MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12a79c59a47c99e0fc5ecf626e45e5b4d1abef887f00214096d18e4813757234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: 12a79c59a47c99e0fc5ecf626e45e5b4d1abef887f00214096d18e4813757234
SHA3-384 hash: df1f3d785591a1edf89da56c4dc17537e15d2bbbb02d4004275421246026c111d4986678f81f10f5a61bf78de0810475
SHA1 hash: 621969d90672dc00e8919eb679d96ac9cbadb093
MD5 hash: 5220c8b3e8b00372558dd52a33a63b4b
humanhash: speaker-lake-alaska-october
File name: 20bCH5neAKrf8xd.exe
Signature: Formbook
File size: 847'360 bytes
First seen: 2022-03-11 07:48:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:mt12iN+x+nM2qnOWw4F1/MImETi+L8D6BiLSahT1jsM6Dd8+eCRsQi40BWugrAJ5:mD1MxYFqOWw4FbSvJJz8LsMuYX+
Threatray: 14'953 similar samples on MalwareBazaar
TLSH: T1ED05CFE0EF5883BDDC14327AC4A808701EB5199E3820FF5AA58E11DD4A17FCF59E652E
Reporter: GovCERT_CH
Tags: exe FormBook xloader

Intelligence


File Origin
# of uploads: 1
# of downloads: 227
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed replace.exe

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (ID 587196; the rendered graph is not reproduced here, only the information it carried):
Sample: 20bCH5neAKrf8xd.exe, start date 11/03/2022, architecture WINDOWS, score 100
Contacted domains: www.hokashoesingapore.com, www.chathamwaste.com, chathamwaste.com
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 11 other signatures
Process chain:
  20bCH5neAKrf8xd.exe (started) - dropped C:\Users\user\...\20bCH5neAKrf8xd.exe.log (ASCII); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    -> 20bCH5neAKrf8xd.exe (three child instances started); on one of them: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      -> explorer.exe (injected)
        -> svchost.exe (started) - Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          -> cmd.exe (started)
            -> conhost.exe (started)
Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2022-03-11 02:49:40 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 22 of 27 (81.48%)
Threat level: 2/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:rmpc loader rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Unpacked files
SHA256 hash: f78780e73536894b81b641dd13bb07a695d4db252660ea0eb05eac4c0c0791ac
MD5 hash: 127f40bd49e98c99917ca783c4f9a043
SHA1 hash: 68844b38e9c16af99c05f81a202ae93e9866e3e9
Detections: win_formbook_g0 win_formbook_auto

Parent samples:
SHA256 hash: b74ad4da960ce6965906228f2162bf1bad0488992a3bc9f82fabdbc6ffe70fbc
MD5 hash: 28e1c9ee4e2162f20ec0f8bc6a52fbef
SHA1 hash: ef93166c6af3d1d623bf25a4f771bcbcb47938d8

SHA256 hash: 49f8cfa97203ca57b02fc2c7af3db36e22874ecec1f8742a8826224bba9111bb
MD5 hash: 7cd797cdf4dbeb869fd4ff3321ab7d66
SHA1 hash: 4384420142982b58a8afb9e9039c4e374acde649

SHA256 hash: 9b00e2fa33ad72dec22a5e107ab6886da72bbe0bed89a721e877c1dc3ce6a662
MD5 hash: b4c9c16228f0ee1de70ffc6264fb720c
SHA1 hash: 437049e452a511e220abdb32df695cdf07f5a7d0

SHA256 hash: 12a79c59a47c99e0fc5ecf626e45e5b4d1abef887f00214096d18e4813757234
MD5 hash: 5220c8b3e8b00372558dd52a33a63b4b
SHA1 hash: 621969d90672dc00e8919eb679d96ac9cbadb093
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook
Executable exe 12a79c59a47c99e0fc5ecf626e45e5b4d1abef887f00214096d18e4813757234 (this sample)

Dropped by: xloader
Delivery method: Distributed via e-mail attachment

Comments