MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e6e22400682ee9a9ec02f1742f84efd44978cb6c2d4ef685d04f650f180cfb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	1e6e22400682ee9a9ec02f1742f84efd44978cb6c2d4ef685d04f650f180cfb4
SHA3-384 hash:	468b4ffb1b8cf42a15092ec643e10c6d6bb1b080b0be6c3f6a091048c78e6eb7c539f899a171f715f13224b682db2609
SHA1 hash:	b2dbea5c5ac64f8d317d2a982df4965e8018d148
MD5 hash:	6d7441568080cf1380f3fda5e53308a0
humanhash:	twelve-kansas-leopard-william
File name:	SecuriteInfo.com.Trojan.Loader.839.23961.27176
Download:	download sample
Signature	Formbook Create hunting rule
File size:	247'014 bytes
First seen:	2021-06-18 06:47:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:3BlL/3VDGZyKIX6SEL2tk2pzddpApRU1appyBX7pfX:xNVDGg6qj2/ppyRB
Threatray	5'875 similar samples on MalwareBazaar
TLSH	F234121751F3DCDFC54362B11BB9A763C360FE20002E199F3B954FB9B9A20EA591A14B
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Loader.839.23961.27176

Verdict:

Malicious activity

Analysis date:

2021-06-18 06:54:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fcc54ee9-f74d-44a0-a379-09292a345513

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/166750/

Detection(s):

SecuriteInfo.com.Trojan.Loader.839.23961.27176.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/74c6c108-265a-4a50-bae2-4bfada7e50f1

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/804162

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1e6e22400682ee9a9ec02f1742f84efd44978cb6c2d4ef685d04f650f180cfb4/

Threat name:

Win32.Spyware.Noon

Status:

Malicious

First seen:

2021-06-18 05:49:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 46 (23.91%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dzxceqagqlxjvhwaf4luf6co7vcjpdfwylko62c5at3fb4maz62a._file

Verdict:

malicious

Label(s):

formbook

Formbook

72a002cd9cd49afe6f15c5dc2ad7e3f65471b21fd4331202183b87c7ebab7fe3

Formbook

74038c5bbdbded24e577d6c081d88febe59735546d902323a310e2e9d3f66677

Formbook

85c528083c96b1f895ddd73681a8b78caf639b8dcf91eca47ae4e7e7cd3e3540

Formbook

90d238a1c183586c60ffb6c1fb4786950483080240feca7fbf6d99ab98c64a6b

Formbook

a2e99d0aabd8f0ad83b885eccf313563526a58b2da435bf34dad29294c712efe

Formbook

d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138

Formbook

d4c16c1a6aff7397ae843c9be4450185d6d6ebe8e5fbc544a5b355fb41b2a49d

Formbook

d869fa27fd5d5a229609f218572f1625820cb8176ba6c1616714e40d4e6b7897

Formbook

dd44eb26a328f1e86823339666e1b1237ad7b1d880694c1b8fb8164b931aa512

Formbook

+ 5'865 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210618-r6bzja383a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.countrykirana.com/hvc/

Unpacked files

SH256 hash:

172df166af6703fc9a46905c385c2c77595b63d229692164d0ca7be25058c497

MD5 hash:

5a35b5cb0c2b256e8601d1037471d723

SHA1 hash:

dc985d9d479cec9d9f2ad146013bc235df49546a

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/08ff0f70-bef1-45c3-b3a9-f251e2c54695/

Parent samples :

1e6e22400682ee9a9ec02f1742f84efd44978cb6c2d4ef685d04f650f180cfb4
6dcacc0999d412f1ec9c51ba728eadd0fa56a226e2486d283015845604d68e35

SH256 hash:

bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

MD5 hash:

56a321bd011112ec5d8a32b2f6fd3231

SHA1 hash:

df20e3a35a1636de64df5290ae5e4e7572447f78

Link:

https://www.unpac.me/results/08ff0f70-bef1-45c3-b3a9-f251e2c54695/

SH256 hash:

1e6e22400682ee9a9ec02f1742f84efd44978cb6c2d4ef685d04f650f180cfb4

MD5 hash:

6d7441568080cf1380f3fda5e53308a0

SHA1 hash:

b2dbea5c5ac64f8d317d2a982df4965e8018d148

Link:

https://www.unpac.me/results/08ff0f70-bef1-45c3-b3a9-f251e2c54695/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/1e6e22400682ee9a9ec02f1742f84efd44978cb6c2d4ef685d04f650f180cfb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/166750/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample