MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c
SHA3-384 hash:	cac903525ac7ad2117ef30b433135975dadc3dc150a0d5a48c53cadefee6489cf6c6c4f5363ab6dee04da9614986d564
SHA1 hash:	49d23c8eac05f7c8af203f0b46f7d805fc4b1724
MD5 hash:	da9914f2f681c7ef59293d3804c9133d
humanhash:	speaker-spring-crazy-floor
File name:	Teklif Isteme Formu.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	219'587 bytes
First seen:	2022-10-24 12:47:54 UTC
Last seen:	2022-10-24 14:17:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	6144:qweEpobsxm+SEfyjP4P3yYZcfrFPWHFjp:bowkAwfrFPWH
TLSH	T1A32412336AD2887BF9C740B19AB5ABA6E2B77C501371530F57B02F7E9C36289480D1D6
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	lowmal3
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Teklif Isteme Formu.exe

Verdict:

Malicious activity

Analysis date:

2022-10-24 12:49:33 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/9a0305a9-4bbc-4e47-8e4e-2ff98ceb3ea1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/323419/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.560.26995.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for the window

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Searching for synchronization primitives

DNS request

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0245eca2-6f8b-4480-a13e-b87aaf635907

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1096530

Signature

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c/

Threat name:

Win32.Trojan.GenericML

Status:

Malicious

First seen:

2022-10-24 13:59:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dpf7dxhgpag37mnrvuoyn4s5jn5fabr34w2gid4jheeftage4aga._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:et02 rat spyware stealer trojan

Link:

https://tria.ge/reports/221024-p1r1cageh6/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook payload

Formbook

Unpacked files

SH256 hash:

4119ded25b9d01e546ee42d7a45082c2504ea991f6eccb7c74427a9321c1fb5a

MD5 hash:

74b9bd019c741c26889aa89a6a2d6456

SHA1 hash:

a9e8ebbd7a8fbd51aed0fc08a50f11bb91b5b644

Detections:

FormBook

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/ed49f530-f361-4a25-9b5a-485fc166d332/

Parent samples :

5b2bee7d89137e5b5c3eae900446b022c482a5ecd56ede64214ec95498c0f35e
13f17498233c027b2634373a0bd1f1978748102b7cfb798ef52d34c48b92661c
3a48a55ee6f9ace1e0b8042458f9d16deb6ff58970873c2e9f063c60f6821127
dc3f7072eb60a4282bd3f6e8fa600c17a9c9f8ade539111bcadcab024a186455
5ab3c03297b5f627ff9ae8b6234c9789c03ba6e497d2bb9672272662a184a328
1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c
9469fcaa1fdedbca5dea10fbc8908e549bd80111eebeb817b1f74d6355fdff66
1e1725100ca63de1addb3e668dbbef572a683beb2bf3c1648181ec1cc3479cf5

SH256 hash:

bc74795639b62eb7a3958ad888e682031fa055f610db1739e51efa057adbf308

MD5 hash:

c20ebe6762bf3ff431b6db1e4fa70a95

SHA1 hash:

85bbc70e270515b53c26966a720249b4559b9835

Link:

https://www.unpac.me/results/ed49f530-f361-4a25-9b5a-485fc166d332/

SH256 hash:

1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c

MD5 hash:

da9914f2f681c7ef59293d3804c9133d

SHA1 hash:

49d23c8eac05f7c8af203f0b46f7d805fc4b1724

Link:

https://www.unpac.me/results/ed49f530-f361-4a25-9b5a-485fc166d332/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe 1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/323419/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample