MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19dcc4800e5e1b9a286a94597fa408a1d90e6789896907ccf59ed4d328831150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments 1

SHA256 hash:	19dcc4800e5e1b9a286a94597fa408a1d90e6789896907ccf59ed4d328831150
SHA3-384 hash:	516791d1923d7d695df48423fcf63738628c8c47fa870aa6d28207f06efa89d49e093eb3d0595f42c9b643a602d4facc
SHA1 hash:	e7b2b5f0faa9ec2cd7ce98d9e7f027f47e1b1ff3
MD5 hash:	97b02b6924130912d7ea27cf9f95109d
humanhash:	friend-yellow-batman-massachusetts
File name:	97b02b6924130912d7ea27cf9f95109d
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'384'480 bytes
First seen:	2022-05-22 04:10:52 UTC
Last seen:	2022-05-22 04:30:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3ec3dfdccc2e2dd2d4c62887f00d1d00 (3 x Formbook)
ssdeep	24576:+zKK65oS83EHzR+CGhB2dnLfgOdoYv117GYBZof8ND9+trh96StIbbW+jH:+zKK8HzRpGfCfgw7g8z+t1ZIbbWa
TLSH	T189551222BE82D861D43094B2C45FD7841E24F5B2ACA5266F32E41B0D9F623D73F926E5
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	9b2565696965293f (3 x Formbook)
Reporter	zbetcheckin
Tags:	32 exe FormBook signed

Code Signing Certificate

Organisation:	livecode.com
Issuer:	cPanel, Inc. Certification Authority
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-03-29T00:00:00Z
Valid to:	2022-06-27T23:59:59Z
Serial number:	5c37e321f7fa9d7df439d21b78b11e64
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	d8bb6fb8ff89c0e29297630c087c8e3143de8982d475d7b2ea10e9888bb118a1
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

15652172347CFAD0094984499803524AA8637E27

Verdict:

Malicious activity

Analysis date:

2022-05-20 18:11:37 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader formbook trojan stealer

Link:

https://app.any.run/tasks/774169f2-8c1c-41d9-9cb0-ad975edff316

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/273383/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19493/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

crypter formbook greyware overlay packed

Link:

https://www.filescan.io/uploads/6289b7eb370bb1455cbc8d79/reports/f971f649-f3a4-4f9e-8e5b-7caf032d8f05/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1de7bc6-e984-4c72-8546-c6b83c7c7fd8

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/999243

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/19dcc4800e5e1b9a286a94597fa408a1d90e6789896907ccf59ed4d328831150/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-05-20 17:55:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:uu0p loader persistence rat spyware stealer suricata

Link:

https://tria.ge/reports/220522-erx5wsfbg4/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Unpacked files

SH256 hash:

050a5cfb127a824e03b0dd1c5cd8d67509544f43d82e0bef2e0c25b0763636ec

MD5 hash:

513c24a805fe1edb6e6cf86ccad70660

SHA1 hash:

c799f52c3d853d768164551b4526806eae757788

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/2a539490-b694-45e2-9dcc-e5a882c75bed/

Parent samples :

19dcc4800e5e1b9a286a94597fa408a1d90e6789896907ccf59ed4d328831150
814f2e3ff651afd0a82fe2b2c953c27e8ffda9df3fd7232681da30d29573271f
69abc132bf9e2db3f8d1feac013088c9915281b17c9ac918490e10cd64d7be2f
39a3f149c23d6a96537aa6efeeedcd2dacb5d92103c736c115ef37a3054a6aa7

SH256 hash:

bdb5627d40c30900c21b749b89304d7c536298efb34eb345589f4c7ca68acc9c

MD5 hash:

a75c58fb87a5ec36445903db785835a1

SHA1 hash:

dc3439f840c1d776267deba5d28c1d55839de265

Link:

https://www.unpac.me/results/2a539490-b694-45e2-9dcc-e5a882c75bed/

SH256 hash:

b9f12a244eb92c87aee9a55712b19509b699f6d25922babbd2c2d5682f1a0b6c

MD5 hash:

b114a3d57dfc871b7bdd54a774c88849

SHA1 hash:

22f9b8ec53e781d444a7049f4bfee22955043ee2

Link:

https://www.unpac.me/results/2a539490-b694-45e2-9dcc-e5a882c75bed/

SH256 hash:

19dcc4800e5e1b9a286a94597fa408a1d90e6789896907ccf59ed4d328831150

MD5 hash:

97b02b6924130912d7ea27cf9f95109d

SHA1 hash:

e7b2b5f0faa9ec2cd7ce98d9e7f027f47e1b1ff3

Link:

https://www.unpac.me/results/2a539490-b694-45e2-9dcc-e5a882c75bed/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.92

Link:

https://yomi.yoroi.company/submissions/19dcc4800e5e1b9a286a94597fa408a1d90e6789896907ccf59ed4d328831150

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.