MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923
SHA3-384 hash: 46685af677558653988e3f5c9bbc80785425013360797f969ce60da1d73a515f4d33de9639c1233c16f75e0043db5d91
SHA1 hash: e74ffd286ebd8a00d8dcc9443cea74c43cf66cff
MD5 hash: d2923bb080d16dc6b1e1d95ea54513c9
humanhash: florida-pizza-victor-bulldog
File name:Our confirmation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'022'433 bytes
First seen:2020-08-11 14:06:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:3Qnk3GDYKGcblqZqZ8DKiiip7BuyM57gdtnSk+Kzw1GS7PjZoQ9P+rlkUFsG/XMA:5AOcZSqZaiip7on74S3KzCGIo0UBXD
Threatray 261 similar samples on MalwareBazaar
TLSH E8251242FB8188B2D4332A32683667917D7C7C205F358B1FF3E46A6DDA311902635FA6
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: franceloc-postfix.filnet.fr
Sending IP: 194.187.193.120
From: Cláudia Diniz <info@wip-hausschutz.de>
Reply-To: hg.virtucycling@gmail.com
Subject: GROUP CONFIRMATION
Attachment: Our confirmation.rar (contains "Our confirmation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43484/
Detection(s):
Win.Dropper.NetWire-9102409-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Creating a file
Adding an access-denied ACE
Launching a process
Launching cmd.exe command interpreter
Deleting a recently created file
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/419207
Signature
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 261975 Sample: Our confirmation.exe Startdate: 11/08/2020 Architecture: WINDOWS Score: 100 43 www.painlesscollective.com 2->43 59 Malicious sample detected (through community Yara rule) 2->59 61 Yara detected FormBook 2->61 63 Yara detected AntiVM autoit script 2->63 65 2 other signatures 2->65 12 Our confirmation.exe 73 2->12         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\...\qxmfog.pif, PE32 12->39 dropped 15 qxmfog.pif 3 12->15         started        process6 file7 41 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 15->41 dropped 51 Writes to foreign memory regions 15->51 53 Allocates memory in foreign processes 15->53 55 Sample uses process hollowing technique 15->55 57 Injects a PE file into a foreign processes 15->57 19 RegSvcs.exe 15->19         started        22 RegSvcs.exe 15->22         started        signatures8 process9 signatures10 67 Modifies the context of a thread in another process (thread injection) 19->67 69 Maps a DLL or memory area into another process 19->69 71 Sample uses process hollowing technique 19->71 24 explorer.exe 19->24 injected 73 Tries to detect virtualization through RDTSC time measurements 22->73 75 Queues an APC in another process (thread injection) 22->75 process11 dnsIp12 45 www.fex-tracks.com 162.0.231.94, 49739, 80 NAMECHEAP-NETUS Canada 24->45 47 www.newsflixes.com 24->47 49 2 other IPs or domains 24->49 77 System process connects to network (likely due to code injection or exploit) 24->77 28 cmd.exe 24->28         started        31 cscript.exe 24->31         started        33 autochk.exe 24->33         started        signatures13 process14 signatures15 79 Modifies the context of a thread in another process (thread injection) 28->79 81 Maps a DLL or memory area into another process 28->81 83 Tries to detect virtualization through RDTSC time measurements 28->83 35 cmd.exe 1 28->35         started        process16 process17 37 conhost.exe 35->37         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 14:07:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dlhu6zg3zzdoobktjfgpakkzmncsqr3qm3ghg3r7jhptxnrfherq._file
Verdict:
malicious
Similar samples:
0112bdb90e11eb117a1066b44657e7afba86f5a6155da9c12e25c346a34b36ca
Formbook
10189128ff7ff4ae10111c65ca809615595304636a0d0e451ee34bf23ee900a2
Formbook
2df93867afcfa816f19559f8afdc82701ff580a9c72906d2fb34b9ad9e6fb9ea
Formbook
37e7b7329552ca9f6ab3233ebe1d8ab96c4385b941b31a21ea43c4c2b85fca61
Formbook
6eb767d15a657e7d39c9534bbd4b24bcc9fb7d72b100b5456ac975a002ef93a9
Formbook
86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26
Formbook
8bc57dbd7aa1c3ac5b3e4f743eb616b93aec9bae6975ccdaa9ad596ada32275b
Formbook
9cd4df25010125f2ef3eeef44503b3c2b58435af758fe7213d053a60f018f3d8
Formbook
d2d355ef39f411f81c87e1c3e6feef02a0dccacf3cc37aa583e97ab9403e2ee8
Formbook
fc1fbab23528029108a690e17c533f4c5de405b84159d95ef976bbae3fbead7e
Formbook
+ 251 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200811-mrw7cd2ztj/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fex-tracks.com/hx232/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 333bc85165dd0b1eefe8e23005495b53585b4680908143f84479a4e7165b2b3d

Formbook

Executable exe 1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923

(this sample)

  
Dropped by
MD5 6a2f7599e257eb455e820aa917585710
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/43484/
  
Dropped by
SHA256 333bc85165dd0b1eefe8e23005495b53585b4680908143f84479a4e7165b2b3d

Comments