MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c1c755e4827a8d1918edff4c58f088ba57fdea5358ba3d627645836703a499f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c1c755e4827a8d1918edff4c58f088ba57fdea5358ba3d627645836703a499f
SHA3-384 hash: e7d9bee012db30500032087a3750111384674d8f16cf588e81cc97b80bfe15d952978716ca4fd694fa1da678fc0dc82d
SHA1 hash: 2f4f1bd54d32d49d4616d92db47d220a885462cb
MD5 hash: fa3c75c02aa09d4de7c6c60348250f20
humanhash: eleven-yellow-jig-pluto
File name:fa3c75c02aa09d4de7c6c60348250f20
Download: download sample
Signature Formbook
Create hunting rule
File size:890'368 bytes
First seen:2022-03-08 18:16:43 UTC
Last seen:2022-03-08 19:55:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:rrkybqDSutYIJ/TJZZtMDpmHqlXyB0plNNWf2Q8FT:cYS1Z3MgHqBfWfZ
Threatray 14'405 similar samples on MalwareBazaar
TLSH T19B15E05C7A50759FC417CD3789A01C64AB60A8BB430BE307A49326AD9E4E6DFCF251F2
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248456/
Detection(s):
SecuriteInfo.com.Variant.Bulz.580722.21727.5520.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62279da8b94fb38cb43fd5e8/reports/4e089180-edb8-4900-b2d4-716ef53b903c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1ac9f2a-eaf7-43d7-94d2-86ac51352c58
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952868
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 585347 Sample: NDLl6Wlx8u Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 31 www.lazermakinaservis.com 2->31 33 www.aeonella.com 2->33 35 3 other IPs or domains 2->35 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 9 other signatures 2->43 11 NDLl6Wlx8u.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...29DLl6Wlx8u.exe.log, ASCII 11->29 dropped 53 Tries to detect virtualization through RDTSC time measurements 11->53 55 Injects a PE file into a foreign processes 11->55 15 NDLl6Wlx8u.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 process10 20 WWAHost.exe 18->20         started        23 autofmt.exe 18->23         started        signatures11 45 Self deletion via cmd delete 20->45 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Maps a DLL or memory area into another process 20->49 51 Tries to detect virtualization through RDTSC time measurements 20->51 25 cmd.exe 1 20->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1c1c755e4827a8d1918edff4c58f088ba57fdea5358ba3d627645836703a499f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 12:12:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d77b75875a9194d47cc35e0a00c6ae29215e585616a28b2519239ee6a6a8165
Formbook
1358d88e078f1c59b546256968179bf213928f1e6f4e7afa255681b2cd8f92a2
Formbook
3c010d88a118ba3cc666e05c6f8f82159ac38e5486b5ed60c65d870287b8cff6
Formbook
5ab3abbaaa772885b083fd8bd8d5855e8c6578c4a7cbaeef2cf68c1a3f4c1e11
Formbook
6ed4597153654e9526d066d62bbf7cc0e7d7e0660049f9e3b826475d3fa71abe
Formbook
8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa
Formbook
9b9e383f7635be680129b113ad1e827c61e2e2cf1ce7ccccd2f09b9a0a546494
Formbook
a6525de47e9c194acea3d0048b4633a9bb0f0bab0bfe2eb5e1ec3aa126909e32
Formbook
b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d
Formbook
+ 14'395 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:w26e rat spyware stealer trojan
Link:
https://tria.ge/reports/220308-ww2gjsacc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Unpacked files
SH256 hash:
f6acc7a3be7cd6ce48cb46b5eedc3ee00322f3b6b4b602751420e9f6fd13a77a
MD5 hash:
981369f1ffdbccbfc64768cb39c9c305
SHA1 hash:
b53ccfbbbf0a49fc81685b8204d7d9334031566d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d4de343-98a1-4846-8c4e-2b144ff755ac/
Parent samples :
b0b6191866c81bd822102f7f74d1df215f5f3a38552665d7e1e69628e7859f1d
a6525de47e9c194acea3d0048b4633a9bb0f0bab0bfe2eb5e1ec3aa126909e32
1c1c755e4827a8d1918edff4c58f088ba57fdea5358ba3d627645836703a499f
9621e6459dc138fb11bc279b6583fc68eed0db7b284e198c74dda8385db8ce0d
2c81b04d9509cf29e05309b84972fa9bf47b34bdf64032ade464fcc55a54a1b8
e4d0ebfd2e92b3848aa302ff71782e2bb7b55b1340f340c89e263e9d1a2a6987
SH256 hash:
112044fb81cbfa177caca75542f3385c0a30ba33b3cd197f21027eb1a6afc8fb
MD5 hash:
d90f89d8500775e8a8a86b06cf0f40a7
SHA1 hash:
9fa826826fbacf0db1c7cbb0051c46ea78d5e865
Link:
https://www.unpac.me/results/4d4de343-98a1-4846-8c4e-2b144ff755ac/
SH256 hash:
175285bfa8a73b3990f54994b8825c1f3396635bc344939cd8d9fc60b9569b46
MD5 hash:
f26eb90c6addfc99fa0c2e63896216d2
SHA1 hash:
77e01b96d8c211d4d24fc0a1aae91122caf5f668
Link:
https://www.unpac.me/results/4d4de343-98a1-4846-8c4e-2b144ff755ac/
SH256 hash:
914fb36dbacfd9e50ae7b92b32a728eaec8f6e7d25767e3ea487714ec81a9e4a
MD5 hash:
2fbce029525f2004edf57fc136d6a6cf
SHA1 hash:
43ef4a079e06ffc677ea4051cbdef1900f946238
Link:
https://www.unpac.me/results/4d4de343-98a1-4846-8c4e-2b144ff755ac/
SH256 hash:
1c1c755e4827a8d1918edff4c58f088ba57fdea5358ba3d627645836703a499f
MD5 hash:
fa3c75c02aa09d4de7c6c60348250f20
SHA1 hash:
2f4f1bd54d32d49d4616d92db47d220a885462cb
Link:
https://www.unpac.me/results/4d4de343-98a1-4846-8c4e-2b144ff755ac/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1c1c755e4827/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/1c1c755e4827a8d1918edff4c58f088ba57fdea5358ba3d627645836703a499f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 1c1c755e4827a8d1918edff4c58f088ba57fdea5358ba3d627645836703a499f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2084647/
Cape
Cape
https://www.capesandbox.com/analysis/248456/

Comments


Avatar
zbet commented on 2022-03-08 18:16:45 UTC

url : hxxp://103.149.13.56/__protectcloudX/.svchost.exe