MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d9709a43a56ed769aee507cd4b9116ca3d72d93a86d612c0984f6ab375c1717. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d9709a43a56ed769aee507cd4b9116ca3d72d93a86d612c0984f6ab375c1717
SHA3-384 hash: e155985c2c3e555accf83b8169656ba1915f627ee31ef48aaa69ad91088a0e3840a00767bd7a60218b0c82a8ec54028f
SHA1 hash: caaea4dba262c6f133184d2ff63e3952df338aa1
MD5 hash: aa5bec3fc7d67dff5a8f52483dc8b57c
humanhash: spaghetti-fix-fanta-robin
File name:TT Copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:247'153 bytes
First seen:2022-03-28 01:31:11 UTC
Last seen:2022-03-28 02:44:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGilkYiV5INf/5IC9iVVnYDKSpieBXTx/pEQZRE5iR:hkKaCsVVnYDiepTJC6RD
Threatray 14'408 similar samples on MalwareBazaar
TLSH T1BD342227BBC06F7BD969283303728376F77DC604D1C2990787505E9E3B7A19721062B6
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258290/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.1798.31330.26442.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624110129253b276b78a2c0c/reports/3014e112-eda5-485e-884d-1854f23f5e1b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94307076-5033-4481-a677-61cb5cadbd26
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965441
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 597922 Sample: TT Copy.exe Startdate: 28/03/2022 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 4 other signatures 2->47 11 TT Copy.exe 18 2->11         started        process3 file4 31 C:\Users\user\AppData\Local\...\lupgksq.exe, PE32 11->31 dropped 14 lupgksq.exe 11->14         started        process5 signatures6 55 Multi AV Scanner detection for dropped file 14->55 57 Tries to detect virtualization through RDTSC time measurements 14->57 17 lupgksq.exe 14->17         started        process7 signatures8 33 Modifies the context of a thread in another process (thread injection) 17->33 35 Maps a DLL or memory area into another process 17->35 37 Sample uses process hollowing technique 17->37 39 Queues an APC in another process (thread injection) 17->39 20 explorer.exe 17->20 injected process9 process10 22 wlanext.exe 20->22         started        signatures11 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        27 explorer.exe 2 151 22->27         started        process12 process13 29 conhost.exe 25->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1d9709a43a56ed769aee507cd4b9116ca3d72d93a86d612c0984f6ab375c1717/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-03-28 01:32:08 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dwlqtjb2k3wxngxokb6njoirnsr5olmtvbwwclajqt3kwn24c4lq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2573cb8f9979fab9ae06951ba1e3c96d7c49f2672369dd6ecf77fde42a0d45eb
Formbook
452d42cbe3b01ab9afd5799a25d153b0f427a383b97c28d4bf4e1830c501ab8c
Formbook
5297d79e8c5477e872646905da36e71b4a40f9d801f34b6e4521932981f1e9c7
Formbook
5f9025473092996ecde530a0e8858fe256baec511bd44c61d8bba0fa3bd22f85
Formbook
8c7c6966c40ca10cdb43c9520c24ae932e63429fbc858b2c05f94f1bedbe0efa
Formbook
aa24408c59f3871294cf379b2b0bc57932ae884229102d005759b1cabb3dbbd9
Formbook
+ 14'398 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:an52 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220328-bxyf3abggn/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
0fdd4283e22c1c83811ac3b7d35a76259663c58303bdeb94c02b8ad85cd100d2
MD5 hash:
546018d5b5f03853ec8f71b64d4a240a
SHA1 hash:
606f3a0cd50f201e573f86e6f81db306826679bb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d7c889d8-32d8-4cbd-ab42-f746fed9aee7/
Parent samples :
5297d79e8c5477e872646905da36e71b4a40f9d801f34b6e4521932981f1e9c7
1d9709a43a56ed769aee507cd4b9116ca3d72d93a86d612c0984f6ab375c1717
1390664c93e9f404d761155beeef7ef756857d108a100b72d1ab14766a1a1e1b
402b63c8c33dd311c5b62edba93c1ffc5964c15faa5ad2de35bbe40d26e3bd0a
SH256 hash:
04c4114cbf386e863c719ba69a272209f99732dbc12156d537ab470f3c3a6ed3
MD5 hash:
4c0e87a379092e85ba7177d4f40c9459
SHA1 hash:
bd9b5de72578ddb9db24f56cc0ecc2cac1c40c5d
Link:
https://www.unpac.me/results/d7c889d8-32d8-4cbd-ab42-f746fed9aee7/
SH256 hash:
1d9709a43a56ed769aee507cd4b9116ca3d72d93a86d612c0984f6ab375c1717
MD5 hash:
aa5bec3fc7d67dff5a8f52483dc8b57c
SHA1 hash:
caaea4dba262c6f133184d2ff63e3952df338aa1
Link:
https://www.unpac.me/results/d7c889d8-32d8-4cbd-ab42-f746fed9aee7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/1d9709a43a56ed769aee507cd4b9116ca3d72d93a86d612c0984f6ab375c1717

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 1d9709a43a56ed769aee507cd4b9116ca3d72d93a86d612c0984f6ab375c1717

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/258290/

Comments