MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31e003a71876d261fd597e44ec871a6d4de654059a6dca3bd669c6dfa36a6767. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31e003a71876d261fd597e44ec871a6d4de654059a6dca3bd669c6dfa36a6767
SHA3-384 hash: bca09a77e7d34818e1ce4cf4e7a6d803ec839dc4073e14da5104d1cb9381fd6eedc2ce1b9fd3a4aa1a6b5f75a0e1e63f
SHA1 hash: cbbb3dd1a4986eff26601f2f6cd98742e135c4a7
MD5 hash: a3cc45f3e236e6466b74b18f654724c2
humanhash: oscar-mango-yankee-kansas
File name:a3cc45f3e236e6466b74b18f654724c2
Download: download sample
Signature Formbook
Create hunting rule
File size:281'088 bytes
First seen:2021-06-24 00:41:55 UTC
Last seen:2021-06-24 03:44:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:py5Bv4VO0xmdsyz76RdDjc1tSkJYaWm0qCshiamcnr7Az9q:g5l4I0UNz7qDjc1JWv8icr7Az9q
TLSH 8A545BDC766076DFC857C872DAA82C64EA60787B531B9203A01316EDEE0D997CF190F2
Reporter zbetcheckin
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.13212.21201.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eeeb2b33-65d1-4108-bd7a-293f5427d342
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807000
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 439409 Sample: niKtG1TG4o Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 27 www.oliviablanca.com 2->27 29 oliviablanca.com 2->29 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 9 niKtG1TG4o.exe 3 2->9         started        13 explorer.exe 2->13         started        signatures3 process4 dnsIp5 25 C:\Users\user\AppData\...\niKtG1TG4o.exe.log, ASCII 9->25 dropped 55 Detected unpacking (changes PE section rights) 9->55 57 Injects code into the Windows Explorer (explorer.exe) 9->57 59 Writes to foreign memory regions 9->59 65 2 other signatures 9->65 16 explorer.exe 9->16         started        31 www.rgshh.com 45.199.89.208, 49730, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 13->31 33 usedcarsforsalecincinnati.com 128.136.151.30, 80 ASN-VINSUS United States 13->33 35 3 other IPs or domains 13->35 61 System process connects to network (likely due to code injection or exploit) 13->61 63 Uses ipconfig to lookup or modify the Windows network settings 13->63 19 ipconfig.exe 13->19         started        file6 signatures7 process8 signatures9 37 Modifies the context of a thread in another process (thread injection) 16->37 39 Maps a DLL or memory area into another process 16->39 41 Sample uses process hollowing technique 16->41 43 Queues an APC in another process (thread injection) 16->43 45 Tries to detect virtualization through RDTSC time measurements 19->45 21 cmd.exe 1 19->21         started        process10 process11 23 conhost.exe 21->23         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/31e003a71876d261fd597e44ec871a6d4de654059a6dca3bd669c6dfa36a6767/
Threat name:
ByteCode-MSIL.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 11:12:11 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210624-26m384rwna/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Core1 .NET packer
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.viciousbyjoey.com/rtht/
Unpacked files
SH256 hash:
31e003a71876d261fd597e44ec871a6d4de654059a6dca3bd669c6dfa36a6767
MD5 hash:
a3cc45f3e236e6466b74b18f654724c2
SHA1 hash:
cbbb3dd1a4986eff26601f2f6cd98742e135c4a7
Link:
https://www.unpac.me/results/9d00c519-d22f-4557-a02c-6a3241d226d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31e003a71876d261fd597e44ec871a6d4de654059a6dca3bd669c6dfa36a6767

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 31e003a71876d261fd597e44ec871a6d4de654059a6dca3bd669c6dfa36a6767

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393072/

Comments