MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bcb33eed3dc2a21fba05a84a06d63d2313c4b69e0eb6db6e781ffa7a7732b03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bcb33eed3dc2a21fba05a84a06d63d2313c4b69e0eb6db6e781ffa7a7732b03
SHA3-384 hash: 26ba0f04381f8e17fc2e399381b4305af52a03ceb58c815893b3185c72ddd28604407d3a0ea89830b273637c9761bfd6
SHA1 hash: 4b9f4e1aeca94984f57767be2d8c32d62b8907c6
MD5 hash: ea9dac7924879bf7102464b3095e81bc
humanhash: arkansas-wolfram-zulu-seven
File name:jsc_PI.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:697'856 bytes
First seen:2021-06-30 11:09:36 UTC
Last seen:2021-06-30 13:49:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:P4W2vwGBbX5Tyg1Ve6d31WrYQtULq/7nrTvDBzjq6a:P4W2vbX+6d38rYQtxjrxzj
Threatray 6'057 similar samples on MalwareBazaar
TLSH 0CE47D311BA95A36E0BA9FBDD5A1208197FDF6236F03D85C78B511C50712E83C9F262E
Reporter DFNCERT
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
3
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
jsc_PI.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-30 10:52:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b7f18ccc-8197-4697-ae1f-b184f0963583

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.899.10301.28406.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10f8e9ee-7379-4284-86a3-2d1b2f4866b0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809897
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1bcb33eed3dc2a21fba05a84a06d63d2313c4b69e0eb6db6e781ffa7a7732b03/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 09:05:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dpfth3wt3qvcd65alkcka3ld2iytys3j4dvw3nxhqh72pj3tfmbq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03735650255866b1c2592bcb4567cbcb2b9d23eea5430d2e7d7c6315abadb5ad
Formbook
38aca7d4c7a084ef1da611f17f38c78e6f13cdee6f586c3e672b20addc6dbed1
Formbook
3be580a28c970cf3ec0a48d5de174b94339eafbf1521d8047687ebf00a36058a
Formbook
3cec9bd714745b020366af9537184c619794ef4dee36c99093f53b243c97dcc1
Formbook
735d11c1fa476083846e9e622af57a902ff20be1a1bbce7d8ec9f7f4179d1bb3
Formbook
7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa
Formbook
8241caa4d6c5a09290864492d19dee143f0f80074d370135c0f91bad01c16ee3
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
cbd8d7c3cf92798b8306074a078a94b84cb49a0db60eafc22d277231a23d7fda
Formbook
e1fee7ee20f6d3bd6e913baeae737c558014454223d552c125c3f963e7c1a843
Formbook
+ 6'047 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210630-yg8jjxplla/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.kalptarucentrino.com/owws/
Unpacked files
SH256 hash:
e1d7326180a824acdf35dbd16cbd2046d51363b4a5676aaab0c6f08a05c2f946
MD5 hash:
6049060d76baafa23b8b0afc17b8792a
SHA1 hash:
969734dcff15739eca656c2f8a3f567ddf4ed28a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5963a48c-da8b-46ca-a01b-293deb5158d5/
Parent samples :
1bcb33eed3dc2a21fba05a84a06d63d2313c4b69e0eb6db6e781ffa7a7732b03
0e3ed29a7b0e14ac4eb4f2d85b24e63bbb08e8990a048db3846aa509da72955d
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/5963a48c-da8b-46ca-a01b-293deb5158d5/
SH256 hash:
189da08e18dff70bc94710963ac9785c05a46b4cffd851f73e61cdc410522f95
MD5 hash:
b1de01a255689304a03773dc324b0197
SHA1 hash:
2aaeda36efb57594d66dcc1015c57cb7f504379b
Link:
https://www.unpac.me/results/5963a48c-da8b-46ca-a01b-293deb5158d5/
SH256 hash:
1bcb33eed3dc2a21fba05a84a06d63d2313c4b69e0eb6db6e781ffa7a7732b03
MD5 hash:
ea9dac7924879bf7102464b3095e81bc
SHA1 hash:
4b9f4e1aeca94984f57767be2d8c32d62b8907c6
Link:
https://www.unpac.me/results/5963a48c-da8b-46ca-a01b-293deb5158d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/1bcb33eed3dc2a21fba05a84a06d63d2313c4b69e0eb6db6e781ffa7a7732b03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 923cee65b6864e983a89554726ee733823b721f6e98d59c27491e3c76ea4efff

Formbook

Executable exe 1bcb33eed3dc2a21fba05a84a06d63d2313c4b69e0eb6db6e781ffa7a7732b03

(this sample)

  
Dropped by
MD5 281d0fb65aaf7ac9588f359d53928d0a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 923cee65b6864e983a89554726ee733823b721f6e98d59c27491e3c76ea4efff

Comments