MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cc0ceea32e11e6a3e25097f9628105a81d641a7333e1e15678fac797f4e7abe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cc0ceea32e11e6a3e25097f9628105a81d641a7333e1e15678fac797f4e7abe
SHA3-384 hash: 6b5aa36aaef84dd9eb99e78cd73fb0bceace2b92988ee63bec4335ebbc02d38e447cf2c624a6d16bccc23d568b59e68e
SHA1 hash: 0c21f8d743d2b6a0dba29088380924a710aff950
MD5 hash: c3d0b6821a282cf6abf1ce85685c2d70
humanhash: kansas-network-quiet-six
File name:TransferReceipt.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:414'052 bytes
First seen:2020-10-19 07:29:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:pPCganNpy2x0G8wUEDVn59o3jtAtfdQQYCxQu6rvKXYaufsPXI1zN801wI6FZMY:nanDy+0GN5CQzGBmYauUP45+FMY
Threatray 4'021 similar samples on MalwareBazaar
TLSH CC9423822304C8D7D7664B315A798D7987F83A2E13093AE797D06E5FBC23A5B491E073
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: finalla_2
Sending IP: 104.225.140.16
From: Henry <henry.lee@seanman.com>
Subject: Incorrect Bank Details.
Attachment: TransferReceipt.zip (contains "TransferReceipt.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72797/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494830
Signature
Contain functionality to detect virtual machines
Hijacks the control flow in another process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299866 Sample: TransferReceipt.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 5 other signatures 2->52 11 TransferReceipt.exe 2 44 2->11         started        process3 file4 32 C:\Users\user\AppData\Local\...\CoachPig.dll, PE32 11->32 dropped 34 C:\Users\user\AppData\...\sbsmscorsec.dll, PE32 11->34 dropped 36 C:\Users\user\AppData\...\CMAccept.exe, PE32 11->36 dropped 38 8 other files (none is malicious) 11->38 dropped 70 Contain functionality to detect virtual machines 11->70 15 rundll32.exe 11->15         started        signatures5 process6 signatures7 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->72 74 Hijacks the control flow in another process 15->74 76 Maps a DLL or memory area into another process 15->76 18 cmd.exe 15->18         started        process8 signatures9 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->54 56 Modifies the context of a thread in another process (thread injection) 18->56 58 Maps a DLL or memory area into another process 18->58 60 3 other signatures 18->60 21 explorer.exe 18->21 injected process10 dnsIp11 40 getlawnbutler.com 34.102.136.180, 49744, 49745, 49746 GOOGLEUS United States 21->40 42 www.getlawnbutler.com 21->42 44 4 other IPs or domains 21->44 62 System process connects to network (likely due to code injection or exploit) 21->62 25 ipconfig.exe 21->25         started        signatures12 process13 signatures14 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66 68 Tries to detect virtualization through RDTSC time measurements 25->68 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cc0ceea32e11e6a3e25097f9628105a81d641a7333e1e15678fac797f4e7abe/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 01:55:00 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftam52rs4epguprfbf7zmkaqlka5mqnhgm7b4flhr6whs72opk7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3a10c525b2f0a94e7e9facfa4685490e9a46d0d6a62be53f570fa845cd680c56
Formbook
414578aa9e1ab74c43ae636f64758a5a2dd59ab81619aa054de1fb6c9140f2e6
Formbook
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
Formbook
60952b7b0b3edeb47b07f1d2a0fb87856b165550e47c605c4ef4fb1da699a332
Formbook
72ec3dcd3d7a197c45c66605330968f86044d6a2ec37bf843e33b7f4668781f9
Formbook
89bf15eae14f60d6acc308cead31f09459947626b9839bbbddbf76f00821fe3b
Formbook
a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
Formbook
cfd29866a9e618985b15c779e0ac0ad8e09a9e997774c0d2fe18f00f8110a24a
Formbook
ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224
Formbook
f69e7749b6798b4c4f258eebbedc77992536cc24bef9d1bf3d68315ad16abcf0
Formbook
+ 4'011 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201019-454l6k2yze/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.escapegoatclothing.com/c235/
Unpacked files
SH256 hash:
2cc0ceea32e11e6a3e25097f9628105a81d641a7333e1e15678fac797f4e7abe
MD5 hash:
c3d0b6821a282cf6abf1ce85685c2d70
SHA1 hash:
0c21f8d743d2b6a0dba29088380924a710aff950
Link:
https://www.unpac.me/results/74b5e2b4-4731-4e66-9dbc-6d34f0eabd5c/
SH256 hash:
13355f2ec540b3f4532a19602522b29a3f338273a2a0a77db769c75f27139834
MD5 hash:
f610ebdb48b98511cc50b5b5e047354d
SHA1 hash:
4e496278de95745a52188bd5845d03879ef74c8a
Link:
https://www.unpac.me/results/74b5e2b4-4731-4e66-9dbc-6d34f0eabd5c/
SH256 hash:
c1e03d5a0f48df4849d7b41ba0bf4c6334f13dbff53de505f5e874d64810c69e
MD5 hash:
f76934bd7b4bcaee7256bbc31f95749c
SHA1 hash:
86139570ae40cec90333e4bbd6616be65b67547f
Link:
https://www.unpac.me/results/74b5e2b4-4731-4e66-9dbc-6d34f0eabd5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cc0ceea32e11e6a3e25097f9628105a81d641a7333e1e15678fac797f4e7abe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip ec9c5d5bf64477a4af561e89c4669f10c34e5bc2a0383d1bf0a57279f7b6a528

Formbook

Executable exe 2cc0ceea32e11e6a3e25097f9628105a81d641a7333e1e15678fac797f4e7abe

(this sample)

  
Dropped by
MD5 944c748a65c60719622df8f194b9805c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ec9c5d5bf64477a4af561e89c4669f10c34e5bc2a0383d1bf0a57279f7b6a528
Cape
Cape
https://www.capesandbox.com/analysis/72797/

Comments