MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1288ae44d28cad478afd6fae196164f297b8656977fd2ac34d08ab5877a5b795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1288ae44d28cad478afd6fae196164f297b8656977fd2ac34d08ab5877a5b795
SHA3-384 hash: 9117fe39022df54078f66852206342c91e1e7aedf19624a7823a85075e556ed0dac78268d5ded95f42bd42851c5fffbb
SHA1 hash: 409d119b053caff233796f2a7e8b076d14ab3df0
MD5 hash: 0f51febfd7272fb841773d04926b62c2
humanhash: shade-hamper-equal-fish
File name:caw.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:761'856 bytes
First seen:2020-12-01 15:02:45 UTC
Last seen:2020-12-01 16:52:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 084ab79676b5b0cc1ffaebcdcfdd0387 (2 x ModiLoader, 1 x Formbook)
ssdeep 12288:HYFnichEklZ6BuDkVHRN1azVxGfhL7XqZA4Iw7uibtCAt1nq6fzWrvlZf:4ichjZ6UYVHRN+fwhqptCA3Lfsvvf
Threatray 3'079 similar samples on MalwareBazaar
TLSH 8EF4BF23F2D1463BD02B0579AC1FC5E96938BF212E1868477BED5E0C4F3E692B826157
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106261/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/552488
Signature
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 325346 Sample: caw.exe Startdate: 01/12/2020 Architecture: WINDOWS Score: 100 29 g.msn.com 2->29 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected FormBook 2->45 47 Modifies the prolog of user mode functions (user mode inline hooks) 2->47 11 caw.exe 14 2->11         started        signatures3 process4 dnsIp5 37 fanosethiopiatours.com 50.87.153.103, 49709, 80 UNIFIEDLAYER-AS-1US United States 11->37 39 discord.com 162.159.138.232, 443, 49708 CLOUDFLARENETUS United States 11->39 57 Detected unpacking (changes PE section rights) 11->57 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 caw.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 31 www.jhwanbao.com 154.219.133.110, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 18->31 33 www.frankrodickblog.com 168.206.179.165, 49756, 80 CLAYERLIMITED-AS-APClayerLimitedHK South Africa 18->33 35 2 other IPs or domains 18->35 49 System process connects to network (likely due to code injection or exploit) 18->49 22 msdt.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1288ae44d28cad478afd6fae196164f297b8656977fd2ac34d08ab5877a5b795/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-12-01 15:02:29 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ckek4rgsrswupcx5n6xbsyle6kl3qzljo76svq2nbcvvq55fw6kq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
06e4ec7e065c7765f452e3516a985f3481f020aaddeb41e6f28bf2a33bc73c9d
Formbook
08c0c3cf921d5b4af4d261668a9c0ca41acb67610290c7f75ce4537191a9214f
Formbook
0f97d2c99964370b019145742e1d9322e9248fea3e149f00c10ca99807bcafa4
Formbook
1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3
Formbook
2446476e9008d7e3c9f908680c22794aad6c26605536ec0cb428b33c99f72be3
Formbook
3176528c561817095af859f4809a2091f8557f93c27a0fe32ee71c8fc3b71f33
Formbook
4cb957166b87af52d625fe0ae926e024db9cb6722d1cb5ade20bbf1b8ddaac34
Formbook
6d793847fa7272019425c00c17e6f84f719a74a926219a6f6a9c7d96f033fc48
Formbook
8bb7375d1d8c2236d2a43e413209831ab50f8599eabdc906143ba7742425fb0c
Formbook
d54847c7831d92a014c603f004d75828da72ed8f9d270a18023706f1bb375415
Formbook
+ 3'069 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201201-mzb3e69ana/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.themagiczones.com/llp/
Unpacked files
SH256 hash:
1288ae44d28cad478afd6fae196164f297b8656977fd2ac34d08ab5877a5b795
MD5 hash:
0f51febfd7272fb841773d04926b62c2
SHA1 hash:
409d119b053caff233796f2a7e8b076d14ab3df0
Link:
https://www.unpac.me/results/5596ab71-18e6-4e8b-a8d6-233a5915a921/
SH256 hash:
118e4551ac31bdc92e5a34c3069d5b2d8efe60ac58adc83bf2e5ee8a50b5a738
MD5 hash:
fea7f670d5ae5104140e571e68ce91c5
SHA1 hash:
e53bf1b051f2bd122b0781ef818447bcb2c09207
Link:
https://www.unpac.me/results/5596ab71-18e6-4e8b-a8d6-233a5915a921/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1288ae44d28cad478afd6fae196164f297b8656977fd2ac34d08ab5877a5b795

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/106261/

Comments