MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cb687fb145088863a9deb90dfac801c8d7bc03ea4938fcb8d800dca658b69e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cb687fb145088863a9deb90dfac801c8d7bc03ea4938fcb8d800dca658b69e1
SHA3-384 hash: 25790c7db05e164a6a6ed732718233e232509e94999b44f943c50045ad51be7225a3453a53dd38d4357bc68669dbad19
SHA1 hash: b050e73538a7c8a783b164c40bb4b42eff825236
MD5 hash: 1c3075ea6370094c1f0b08c0e67fac63
humanhash: nineteen-diet-lithium-paris
File name:9046- PA118- SUPPLY & INSTALLATION OF EQUIPMENTS OILFIELD EQUIPMENTS & SUPPLY - REQUEST FOR QUOTATION.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:926'720 bytes
First seen:2021-04-20 06:19:35 UTC
Last seen:2021-04-20 07:13:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:QcdIWmw+MJ5VEzeYSs13IsRRRRRGlzWh0appFFFpppppppFFFFFFpFpFFpppppFw:xhoMJDEzG21RRRRRGlzWh0appFFFpppJ
Threatray 4'772 similar samples on MalwareBazaar
TLSH 0C155B5C721475DEDA6BD2758BA85C54EB503C7B434B820BE02731BAA97C883DF160FA
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8ab290b9-f087-4e5b-8115-a953616bf159
Verdict:
Suspicious activity
Analysis date:
2021-04-20 06:37:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40ca6e83-d16b-4002-be20-15c233d07209

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.671.16425.30779.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/688328
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 393111 Sample: TION.pdf.exe Startdate: 20/04/2021 Architecture: WINDOWS Score: 100 31 www.katsworlds.com 2->31 33 www.hibiscushealthcare.com 2->33 35 2 other IPs or domains 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 8 other signatures 2->49 11 TION.pdf.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\TION.pdf.exe.log, ASCII 11->29 dropped 59 Writes to foreign memory regions 11->59 61 Allocates memory in foreign processes 11->61 63 Injects a PE file into a foreign processes 11->63 15 RegSvcs.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 2 other signatures 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 37 fand-sodan.com 133.242.249.176, 49763, 80 SAKURA-ASAKURAInternetIncJP Japan 18->37 39 www.myglowskins.com 109.68.33.25, 49765, 80 GD-EMEA-DC-LD5GB United Kingdom 18->39 41 17 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cb687fb145088863a9deb90dfac801c8d7bc03ea4938fcb8d800dca658b69e1/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ds3ip6yukceimou55oin7leadsgxxqb6usjy7s4nqag4uzmlnhqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04df6344497e9d1c321f32b61df87db549d179c6c66c3bf0b2cc7f6b1510040d
Formbook
34066150ffa7efa505b8d2246925cd8a32f83b9609438ae76aa27cef7388054d
Formbook
4d8a482a05fd92a0186ad2c0f3e77a86740f5c5c7850de4f5ed93e03ed640026
Formbook
5397f0168be76c7e5efee936d341eb359b9015af5e77631129dc0664105e9259
Formbook
84e98f3890f5726bce09f463487b93b93de8edff0ba96fb07e06631422ab71d0
Formbook
86bca4941a28d08e94135a0bacc303f03cfd9b2f67e8979df496ba2e9d6ac93e
Formbook
ad855c55e13ef5274a20805a3836b508c29cae12d0a2de2807aed08ed4090ddd
Formbook
c58abe9cc2eda9f80841417a5e8dd7c75416cf0183a6fda6b616a2c312450ab5
Formbook
cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
Formbook
e1339c4548f73e4f250fed46d56bbce84491ca122aed7527731bb8d72df83e11
Formbook
+ 4'762 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210420-v7ar26hq76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.huamxvcyq.icu/aepn/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cb687fb145088863a9deb90dfac801c8d7bc03ea4938fcb8d800dca658b69e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 17df69c1e0d9a5228e6583dea7a5659faa82b3a55f32c4338d80954b8e77d3bf

Formbook

Executable exe 1cb687fb145088863a9deb90dfac801c8d7bc03ea4938fcb8d800dca658b69e1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 17df69c1e0d9a5228e6583dea7a5659faa82b3a55f32c4338d80954b8e77d3bf

Comments