MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1390664c93e9f404d761155beeef7ef756857d108a100b72d1ab14766a1a1e1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1390664c93e9f404d761155beeef7ef756857d108a100b72d1ab14766a1a1e1b
SHA3-384 hash: e3dc26805e56e4aba398e36048a43f626ecd99d9bd9cc3556bc160e367f7bd7362d5f60c44bd54c183e056c720f70106
SHA1 hash: 1deb5ec792eb49faed7da5afebed7353e3d321ff
MD5 hash: f93d2489f2c5031032ce62e3d6fb07d1
humanhash: cat-kentucky-high-july
File name:CTM arrangement_xlsx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:248'788 bytes
First seen:2022-03-30 02:17:49 UTC
Last seen:2022-03-30 13:19:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmlzg8QAOwD8MC9g1my/iLUqqMZ6ykPpXPmB8/O+:HNllzgLAOwAhbLUqqSkPpfmO/z
TLSH T14B3412853780C9B7DC522B312E3659AB4AFA263540B1430F8B75BB187E77583BA1F742
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/259494/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.12344.5721.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12032/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed python shell32.dll
Link:
https://www.filescan.io/uploads/6243bddb1f204239484fae62/reports/b2427128-0080-455b-8e6d-0e6292b2d697/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc00b9f9-89b8-4346-9cde-4fe9cb42c9c6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/967273
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 599764 Sample: CTM arrangement_xlsx.exe Startdate: 30/03/2022 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 7 other signatures 2->53 11 CTM arrangement_xlsx.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\Temp\hlivc.exe, PE32 11->31 dropped 14 hlivc.exe 11->14         started        process5 signatures6 63 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->63 65 Tries to detect virtualization through RDTSC time measurements 14->65 67 Injects a PE file into a foreign processes 14->67 17 hlivc.exe 14->17         started        process7 signatures8 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Sample uses process hollowing technique 17->43 45 Queues an APC in another process (thread injection) 17->45 20 explorer.exe 17->20 injected process9 dnsIp10 33 www.laraphim.pro 185.53.178.54, 49858, 80 TEAMINTERNET-ASDE Germany 20->33 35 www.nkw8817.cfd 43.154.50.22, 49811, 49834, 80 LILLY-ASUS Japan 20->35 37 www.h4q7pzz.cfd 20->37 55 System process connects to network (likely due to code injection or exploit) 20->55 24 cmstp.exe 20->24         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 24->57 59 Maps a DLL or memory area into another process 24->59 61 Tries to detect virtualization through RDTSC time measurements 24->61 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1390664c93e9f404d761155beeef7ef756857d108a100b72d1ab14766a1a1e1b/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-03-30 02:18:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 42 (40.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=coigmtet5h2ajv3bcvn6533665lik7iqriiaw4wrvmkhm2q2dynq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:an52 rat spyware stealer trojan
Link:
https://tria.ge/reports/220330-cq92ysefc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
0fdd4283e22c1c83811ac3b7d35a76259663c58303bdeb94c02b8ad85cd100d2
MD5 hash:
546018d5b5f03853ec8f71b64d4a240a
SHA1 hash:
606f3a0cd50f201e573f86e6f81db306826679bb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/768116ac-b652-449f-992e-c47f7fdf65b8/
Parent samples :
5297d79e8c5477e872646905da36e71b4a40f9d801f34b6e4521932981f1e9c7
1d9709a43a56ed769aee507cd4b9116ca3d72d93a86d612c0984f6ab375c1717
1390664c93e9f404d761155beeef7ef756857d108a100b72d1ab14766a1a1e1b
402b63c8c33dd311c5b62edba93c1ffc5964c15faa5ad2de35bbe40d26e3bd0a
SH256 hash:
b2e3bb21c8025f47119eefb1f5330784a6e87a71ad85cc4fd89ca8ee56df1b73
MD5 hash:
7f44d96be88d4fe1b364c33fffd9992e
SHA1 hash:
0e906b6659427d8dafe967f5d481bfb6fe40484e
Link:
https://www.unpac.me/results/768116ac-b652-449f-992e-c47f7fdf65b8/
SH256 hash:
1390664c93e9f404d761155beeef7ef756857d108a100b72d1ab14766a1a1e1b
MD5 hash:
f93d2489f2c5031032ce62e3d6fb07d1
SHA1 hash:
1deb5ec792eb49faed7da5afebed7353e3d321ff
Link:
https://www.unpac.me/results/768116ac-b652-449f-992e-c47f7fdf65b8/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1390664c93e9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1390664c93e9f404d761155beeef7ef756857d108a100b72d1ab14766a1a1e1b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1390664c93e9f404d761155beeef7ef756857d108a100b72d1ab14766a1a1e1b

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/259494/

Comments