70f3b1c2c9fabd0fe9

Formbook

7298ca6edb5f8ea41d3d1cb2fd50768a50db1749e75c9a2f39a6dc1cd3a1ddf2

Formbook

a677db1e19ef0ff96a19fb973e8505296ca98d69c2eb7f97c18f097b6786f9b7

Formbook

a86f792a5a3d424b756508cb462d3ca9b454f2513a5471df5d41da33649748e9

Formbook

bf84393caee9b769b516681ec8998afe26c22255c405ea9a027608ccf38ea36b

Formbook

c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23

Formbook

d9bdfeb51aaa4192014f7263a7613a7cc812d3e7fbfbf5fcee5458ca1e58c04b

Formbook

f12df428fa830292897aabb6f73c5ecf96e855e278c3320e21e45629c84bf9ef

Formbook

fb1efc79e627fcc4485b3bbde9d948f673172715a7fb165f373f79ba31671fb8

Formbook

+ 4'482 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210401-vsrtt4a61a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.miasjewelrycreations.com/nkt/

Unpacked files

SH256 hash:

1190cb66d731098dffb19ac78c746e5d71e25783921c3bb6f60ab5133233b3ce

MD5 hash:

445adbafac01715f7768ee4884ad8160

SHA1 hash:

b87726c285fd5f3a2ec917319e568a3f854c0002

Link:

https://www.unpac.me/results/32757e6a-5cdd-4ffc-9a3a-1e1b4b0caacd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/1190cb66d731098dffb19ac78c746e5d71e25783921c3bb6f60ab5133233b3ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 72c1771b872c9fdd4f61b0a78caaa0728f235ec0237271caef24d7bf07a58706

Formbook

exe 1190cb66d731098dffb19ac78c746e5d71e25783921c3bb6f60ab5133233b3ce

(this sample)

Delivery method

Other

Dropped by

SHA256 72c1771b872c9fdd4f61b0a78caaa0728f235ec0237271caef24d7bf07a58706

Cape

https://www.capesandbox.com/analysis/130442/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample