MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 188e88b01bc05b9e23ce3133471d99ecaec9515404faa787f745fc70bafe4656. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 188e88b01bc05b9e23ce3133471d99ecaec9515404faa787f745fc70bafe4656
SHA3-384 hash: e3aca2fd7b4548f53640d4e6a3d6d4c72eb7f4619fde890f1e87970f81e77398881c3d47c7bec4eb5dfc352dfb63f07d
SHA1 hash: 963c23acc475923d79ed8a3d17ca183fcfbf084c
MD5 hash: cfa809c8fb2550c63f63136893075d04
humanhash: pizza-saturn-romeo-jig
File name:MAILER-DAEMON WEBMAIL ERROR MESSAGE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:45'568 bytes
First seen:2022-04-19 11:48:40 UTC
Last seen:2022-04-19 21:57:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:9fx2TR75NJpie1Tffffff9fQkulaieMwCKPkH2S3dd0hUADka6a9:X2TlFclMMwCKa3deVDX
Threatray 15'002 similar samples on MalwareBazaar
TLSH T1E223095A78965619C5D47BF969B0A2931236BCE10124C14FECF9BF29AE73323CCC216D
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter cocaman
Tags:exe FormBook


Avatar
cocaman
Malicious email (T1566.001)
From: "Mail Delivery System <mailer-daemon@server200.serverange.net>" (likely spoofed)
Received: "from server200.serverange.net (unknown [195.133.18.248]) "
Date: "19 Apr 2022 11:12:38 +0200"
Subject: "Mail Delivery Failed: returning message to sender "
Attachment: "MAILER-DAEMON WEBMAIL ERROR MESSAGE.exe"

Intelligence

File Origin
# of uploads :
4
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/264602/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.11583.15602.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Creating a file
Searching for synchronization primitives
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/625ea1afffe27d51190b3bb6/reports/a9c3a267-9253-45f0-aee9-2df2e70deb60/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58380ad2-1d9e-418c-b1d2-f34d08f04c78
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978809
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611296 Sample: MAILER-DAEMON WEBMAIL ERROR... Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->39 41 5 other signatures 2->41 9 MAILER-DAEMON WEBMAIL ERROR MESSAGE.exe 15 4 2->9         started        process3 dnsIp4 33 ragdollpiercing.co.uk 69.49.247.204, 443, 49760 UNIFIEDLAYER-AS-1US United States 9->33 31 MAILER-DAEMON WEBM...ROR MESSAGE.exe.log, ASCII 9->31 dropped 13 MAILER-DAEMON WEBMAIL ERROR MESSAGE.exe 9->13         started        16 cmd.exe 1 9->16         started        file5 process6 signatures7 47 Modifies the context of a thread in another process (thread injection) 13->47 49 Maps a DLL or memory area into another process 13->49 51 Sample uses process hollowing technique 13->51 53 Queues an APC in another process (thread injection) 13->53 18 msiexec.exe 13->18         started        21 explorer.exe 13->21 injected 23 conhost.exe 16->23         started        25 timeout.exe 1 16->25         started        process8 signatures9 43 Self deletion via cmd delete 18->43 45 Maps a DLL or memory area into another process 18->45 27 cmd.exe 1 18->27         started        process10 process11 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/188e88b01bc05b9e23ce3133471d99ecaec9515404faa787f745fc70bafe4656/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 09:26:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dchirma3ybnz4i6ogezuohmz5sxmsukuat5kpb7xix6hbox6izla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0da36b7f7e4b44b640ab5769532fdd7599032ca2b1d6b57807ba48ad1fa76780
Formbook
204831bda7d04f0905f7bf0c39e45b3772935726d8a436ee9703a19098b37e21
Formbook
232a16efaec47e6d4fc8f5318ed9d9d58198daef519f30a5d9147d38f293638c
Formbook
5f8d69976e4d3c9b6508cd376dcab4971a605d8d1122952ad604f7b48d2ef1e1
Formbook
61ee0cca6d45766ecfedcfafba7f2e57d8fc2f4ee9b42bce3e7ffe5848c071f9
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
da30dd86e912cbfcf0cb4306265cedf47604891dc868db7c59dd92d47ad32063
Formbook
da90895ec14c13c733ba3550194ab36a4c64130c5c2b2038c163dff0c505b3e3
Formbook
e5b723d9a13e6fec23839823866253128dbe758c31082616ca89cf55d35a3998
Formbook
+ 14'992 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:fk84 loader rat suricata
Link:
https://tria.ge/reports/220419-nyz3haefek/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
188e88b01bc05b9e23ce3133471d99ecaec9515404faa787f745fc70bafe4656
MD5 hash:
cfa809c8fb2550c63f63136893075d04
SHA1 hash:
963c23acc475923d79ed8a3d17ca183fcfbf084c
Link:
https://www.unpac.me/results/c8c170b3-71de-4849-9b60-dcd95c971db7/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/188e88b01bc0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/188e88b01bc05b9e23ce3133471d99ecaec9515404faa787f745fc70bafe4656

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar e177b2bdb97a1afb16897c994ec46dc6ecdd1e686d7c8058cc7607411d4cdedb

Formbook

Executable exe 188e88b01bc05b9e23ce3133471d99ecaec9515404faa787f745fc70bafe4656

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e177b2bdb97a1afb16897c994ec46dc6ecdd1e686d7c8058cc7607411d4cdedb
Cape
Cape
https://www.capesandbox.com/analysis/264602/
  
Dropped by
MD5 006cd559b02c0f4ef0df7e2d44e52406

Comments