MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1889dc19b2876d4d9619f7cb0ccc14c0563a5b951836ddae0fc578431b15c840. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1889dc19b2876d4d9619f7cb0ccc14c0563a5b951836ddae0fc578431b15c840
SHA3-384 hash: bc52a8de000d6ff877b52f6b240e33b62a432d58886e4684f32e139263314a20bede88d98931f21d9f250baa82e55aab
SHA1 hash: 9d45be88790328f876f2e8da3e75491ea4e46fd6
MD5 hash: 403b450e6413c9b5914e6753581966fd
humanhash: failed-oregon-zulu-lemon
File name:RFQ-6389331.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:544'768 bytes
First seen:2022-06-29 13:32:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:irZfw2iN/2iNhQZPfkJKCTnRPTu7E6vh5m4O0kPRxliW1:iZfw1J1zSfkJhuD7HXkPRrh
Threatray 15'149 similar samples on MalwareBazaar
TLSH T186C412994BFD8728E6EE47F819AC611127B0B409D7D4C12ABEE412CEFD64BB44460F27
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/284258/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bc54d2197c837506d0efc6/reports/b04af5db-8e46-4db5-b0c7-070771c257bc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/680c3ab3-737d-4602-bee4-5171476d6a37
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1021905
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 654403 Sample: RFQ-6389331.exe Startdate: 29/06/2022 Architecture: WINDOWS Score: 100 48 www.sharekhoahoc.net 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 9 other signatures 2->56 10 RFQ-6389331.exe 7 2->10         started        signatures3 process4 file5 40 C:\Users\user\AppData\Roaming\kiwYAC.exe, PE32 10->40 dropped 42 C:\Users\user\...\kiwYAC.exe:Zone.Identifier, ASCII 10->42 dropped 44 C:\Users\user\AppData\Local\...\tmpACCD.tmp, XML 10->44 dropped 46 C:\Users\user\AppData\...\RFQ-6389331.exe.log, ASCII 10->46 dropped 66 Uses schtasks.exe or at.exe to add and modify task schedules 10->66 68 Adds a directory exclusion to Windows Defender 10->68 70 Tries to detect virtualization through RDTSC time measurements 10->70 72 Injects a PE file into a foreign processes 10->72 14 RFQ-6389331.exe 10->14         started        17 powershell.exe 23 10->17         started        19 schtasks.exe 1 10->19         started        signatures6 process7 signatures8 74 Modifies the context of a thread in another process (thread injection) 14->74 76 Maps a DLL or memory area into another process 14->76 78 Sample uses process hollowing technique 14->78 80 Queues an APC in another process (thread injection) 14->80 21 wlanext.exe 18 14->21         started        25 explorer.exe 14->25 injected 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        process9 file10 36 C:\Users\user\AppData\...\2M1logrv.ini, data 21->36 dropped 38 C:\Users\user\AppData\...\2M1logri.ini, data 21->38 dropped 58 Detected FormBook malware 21->58 60 Tries to steal Mail credentials (via file / registry access) 21->60 62 Tries to harvest and steal browser information (history, passwords, etc) 21->62 64 3 other signatures 21->64 31 cmd.exe 2 21->31         started        signatures11 process12 signatures13 82 Tries to harvest and steal browser information (history, passwords, etc) 31->82 34 conhost.exe 31->34         started        process14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1889dc19b2876d4d9619f7cb0ccc14c0563a5b951836ddae0fc578431b15c840/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 02:11:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 40 (52.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dce5ygnsq5wu3fqz67fqztauyblduw4vda3n3lqpyv4eggyvzbaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
20a01bac19d49e0d9d404e164dca9a9b101cfb3f1bd1b89ce592fc26a4c20afb
Formbook
22a97bc8516563b8d5d94ae5937f0995a2fa87bc473fa9ad4e3cd512be5d7756
Formbook
35b0d1ca273287daaadb2766c5772ef7275b4778fdd487da18d9b69f44b58032
Formbook
76dc51c2ea31d175e7bcc427655232e875b718309b444d8e6730834424faea0e
Formbook
78fdca14f99e25685ccef65e154f5c747430a955c399adb72d32cd0e364a4780
Formbook
8370746ea957582a6e53d4ffb81c864b484d73cbea2904b040375ee851bcb06d
Formbook
a9849a0f7bf5b5e1f9b967737c44ddff914aaa05b8c910e414ac759ca2b959a1
Formbook
+ 15'139 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:n6ef rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220629-qthzjahhck/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Reads user/profile data of web browsers
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
6bdabdc7b836d3a1fece1e396811f80d1c7cee8a12c0f2e0ad2a35901aed3055
MD5 hash:
692cc1fe21d91193f6d71a521378f27d
SHA1 hash:
9ed66fba34f49d42e5305e962bfc501a2ef1784e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Link:
https://www.unpac.me/results/9707f7e2-c4af-4229-9d63-8a690b8f7683/
SH256 hash:
6235c06b60a56a7238216b1a85c27509cc9791cafcdb2a0ae1921da488ce863c
MD5 hash:
de2d58c5cecb756abc167c3c71e2fde5
SHA1 hash:
6831487e8fcd817c7f274809dd3f35b61203d370
Link:
https://www.unpac.me/results/9707f7e2-c4af-4229-9d63-8a690b8f7683/
SH256 hash:
87577e6c69af07ba0e6383a2a152b59a39d6b336631ce4baa250bd9f8adce03d
MD5 hash:
9b17d560e68eff0da30f79b3c391c9a3
SHA1 hash:
5ceda263b1ea13401f652c709dd884d58945fe57
Link:
https://www.unpac.me/results/9707f7e2-c4af-4229-9d63-8a690b8f7683/
SH256 hash:
c55c005b1a71e9c22f8f5c9f5594609876ee1c565b89f35afb445aa154690126
MD5 hash:
c38e4877b4e05e12bff948a3c12e2a48
SHA1 hash:
07a38351ca3f9ce516f0564eda4ea62a9a93686c
Link:
https://www.unpac.me/results/9707f7e2-c4af-4229-9d63-8a690b8f7683/
SH256 hash:
ca9e1c0d18e0463d4ccb3d2ee4577110c86a86229c582eac2abc213086a07371
MD5 hash:
181b1af87d6b8a635ce22ffbd2947cda
SHA1 hash:
058ecaab8ce219b27f25546f4ff49f8946dc2ffd
Link:
https://www.unpac.me/results/9707f7e2-c4af-4229-9d63-8a690b8f7683/
SH256 hash:
1889dc19b2876d4d9619f7cb0ccc14c0563a5b951836ddae0fc578431b15c840
MD5 hash:
403b450e6413c9b5914e6753581966fd
SHA1 hash:
9d45be88790328f876f2e8da3e75491ea4e46fd6
Link:
https://www.unpac.me/results/9707f7e2-c4af-4229-9d63-8a690b8f7683/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1889dc19b287/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1889dc19b2876d4d9619f7cb0ccc14c0563a5b951836ddae0fc578431b15c840

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/284258/

Comments