MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854
SHA3-384 hash: 2afd620810d5cb4940f991421558e260a00be9384290892e6220c0446d8780d6b22435a13ad2d3efc2649d3101155e29
SHA1 hash: f65919c5f2870aef555ab5c2a444995158ea146d
MD5 hash: 339d3c3bb089cfc0946c7c068928bcad
humanhash: four-batman-massachusetts-nine
File name:Inv #9098.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:733'696 bytes
First seen:2021-02-08 07:45:44 UTC
Last seen:2021-02-08 10:11:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:Bs2fyTtEqAcxSACvCeWaQ9Uw1ikr1JRHj8y0aNJRHj8y0KZi970Oz6hGyKYvFK7P:Bs2fyTtEqAASACa1rZ7KYNI/Fj6xvt/a
Threatray 4'348 similar samples on MalwareBazaar
TLSH B8F4E13736A4EF15E2BE277A08B0925093FFE9066621C35AAEB835CC9975FC442517C3
Reporter stoerchl
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inv #9098.exe
Verdict:
Malicious activity
Analysis date:
2021-02-08 07:47:10 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/ab12afb7-5b3e-4c9b-b675-a94d50045561

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116017/
Detection(s):
SecuriteInfo.com.Artemis339D3C3BB089.17547.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/601550
Signature
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349794 Sample: Inv #9098.exe Startdate: 08/02/2021 Architecture: WINDOWS Score: 100 40 www.laikaswatches.com 2->40 42 laikaswatches.com 2->42 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 6 other signatures 2->56 11 Inv #9098.exe 3 2->11         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\Inv #9098.exe.log, ASCII 11->38 dropped 70 Injects a PE file into a foreign processes 11->70 15 Inv #9098.exe 11->15         started        signatures6 process7 signatures8 72 Modifies the context of a thread in another process (thread injection) 15->72 74 Maps a DLL or memory area into another process 15->74 76 Sample uses process hollowing technique 15->76 78 Queues an APC in another process (thread injection) 15->78 18 explorer.exe 15->18 injected process9 dnsIp10 44 franmogulfranchise.com 34.102.136.180, 49736, 49737, 49738 GOOGLEUS United States 18->44 46 www.sah-ko.net 98.124.204.16, 49740, 49741, 80 ENOMAS1US United States 18->46 48 5 other IPs or domains 18->48 58 System process connects to network (likely due to code injection or exploit) 18->58 22 raserver.exe 18 18->22         started        signatures11 process12 file13 32 C:\Users\user\AppData\...\8LMlogrv.ini, data 22->32 dropped 34 C:\Users\user\AppData\...\8LMlogri.ini, data 22->34 dropped 60 Detected FormBook malware 22->60 62 Tries to steal Mail credentials (via file access) 22->62 64 Tries to harvest and steal browser information (history, passwords, etc) 22->64 66 3 other signatures 22->66 26 cmd.exe 2 22->26         started        signatures14 process15 file16 36 C:\Users\user\AppData\Local\Temp\DB1, SQLite 26->36 dropped 68 Tries to harvest and steal browser information (history, passwords, etc) 26->68 30 conhost.exe 26->30         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 02:00:33 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=clidwewfrnolkuexmxlq56zfw73uj2zam2ulxc3rzju7wkjh5bka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
FormBook
2fd6b2288864f3a099a32bd923f7b3c67db00c979aa2e46db125e104618e92b7
FormBook
3a04294c74c076d017ac8f59b506f735547d31472f7480cb6652dea5e3a2816c
FormBook
3aa4e025334bf046fc081743e11b2706827f2f50dbe50d43909c63d3de90edfa
FormBook
5c7b804890877a7a9da085d878b0fc1a444aa1b75965e16beab74c978fab6079
FormBook
6a7659b4614c990d4feba15eeef035d47dcb8f46d92320620205eb6131eaf6a4
FormBook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
FormBook
8c414ec076a803e04e7c01d98c79516967eec77dc8cca0ddbe236cea79ddcff8
FormBook
bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2
FormBook
fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71
FormBook
+ 4'338 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210208-ltaa7eahcn/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.entrustedhomeinspections.com/xxg/
Unpacked files
SH256 hash:
beac1f2d950ef2733c5c06d903f2747fbfc84eee92e17b908f5284cb10d8705d
MD5 hash:
985a0eecbc0823d16b4a3242731a19d1
SHA1 hash:
5412004b543ea8ecad5cd7aec4c726c10acf79ed
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/30de14c4-609d-4c2a-9ace-400284aa74f8/
Parent samples :
12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854
505f647367949d8bf6f8636f28a4376c125d5f6d2febc87b93e27075007b05c9
SH256 hash:
2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
MD5 hash:
befb0470c71d676cc891cba16088975d
SHA1 hash:
5b7143f97d1d656fd1cacf70949048c1951b639a
Link:
https://www.unpac.me/results/30de14c4-609d-4c2a-9ace-400284aa74f8/
SH256 hash:
8a912967e4144307fa68ed210bb9e88d32e963888300877570e7dc5942fd6eca
MD5 hash:
8a712e3ad140ada5c2e8453bf01b06be
SHA1 hash:
2930b401b1a9330fee0c5ac824d7416ff8a548c6
Link:
https://www.unpac.me/results/30de14c4-609d-4c2a-9ace-400284aa74f8/
SH256 hash:
12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854
MD5 hash:
339d3c3bb089cfc0946c7c068928bcad
SHA1 hash:
f65919c5f2870aef555ab5c2a444995158ea146d
Link:
https://www.unpac.me/results/30de14c4-609d-4c2a-9ace-400284aa74f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

ace bf2cb9bb463a7c669396bef9134fd8a9d6e3aed54bb118cd05f1b4eb009ebcd2

FormBook

Executable exe 12d03b12c58b5cb5509765d70efb25b7f744eb2066a8bb8b71ca69fb2927e854

(this sample)

  
Dropped by
SHA256 bf2cb9bb463a7c669396bef9134fd8a9d6e3aed54bb118cd05f1b4eb009ebcd2
Cape
Cape
https://www.capesandbox.com/analysis/116017/

Comments