MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 121ce6392d23c72269e9581f98c66e9d2c5bf7f405923dd620902dc1216f9127. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

SHA256 hash: 121ce6392d23c72269e9581f98c66e9d2c5bf7f405923dd620902dc1216f9127
SHA3-384 hash: 1d547e512bc4620da00eb2fe93831898c18529d72e1459ecf5c4b82b491ecd7993d9b35fbac564fcb631448f4da057e4
SHA1 hash: 0155851a42d88f779270508d28452ea70874a0fe
MD5 hash: f761004854ebeec86a0e943921a39af8
humanhash: edward-jig-arizona-one
File name: anthony.exe
Signature: Formbook
File size: 336'588 bytes
First seen: 2020-11-30 08:11:35 UTC
Last seen: 2020-12-10 08:24:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep: 6144:PQLFhds8HrhwyBsDU0Oc1KF6ogUIFCdwMdk1ENWnKxi/getyEDYzkseVoYi:IFHs8HrhPBIzrlogUbOak6NIKogWEzL7
Threatray: 3'627 similar samples on MalwareBazaar
TLSH: 9464122237B0D8A6DFA149B03979563852FAAF9B05636B573340BB5D32B5683CE0F143
Reporter: GovCERT_CH
Tags: FormBook

Intelligence

File Origin
# of uploads: 39
# of downloads: 188
Origin country: n/a

Vendor Threat Intelligence

Verdict: Malware
Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior graph (ID 324484, sample anthony.exe, start date 30/11/2020, architecture WINDOWS, score 100), flattened from the graph view:

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 2 other signatures
Sample-level DNS/IP: www.trucleanusa.com; trucleanusa.com

anthony.exe (started)
  dropped: C:\Users\user\AppData\Local\...\Parasite.dll (PE32)
  dropped: C:\Users\user\AppData\Roaming\...\vslogui.dll (PE32)
  dropped: C:\Users\user\AppData\...\IEExecRemote.dll (PE32)
  dropped: 6 other files (none is malicious)
  -> rundll32.exe (started)
       signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Hijacks the control flow in another process; Maps a DLL or memory area into another process
       -> cmd.exe (started)
            signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 3 other signatures
            -> explorer.exe (injected)
                 network: starsnus.com 34.102.136.180 (ports 49736, 49745, 49749; GOOGLEUS, United States); springsbounce.com 34.98.99.30 (ports 49746, 80; GOOGLEUS, United States); 17 other IPs or domains
                 signature: System process connects to network (likely due to code injection or exploit)
                 -> chkdsk.exe (started)
                      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)
                           -> conhost.exe (started)
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2020-11-30 08:12:08 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 2/5

Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.wellnesspharma.net/94sb/
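The sandbox signatures above (a cross-process memory write followed by SetThreadContext or a queued APC, then a system process such as explorer.exe talking to the network) and the hosts under Malware Config can be expressed as a small correlation check over endpoint telemetry. The Python below is an added example written for this page; it is not code from MalwareBazaar, the reporter or any sandbox vendor. Its event schema, the pids, the SYSTEM_IMAGES list and the "update.example" host are assumptions, and the event stream is constructed to mirror the process chain and C2 hosts shown on the page rather than captured from the real sample.

```python
"""Detection logic for two of the sandbox signatures listed on this page:
thread injection into another process (cross-process write followed by
SetThreadContext / QueueUserAPC on that process) and a system process
contacting the network after being injected into.

The event tuples below use a simplified schema invented for this example;
they are not Sysmon or EDR output. The pids, process chain and hostnames
mirror the behaviour graph and Malware Config on the page (constructed data)."""
from collections import defaultdict

# Images that should not originate outbound traffic on their own
# (assumption for this example; tune to your environment).
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "chkdsk.exe", "conhost.exe"}

# Network indicators taken from the page (C2 extraction and behaviour graph).
C2_HOSTS = {"www.wellnesspharma.net", "starsnus.com", "springsbounce.com"}

# Constructed events: (seq, type, pid, ppid_or_target_pid, image_or_host).
# For net_connect the fourth field is unused and the fifth is the host.
EVENTS = [
    (1,  "process_create",      100, 1,   "anthony.exe"),
    (2,  "process_create",      200, 100, "rundll32.exe"),
    (3,  "process_create",      300, 200, "cmd.exe"),
    (4,  "process_create",      400, 1,   "explorer.exe"),
    (5,  "cross_process_write", 300, 400, ""),   # cmd.exe writes into explorer.exe
    (6,  "set_thread_context",  300, 400, ""),   # then hijacks one of its threads
    (7,  "net_connect",         400, 0,   "starsnus.com"),
    (8,  "net_connect",         400, 0,   "www.wellnesspharma.net"),
    (9,  "process_create",      500, 400, "chkdsk.exe"),
    (10, "cross_process_write", 500, 400, ""),   # write without a context change: not counted
    (11, "net_connect",         300, 0,   "update.example"),  # non-system image: no alert
]


def process_images(events):
    """pid -> image name, from process_create events."""
    return {pid: image for _, typ, pid, _, image in events if typ == "process_create"}


def lineage(events, pid):
    """Ancestor chain of pid, root first, e.g. ['anthony.exe', 'rundll32.exe', 'cmd.exe']."""
    parents = {p: pp for _, typ, p, pp, _ in events if typ == "process_create"}
    images = process_images(events)
    chain = []
    while pid in images:
        chain.append(images[pid])
        pid = parents[pid]
    return list(reversed(chain))


def injections(events):
    """Set of (injector_pid, target_pid, hijack_seq): the injector wrote into the
    target's memory and afterwards changed a thread context or queued an APC there."""
    first_write = {}
    found = set()
    for seq, typ, pid, target, _ in events:
        if typ == "cross_process_write":
            first_write.setdefault((pid, target), seq)
        elif typ in ("set_thread_context", "queue_apc") and (pid, target) in first_write:
            found.add((pid, target, seq))
    return found


def injected_system_network(events):
    """Alerts for a system-image process that connects out after being injected into.
    Returns [(target_pid, target_image, host, injector_pid), ...] in event order."""
    images = process_images(events)
    injected_at = {}  # target pid -> (seq, injector pid) of the earliest hijack
    for injector, target, seq in injections(events):
        if target not in injected_at or seq < injected_at[target][0]:
            injected_at[target] = (seq, injector)
    alerts = []
    for seq, typ, pid, _, host in events:
        if typ != "net_connect" or images.get(pid) not in SYSTEM_IMAGES:
            continue
        if pid in injected_at and seq > injected_at[pid][0]:
            alerts.append((pid, images[pid], host, injected_at[pid][1]))
    return alerts


def c2_hits(events):
    """Contacted hosts that match the indicators published for this sample."""
    return sorted({host for _, typ, _, _, host in events
                   if typ == "net_connect" and host in C2_HOSTS})


if __name__ == "__main__":
    for tpid, image, host, injector in injected_system_network(EVENTS):
        print(f"{image} (pid {tpid}) -> {host}, injected by pid {injector}: "
              + " > ".join(lineage(EVENTS, injector)))
    print("C2 matches:", c2_hits(EVENTS))
```

The write-then-hijack ordering matters: a lone cross-process write (seq 10, chkdsk.exe into explorer.exe) is not reported, and a non-system image connecting out (seq 11) is left to ordinary egress rules. Real telemetry needs the same ordering logic applied to whatever your sensor emits for WriteProcessMemory, SetThreadContext and QueueUserAPC, plus handle-reuse and pid-reuse checks that this constructed stream does not exercise.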
Unpacked files

SHA256: 335927ad4bc09b4d8946b32c1d3062dcfd8503b791d14bb6123caec33d987390
MD5: cfa573f3f0dcb786a07c9905e719af2c
SHA1: e191c70045cbfdad11633bf4191801d5e2cf7e17

SHA256: 6e981ae3c91194fe4d524c8e3f75d34b9b8c980d2edbad2a6d05143e3b62646c
MD5: 59d2c93ae3c2c269fc26b3ecf9a0f3af
SHA1: baab6861d2e432509f216878d79a5e58c3d46927

SHA256: fc764006b963e0c0a0e15cdc273a4491bca5e5fb2045bbbd3c79538bc0bb695f
MD5: a9c6d50aed840dc5ecb9456efb6c4205
SHA1: b85b0392743c4f0d9f94a872247a7556770757dd

SHA256: 46862e0cd12555ac96a76ce1ffca06d6ef250b709e09e5c8441793d4c04e5a38
MD5: 0d5fe1c95afe423b214f13e856d0f1a5
SHA1: 539727bee5ba21bbf8591a4927807a7a42d9161d

SHA256: afae09aa5b7e708b885ad2a54d13db86a7a53b0c1b5b5490e7055ad859f5cc30
MD5: 20712da756917c247c0b6b00bb323a92
SHA1: 3839d561e4f98f90d1d6927f18da38c52c29487a

SHA256: 121ce6392d23c72269e9581f98c66e9d2c5bf7f405923dd620902dc1216f9127 (this sample)
MD5: f761004854ebeec86a0e943921a39af8
SHA1: 0155851a42d88f779270508d28452ea70874a0fe

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: Formbook
File: Executable exe 121ce6392d23c72269e9581f98c66e9d2c5bf7f405923dd620902dc1216f9127 (this sample)

Comments