MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1baad45cc119fef01aa0a48c0ea82a6dc10c3365d44984d50f94f25866063474. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1baad45cc119fef01aa0a48c0ea82a6dc10c3365d44984d50f94f25866063474
SHA3-384 hash: a4c0ee3007bedf9b62fd1cc2480e7773edc7ff2dbfc56acf113c1e2dd28d654f2aca23ea7498d6f6f2b5af6d36821f0d
SHA1 hash: 3d282d189f9b1920de79e4dd0aa36cc280f6b53e
MD5 hash: a4c6ea4179cc3e52033866c2e100aa83
humanhash: violet-kitten-grey-bakerloo
File name:ijeonyi.com
Download: download sample
Signature FormBook
Create hunting rule
File size:2'871'701 bytes
First seen:2021-04-19 18:39:46 UTC
Last seen:2021-04-19 19:52:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 49152:BzdHVojfTtpn1PalNCaZzy1qN5U5tYQJ+/FFlS/x33od4O6cd:BzWtZ1PUzRy1s/PC33fncd
Threatray 2'365 similar samples on MalwareBazaar
TLSH 93D501A718BEB7C3D4795D32A8933068FB909503452734BBBA4D632B05B2DD812F9739
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ijeonyi.com
Verdict:
Malicious activity
Analysis date:
2021-04-18 23:39:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/496fdf17-1489-403f-808a-4773a6d60f34

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/138721/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.860602.10371.26882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/687579
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 392740 Sample: ijeonyi.com Startdate: 19/04/2021 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 6 other signatures 2->55 10 ijeonyi.exe 22 2->10         started        process3 dnsIp4 47 192.168.2.1 unknown unknown 10->47 37 C:\Users\user\AppData\Roaming\...\libtag9.dll, PE32 10->37 dropped 39 C:\Users\user\...\FMPlayerLauncher.exe, PE32 10->39 dropped 41 C:\Users\user\...\qtposition_winrt.dll, PE32 10->41 dropped 43 6 other files (none is malicious) 10->43 dropped 14 FMPlayerLauncher.exe 10->14         started        file5 process6 signatures7 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Maps a DLL or memory area into another process 14->71 73 Sample uses process hollowing technique 14->73 75 2 other signatures 14->75 17 explorer.exe 14->17 injected process8 dnsIp9 45 www.meenaveen.com 17->45 57 System process connects to network (likely due to code injection or exploit) 17->57 21 control.exe 1 18 17->21         started        signatures10 process11 file12 31 C:\Users\user\AppData\...\886logrv.ini, data 21->31 dropped 33 C:\Users\user\AppData\...\886logri.ini, data 21->33 dropped 59 Detected FormBook malware 21->59 61 Creates an undocumented autostart registry key 21->61 63 Tries to steal Mail credentials (via file access) 21->63 65 4 other signatures 21->65 25 cmd.exe 2 21->25         started        signatures13 process14 file15 35 C:\Users\user\AppData\Local\Temp\DB1, SQLite 25->35 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 25->67 29 conhost.exe 25->29         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1baad45cc119fef01aa0a48c0ea82a6dc10c3365d44984d50f94f25866063474/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dovnixgbdh7pagvausga5kbknxaqym3f2reyjvipstzfqzqggr2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02c3598e5f583ac0f0aa5d5c666095d1ab1cd02ebf8d23ad7db61f00da7b793a
FormBook
05c3b01f3f582815a9a5c99845273306a23302342adf5215c7fb817e963cc4e0
FormBook
09f19a43e9a0b736e9fcd33359267340b91a2ccc376c8cda72fac9754c1493c0
FormBook
2080ae2cfe843c0e1754f994b356086718dd6dceedf974ca37b629fb4da817a6
FormBook
290963ddb0862d90575e418931ac2cfacfbb79146f5846771e81046298bf75e8
FormBook
41c87199c61ff26a9f486e5bc9b6bfd010b4c112922bad655599f9a06e2c0ffc
FormBook
5fb8b22a773eb50d70b1f58a72dd7903aa7162b40b64326c0a9985027943e083
FormBook
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
FormBook
720ffc99aa96c665aae27db46f776476c37ca113db207790579adfd81c73ad05
FormBook
98820c48f104e5644529c8e9b012e7c2de6aca35aca322b342ccd23aefdedc96
FormBook
+ 2'355 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210419-cklfhp3pj6/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.hollandhousedesigns.design/vns/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.82
Link:
https://yomi.yoroi.company/submissions/1baad45cc119fef01aa0a48c0ea82a6dc10c3365d44984d50f94f25866063474

File information

The table below shows additional information about this malware sample such as delivery method and external references.

70ad0c658ef3c95f389896a3cedb54f1855a7f2c5afafbfbf974bf8ae500b586

FormBook

Executable exe 1baad45cc119fef01aa0a48c0ea82a6dc10c3365d44984d50f94f25866063474

(this sample)

  
Dropped by
MD5 5ca3d81ccdb1e0f1fde38635661b4406
  
Dropped by
SHA256 70ad0c658ef3c95f389896a3cedb54f1855a7f2c5afafbfbf974bf8ae500b586
  
Dropped by
FormBook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/138721/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-19 19:05:10 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0045] File System Micro-objective::Copy File
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [E1510] Impact::Clipboard Modification
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process