MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051
SHA3-384 hash: 6bda82f64dbd691d7964f0d6763e5b3e5b094c39e6d1dd2b61b6e0e2c0a830f35a0cd225d53923715a9fbe04ba281cea
SHA1 hash: 5ac500d7d0a7d1fcc78d7f5687a45eeb24b30740
MD5 hash: 718a18aba605da53b39b412711ad10c6
humanhash: mango-table-cat-comet
File name:RFQPO#0010202020.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:572'928 bytes
First seen:2021-11-02 08:30:00 UTC
Last seen:2021-11-02 10:14:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:w9bJ9VBE06tTlxpMa7zhoTR9kZiykm5YA06V3e5xf:w9bJOTPpn7zhoTMZiykmCHL
Threatray 11'034 similar samples on MalwareBazaar
TLSH T1A0C4DF3820E45626CBEE93759D55C52813B15CAE6413EB0C4EF0FDE33AFE3A34A16856
File icon (PE):PE icon
dhash icon d0f4ccf2faaaead4 (10 x Loki, 9 x AgentTesla, 9 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQPO#0010202020.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-11-02 08:40:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/badc429a-dc79-4987-96d4-8bf947b3f8ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201355/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47300229.15364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6180f70f9982ff7c3f7a6800/reports/7abbe1f7-6a68-49d0-95dc-ad7a5add14f8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/34520d88-37ef-49ef-8d76-721183811a19
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/881079
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 513510 Sample: RFQPO#0010202020.pdf.exe Startdate: 02/11/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 11 other signatures 2->44 10 RFQPO#0010202020.pdf.exe 3 2->10         started        process3 file4 30 C:\Users\...\RFQPO#0010202020.pdf.exe.log, ASCII 10->30 dropped 58 Tries to detect virtualization through RDTSC time measurements 10->58 60 Injects a PE file into a foreign processes 10->60 14 RFQPO#0010202020.pdf.exe 10->14         started        17 RFQPO#0010202020.pdf.exe 10->17         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 19 explorer.exe 14->19 injected process8 dnsIp9 32 best1bitsuccess.com 160.16.111.153, 49850, 80 SAKURA-BSAKURAInternetIncJP Japan 19->32 34 www.heyworld.xyz 104.21.40.73, 49851, 80 CLOUDFLARENETUS United States 19->34 36 2 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 48 Performs DNS queries to domains with low reputation 19->48 23 explorer.exe 19->23         started        signatures10 process11 signatures12 50 Self deletion via cmd delete 23->50 52 Modifies the context of a thread in another process (thread injection) 23->52 54 Maps a DLL or memory area into another process 23->54 56 Tries to detect virtualization through RDTSC time measurements 23->56 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 05:52:15 UTC
AV detection:
8 of 44 (18.18%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dsphbqbfmzyihllb3ema2hsbq4xc3js66trykstmofibs5sicbiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
32b793817b07a78490aa882218fb2880723c7ba23381545a2d7facfe0cacf4c1
Formbook
4cd1e6edc08c369a7e62542c25d5918fdfdc7d7729a078be8235604e20a60302
Formbook
4f99372e8c06a6ea2bbb9c6841626ea48ad62b8ee89f3ae853c0e0b1b48ef76c
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
616838e6dfff493e546f51436ee3c0bbe99d459c18abbbb71a6207555e9d73e6
Formbook
8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc
Formbook
a33cbeb94697eb2355ea92f44f065e52461adaf621ad548d066dc73d6d76eeb9
Formbook
a68cb3bf1d9d41e29fcf2e4391e827591e58783cea5a13fe95403fb6b3429b5d
Formbook
d6a8c5f4120e3be2e6d676d808dbdadc074f811398ac5b03878baba7275137d4
Formbook
fa5502396dc7ec0fc5508d901eb8b3e555558cdbaff338a1911db0edd4563b78
Formbook
+ 11'024 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g2rc rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211102-kd6g1ahagn/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.naturigin.xyz/g2rc/
Unpacked files
SH256 hash:
a0e79eb21e1fcf38820c01bc02d965f87ad94db3d0c8eca2f3470a68b38f78bb
MD5 hash:
7502d4005011c8da7a0e1958c196423c
SHA1 hash:
ac38ea38c97db58fbdfeb7f85c99e89eae380f96
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/91d0452f-fac4-427b-bcda-9a19a7b8bc8c/
Parent samples :
1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051
dfe5b41bc1bd88c37ab8be5285c34f0f5dc2e168e94a9c4d8231879d5e8338f2
SH256 hash:
7ec7c47de5927351c7035f8657a2dd91c42fd6ed6e4da309e34b87ef0b0ba785
MD5 hash:
171a2669225911b41301096cd9dcf19f
SHA1 hash:
dc25f1f69faec5174e489a0d1a18cf14cf7fd1b5
Link:
https://www.unpac.me/results/91d0452f-fac4-427b-bcda-9a19a7b8bc8c/
SH256 hash:
f82815cbcfbf95d781bdaba3b03236dd953de21bde63e3657f82ba461f7cb08f
MD5 hash:
7d9cd008a06e19cd3835384337fb74fa
SHA1 hash:
8920cad2b3d1db13185c42b75e7f973f2b0ba0c1
Link:
https://www.unpac.me/results/91d0452f-fac4-427b-bcda-9a19a7b8bc8c/
SH256 hash:
1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051
MD5 hash:
718a18aba605da53b39b412711ad10c6
SHA1 hash:
5ac500d7d0a7d1fcc78d7f5687a45eeb24b30740
Link:
https://www.unpac.me/results/91d0452f-fac4-427b-bcda-9a19a7b8bc8c/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1c9e70c02566/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/201355/

Comments