MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7c29ec3b8b5e6d2ef3535b36990ad6dec6c2cd2800bb237717965b23ca8a16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 15 File information Comments

SHA256 hash:	1b7c29ec3b8b5e6d2ef3535b36990ad6dec6c2cd2800bb237717965b23ca8a16
SHA3-384 hash:	eb460edcb5419bfd36d785c92f3566755a9293c9a01caf798e9a06286b51d5625633640d134253dbebc5edc903df01c1
SHA1 hash:	148f131684dc58e044f319f03d4b18f17b3ce592
MD5 hash:	2009622d584babb952a3347a408c6f39
humanhash:	carolina-oranges-oregon-table
File name:	Quotation-3927377773.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'134'446 bytes
First seen:	2024-01-11 02:10:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12e12319f1029ec4f8fcbed7e82df162 (430 x NirCmd, 392 x DCRat, 52 x RedLineStealer)
ssdeep	24576:yTbBv5rU/xYCVBDRPbdnBldBv++3SBGa6mXcqIAXiAQFSDU:UBmYCVZRzdnBlT24LAXiAVA
Threatray	2'607 similar samples on MalwareBazaar
TLSH	T1FD351202BAC298B2C4724E325D75A711ED797D206B65CFCF67C00A29EAE24C1D731FA5
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	f6e682b2b2542c2c (2 x XWorm, 1 x AveMariaRAT, 1 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

325

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/470268/

Detection(s):

Win.Malware.Lisk-10008719-0

Win.Malware.Lisk-10008720-0

Win.Dropper.Nanocore-10010324-0

Win.Malware.Autoit-10012969-0

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a UDP request

Creating a file

Enabling the 'hidden' option for files in the %temp% directory

Adding an access-denied ACE

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm autoit control greyware installer keylogger lolbin lolbin overlay packed replace setupapi sfx shdocvw shell32 wscript

Link:

https://www.filescan.io/uploads/659f4e3a3c61cd5b424e9a40/reports/20f7191a-d63a-40c2-911a-86cea9a43676/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/1b7c29ec3b8b5e6d2ef3535b36990ad6dec6c2cd2800bb237717965b23ca8a16

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bf1eb612-6702-4c6f-8761-4374ad0102d1

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1372785

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Creates autostart registry keys with suspicious values (likely registry only malware)

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1b7c29ec3b8b5e6d2ef3535b36990ad6dec6c2cd2800bb237717965b23ca8a16

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1b7c29ec3b8b5e6d2ef3535b36990ad6dec6c2cd2800bb237717965b23ca8a16/

Threat name:

Win32.Trojan.Lisk

Status:

Malicious

First seen:

2024-01-10 11:52:29 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 37 (43.24%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dn6ct3b3rnpg2lxtknntngik23pmnqwnfaalwi3xc6lfwi6krila._file

Verdict:

malicious

Label(s):

formbook

Formbook

9932a993d99136f37df22dd144438e8dfe94bc17b0de0b4da258c64cc401e229

Formbook

b5fbb6b68bdfdce41639d893cc56d10024e4cc251d9bb867cd25e68c5eb5b3e3

Formbook

c7c1f9e094890a135131fea3083df258c2d7c6375aab3061fdf0b1e5b9c3ba66

Formbook

cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f

Formbook

e6032f19912376cf1309dd2586a98236bae532e2e0f50be16d13d515727d0196

Formbook

f2654977c1d40ceaf88ac1ec3ec51e5ffd603cc80a58c1a0e2b8c7c6bb5a8bf9

Formbook

+ 2'597 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240111-cl9wdsdec9/

Behaviour

Gathers network information

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Unpacked files

SH256 hash:

1b7c29ec3b8b5e6d2ef3535b36990ad6dec6c2cd2800bb237717965b23ca8a16

MD5 hash:

2009622d584babb952a3347a408c6f39

SHA1 hash:

148f131684dc58e044f319f03d4b18f17b3ce592

Link:

https://www.unpac.me/results/ab1e88e9-faad-44f9-b476-d5226d4e0094/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b7c29ec3b8b5e6d2ef3535b36990ad6dec6c2cd2800bb237717965b23ca8a16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 1b7c29ec3b8b5e6d2ef3535b36990ad6dec6c2cd2800bb237717965b23ca8a16

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/470268/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample