MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c0a9932691bf32df8984001737918766563dfaee3784470307dcd103ac702f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c0a9932691bf32df8984001737918766563dfaee3784470307dcd103ac702f8
SHA3-384 hash: 40e1cbad321063452180406ccbc154340c909ad03446e2bcc854a43a790db19762429247eea2aab57f85823daa54e894
SHA1 hash: 632e5ce55d2482e2fe9735c771cd5902165e6120
MD5 hash: ed18fff39b26307348c7b706bd88cb13
humanhash: carolina-finch-table-nebraska
File name:ORDER0429.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:517'120 bytes
First seen:2021-06-03 05:47:59 UTC
Last seen:2021-06-03 06:54:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6349db18596ebf564d02723a6dfdc378 (4 x Formbook)
ssdeep 12288:lbXMSaoxxGRsUWMlagE7Y/Tt3GHsppuoz:iS1x07WMJE4tWHs7
Threatray 1'796 similar samples on MalwareBazaar
TLSH A2B402123513CCB5FA360E72DC94CE72961EBC719274C86B72C49ED989B28C8BC255BD
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER0429.exe
Verdict:
Malicious activity
Analysis date:
2021-06-03 05:49:35 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b1a1e293-820e-45fd-a148-be4653546721

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164263/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796429
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2c0a9932691bf32df8984001737918766563dfaee3784470307dcd103ac702f8/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 05:48:10 UTC
AV detection:
23 of 47 (48.94%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqfjsmtjdpzs36eyiaaxg6iyozswhx5o4n4ei4bqpxgraowhal4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
27779a2144bbdf6e45d625b507098a3655a43c47a372297e5803ec23505c53a4
Formbook
3633d227baf99bc509e48702b3c68e43a02e0701ba23bfbcd77e9d2f08d1dd2f
Formbook
4f37ee18d84c7246b9a20900906797c3ec3fbc684f61a23c750b9ec444638a63
Formbook
6aca638f8c9405c4c02bb3f2b5f5e5bc9d5596f8c68a57fb99347031415b584b
Formbook
9c9dfbf8c44bbe594498ebf93efd84fcf73d66d9c6d5b86e9979afe5e9e9330c
Formbook
c1bc3faf41973dd786aaf9e0ebd132f6c9d1e5a15931325fc3288cecfe81e3c9
Formbook
c3eabd57f3b36a3ae575509b4453872ad7f3313688d7d00432f967067486fbeb
Formbook
cccbd0b2d46adeb6d99413af4d5a4492cd530922a09724f04c8fb1e0c47d8326
Formbook
d0a9b26d679362f6fc67a091c445ac8344a70d16eb3219ace55cca8f4132ee43
Formbook
d7a09c129dfa6df78f94a517a08da22db5510621dca52f9f1a03ed436a08064c
Formbook
+ 1'786 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210603-ff5gyqh32j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.haulatob.com/frf/
Unpacked files
SH256 hash:
edca5c63d8a4720b12b522a783e81a105df5629098c585b65ad6a04e9ca0a765
MD5 hash:
7011b7588983c26a58e12fd2392b9104
SHA1 hash:
77649c94ea5c854bd158ee297c15c6ff2128e9bc
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/ad8908be-11ac-47e7-a11e-2c1576203795/
SH256 hash:
2c0a9932691bf32df8984001737918766563dfaee3784470307dcd103ac702f8
MD5 hash:
ed18fff39b26307348c7b706bd88cb13
SHA1 hash:
632e5ce55d2482e2fe9735c771cd5902165e6120
Link:
https://www.unpac.me/results/ad8908be-11ac-47e7-a11e-2c1576203795/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c0a9932691bf32df8984001737918766563dfaee3784470307dcd103ac702f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 2c0a9932691bf32df8984001737918766563dfaee3784470307dcd103ac702f8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164263/

Comments