MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c1bd111e86a9aee6b0ff68a0a928a7aa6e16bbb836df73acf7270e098688eff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c1bd111e86a9aee6b0ff68a0a928a7aa6e16bbb836df73acf7270e098688eff
SHA3-384 hash: 41085a9930d7926f4e497c66997a6c8f62cc6911df394ce4330868b113d61331060458f5a3a5ea81eda3d7a9197aebe8
SHA1 hash: f37e92ccd5da52ce116a3c1837237d580d92caa7
MD5 hash: 95fcde9e18cf70ccba4b2323df3f7022
humanhash: delaware-kentucky-purple-paris
File name:Product Qr.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:790'016 bytes
First seen:2021-10-25 05:01:54 UTC
Last seen:2021-10-25 06:09:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Mz+7y3JTLqJFTPqWzzMSjH+G6tqn0xNZtZk2baDMAsDeKhW3W:C+sTLqJzM48LxNHZWDMAsDQG
Threatray 10'867 similar samples on MalwareBazaar
TLSH T13EF47B3E2106DE4AEABA2FB8105015F41FE16CE79E2DC5197DE97C89E3B3981CD22570
File icon (PE):PE icon
dhash icon 27d0d8d4d4d8f006 (1 x Formbook, 1 x Loki, 1 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199709/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.20279.UNOFFICIAL
Create hunting rule

Win.Trojan.Zusy-6985095-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/60dddadf-4431-4891-b783-9ea581bb8764
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/875935
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c1bd111e86a9aee6b0ff68a0a928a7aa6e16bbb836df73acf7270e098688eff/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2021-10-25 01:26:06 UTC
AV detection:
19 of 44 (43.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqn5cepinkno42yp62faveukpktoc253qnw7oowpojyobgdir37q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
05c721de03dbe651feaf7322045cbfe600ce28e68e0497bec94c927ccc4d6a86
Formbook
3a6ec75b656e165939ee0d1f985678cb1799151e33449bba28c6a830ead01e3a
Formbook
4fa4620f075ed6875b96da8c661287fc12c586ddc524c866a6861a6a94a26bee
Formbook
8943af6c4da94f93c169ef98a7b8393ca92b01753e89ea5503d5740bcc45296d
Formbook
96c65dbeb55d5794541c9132447e41735610c1948b78c138d796e9db8528dd87
Formbook
98f8f84dbf9e3a4462066c94e447ba3bdc6bc3d0119511e8c6d6cea0234f885c
Formbook
ac8abd21ec11d62b86a0afe3c1ef2b250d4439cde34f46529968a77eb8bc0800
Formbook
c288fba4b7716faf5562f4608d8ad0c1755ae059ba3d69569b60cf38a5f6f695
Formbook
d66268222a39fd97e792983a3bacdb1e81067b7a28848a87fe65a5dc91f7e82a
Formbook
f1d0b0bb1e438e5dfe53cda279dd4d1f07b18ac172ce39c4eb5fcfaf8ccedb89
Formbook
+ 10'857 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ubdu rat spyware stealer trojan
Link:
https://tria.ge/reports/211025-fn5agafeg8/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.firsttracksdigital.com/ubdu/
Unpacked files
SH256 hash:
b7b4b3946d34419615b139b7a2a7b6771e12893953cad239de91ee4834a94cd7
MD5 hash:
149ad21a33b67529151ce1649cbd0ff7
SHA1 hash:
a835cef01e6464d6496478834ca3c58b9a96896d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/04e5648f-c20b-41df-a197-5edca1632c62/
Parent samples :
96c65dbeb55d5794541c9132447e41735610c1948b78c138d796e9db8528dd87
1c1bd111e86a9aee6b0ff68a0a928a7aa6e16bbb836df73acf7270e098688eff
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/04e5648f-c20b-41df-a197-5edca1632c62/
SH256 hash:
68029eb2e42358ff501eebad90049cc83a3036f49df5e1819fd69189d3ea8e25
MD5 hash:
f01cfac7c8c9fd4d190add8f2628c451
SHA1 hash:
36cd5de0fd9e19caeb4ba8ff19b25ef696cbc8f4
Link:
https://www.unpac.me/results/04e5648f-c20b-41df-a197-5edca1632c62/
SH256 hash:
1c1bd111e86a9aee6b0ff68a0a928a7aa6e16bbb836df73acf7270e098688eff
MD5 hash:
95fcde9e18cf70ccba4b2323df3f7022
SHA1 hash:
f37e92ccd5da52ce116a3c1837237d580d92caa7
Link:
https://www.unpac.me/results/04e5648f-c20b-41df-a197-5edca1632c62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1c1bd111e86a9aee6b0ff68a0a928a7aa6e16bbb836df73acf7270e098688eff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1c1bd111e86a9aee6b0ff68a0a928a7aa6e16bbb836df73acf7270e098688eff

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/199709/

Comments