MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a864aa18c8cc51ec4cb515224a4d51d97e398eef752c537e7308d52897b61bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a864aa18c8cc51ec4cb515224a4d51d97e398eef752c537e7308d52897b61bf
SHA3-384 hash: d79d0dc9473035578178329e2326d0ce28987fc0f5c2e1de707a4e2bffb8359000363910e6dab1eb546f3ff3f7c3bc90
SHA1 hash: e1dffbad96e96d32870b55a77b197c7095c421f7
MD5 hash: bb2edd99a1dad9fb9939097093d05d7b
humanhash: paris-fillet-golf-ceiling
File name:SecuriteInfo.com.FileRepMalware.19152
Download: download sample
Signature Formbook
Create hunting rule
File size:1'388'032 bytes
First seen:2021-02-02 12:18:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:KAcpyX8qvMsigB3ba2eKQZGCI2KXlcronUzeiCRfY6AzkkiuRKT4y:KAp8qkngBm2eFG6FoYehmquRK/
Threatray 288 similar samples on MalwareBazaar
TLSH B7553F41BB7087ADC451F37F96EBA31A13A2F4F78620979367491FB1D8D10D2784EA88
Reporter SecuriteInfoCom
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA 2.doc
Verdict:
Malicious activity
Analysis date:
2021-02-02 08:05:42 UTC
Tags:
ole-embedded exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/191cc6f2-faf5-41eb-bed1-8e44fa1a7066

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115145/
Detection(s):
SecuriteInfo.com.FileRepMalware.19152.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a process from a recently created file
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/596583
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1a864aa18c8cc51ec4cb515224a4d51d97e398eef752c537e7308d52897b61bf/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-02 05:59:06 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dkdevimmrtcr5rglkfjcjjgvdwl6hgho65jmkn7hgcgvfcl3mg7q._file
Verdict:
unknown
Similar samples:
044c7600a63f48d98d55a52953fb22799e846d32b74fd9462a03b146747813e9
Formbook
7ed52ad664825ac1786dd750f086f18e2be484245c9a3f3cb51bdce8fa84aa5f
Formbook
842cda0e7609203f715a06b9eb524bd82593ad4dfc4d5cc1c7754cff47ccda29
Formbook
9bb2525c48049ffd05b8ad6a39a89245b6a4de4914275fcfad2beee8bfaa714d
Formbook
adf3f47687c15c048c4c909e95c5c2c17187259832ebbab51b6a0b2c5e5f588e
Formbook
c7a2fcc718b3adeedee6e215f17799f22662a66c5c8e08af94ea641e9e909b8d
Formbook
cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
Formbook
d21f7c6f8a4fbbb00973d1ed40f4c9ca33920aaca079b70ff298db4e74b56134
Formbook
f17b941e86a7ba90d1452291d8357a8d02519d9ad1062d4c4a7fbf311a2499e4
Formbook
fcad0e5581e86e8359e00997302140bbaa37fed5240db35291404c9b16a9fc0f
Formbook
+ 278 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210202-g24wp1fzxj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.unitedfootballcamps.com/bf3/
Unpacked files
SH256 hash:
49dc26861fffee2f6440e56a10b7086ea305d2f16bb9e27ba3e08b9893557f86
MD5 hash:
e732cd6decfed3503b4020899d5a56f9
SHA1 hash:
024c1bf147c698e92aae340bbee323601d02a787
Link:
https://www.unpac.me/results/042f57b0-0b9f-4ea1-b73e-d4d050855913/
SH256 hash:
c06d4e3d0205d9bdd4a4b40b8da710d698b3a5d73a1626c9ca058c10b2c6d00c
MD5 hash:
7f67414b3fd29299f2d29ad7c2afb995
SHA1 hash:
2ec40d57c08c47433a6d044d271d74005dddae8d
Link:
https://www.unpac.me/results/042f57b0-0b9f-4ea1-b73e-d4d050855913/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/042f57b0-0b9f-4ea1-b73e-d4d050855913/
SH256 hash:
e2b5646e959fcf2f6ed994780262e65c16cecbc9d3421ada3239f26130ebe8d1
MD5 hash:
7a13d5b7628956f87cb4f24b3e66ff5d
SHA1 hash:
5a2a3e4a70a7ef67180b6dea2273c9c3ae162f9c
Link:
https://www.unpac.me/results/042f57b0-0b9f-4ea1-b73e-d4d050855913/
SH256 hash:
108d3fa3409a45ceeb1ee0309ea6c6369e9fd2f08daf3225eb5fe9f76af0972e
MD5 hash:
e0688ccabc0c88ebf3bde75ae545fdf4
SHA1 hash:
7b695314193062db288e505950834f35b3ff3336
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/042f57b0-0b9f-4ea1-b73e-d4d050855913/
Parent samples :
a68a5c0f7b3fcd4b0da8f24992a3d4d020e72d630e83947de700a02688fce48b
ed9c5c6d05892ce64f553810dcb3e3f2e8f0f58d46888bbfeeb744e89dd1cf8e
77d1e1c8c87b166c88ab728ff9830a8c7c2da67ce68a5348846fdfa1be8183b3
dd2338c1c8e798e8428bbd62513e3ca5aafb8d238a01e67e32330c7e383f2c1f
33b922d5874f3914984da8e1db4674fe7186e256d8f5acd1aa1a20d86a87ebcd
25cd952df9c74033229ec91a5da330e392390ca6120db46d9ab21d3120c9011c
d6c54588834faae60153c6a2e7318a7e9f243b9dbfbd6e0fc44d45f4d55c9fcf
110c39365be1d4d0307080c7a264654fa63725b7e99dbc271d8dedaa10300217
1a864aa18c8cc51ec4cb515224a4d51d97e398eef752c537e7308d52897b61bf
57f501264360e52cdc77696ff96c77b47ecad9ceb41cd0210cf2f3809bebafc8
fdf3aa0df3a0d4a6d053c55b970ad22f71f5db88f2da4f94bc18f1926b731f1b
720ffc99aa96c665aae27db46f776476c37ca113db207790579adfd81c73ad05
SH256 hash:
1a864aa18c8cc51ec4cb515224a4d51d97e398eef752c537e7308d52897b61bf
MD5 hash:
bb2edd99a1dad9fb9939097093d05d7b
SHA1 hash:
e1dffbad96e96d32870b55a77b197c7095c421f7
Link:
https://www.unpac.me/results/042f57b0-0b9f-4ea1-b73e-d4d050855913/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a864aa18c8cc51ec4cb515224a4d51d97e398eef752c537e7308d52897b61bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 1a864aa18c8cc51ec4cb515224a4d51d97e398eef752c537e7308d52897b61bf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/987609/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115145/

Comments