MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4105711ebff133af5304052a1f66966be4115636d707ff6b20e784af2bddda23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4105711ebff133af5304052a1f66966be4115636d707ff6b20e784af2bddda23
SHA3-384 hash: d0d7985e950bdcd1a1855aeceb5b7fb91cf5a114bf2bae65924a9b76b69a71bb353ba6c7e7af83f2be5ad2cffee24ed0
SHA1 hash: 0cfd9f0d8355ac4785a1109c57213df620a1882f
MD5 hash: 77c021343fcf46caa2347820d775ee92
humanhash: wolfram-yankee-speaker-twenty
File name:Bank Transfer document.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:884'224 bytes
First seen:2021-09-02 08:20:45 UTC
Last seen:2021-09-02 11:24:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1407e2d87d7efca6bd106fef3862efae (3 x NetWire, 2 x Formbook, 2 x RemcosRAT)
ssdeep 12288:K1+UzwWLYx9/EISfjI3916W3WOsA0QLEkpwaGKqa/yf1pKQcj2VncY:+BfYx9tGjI39DmOs5KTGKqXf7cSc
Threatray 8'659 similar samples on MalwareBazaar
TLSH T1CC15AF3B96911133D1B721755C3EAB2C5C28AD212D64589ABFF9FD4C8E3B3987029B13
dhash icon 0f4cceadcc16694d (8 x RemcosRAT, 5 x NetWire, 5 x DBatLoader)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank Transfer document.exe
Verdict:
Malicious activity
Analysis date:
2021-09-02 08:23:25 UTC
Tags:
trojan formbook stealer opendir
Link:
https://app.any.run/tasks/156bbd5c-9024-448b-84f8-c34c8cb0d693

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184708/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c727b305-818f-4567-ba86-b2acbf440706
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843879
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 476310 Sample: Bank Transfer document.exe Startdate: 02/09/2021 Architecture: WINDOWS Score: 100 33 www.xusmods.com 2->33 35 clientconfig.passport.net 2->35 37 www.africanmusiccharts.com 2->37 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 6 other signatures 2->67 10 Bank Transfer document.exe 1 17 2->10         started        signatures3 process4 dnsIp5 47 www.kotadiainc.com 10->47 49 kotadiainc.com 103.50.162.146, 443, 49720, 49721 PUBLIC-DOMAIN-REGISTRYUS India 10->49 31 C:\Users\Public\Libraries\...\Qdysoqy.exe, PE32 10->31 dropped 79 Modifies the context of a thread in another process (thread injection) 10->79 81 Maps a DLL or memory area into another process 10->81 83 Sample uses process hollowing technique 10->83 85 Queues an APC in another process (thread injection) 10->85 15 explorer.exe 2 10->15 injected file6 signatures7 process8 dnsIp9 51 www.subusastry.com 199.34.228.79, 49748, 80 WEEBLYUS United States 15->51 53 www.xn--pckxbp6bzgv915dgbf.website 72.52.178.23, 49746, 80 LIQUIDWEBUS United States 15->53 55 3 other IPs or domains 15->55 57 System process connects to network (likely due to code injection or exploit) 15->57 59 Uses netstat to query active network connections and open ports 15->59 19 NETSTAT.EXE 15->19         started        22 Qdysoqy.exe 13 15->22         started        25 Qdysoqy.exe 13 15->25         started        signatures10 process11 dnsIp12 69 Self deletion via cmd delete 19->69 71 Modifies the context of a thread in another process (thread injection) 19->71 73 Maps a DLL or memory area into another process 19->73 27 cmd.exe 1 19->27         started        39 www.kotadiainc.com 22->39 41 kotadiainc.com 22->41 75 Multi AV Scanner detection for dropped file 22->75 77 Tries to detect virtualization through RDTSC time measurements 22->77 43 www.kotadiainc.com 25->43 45 kotadiainc.com 25->45 signatures13 process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4105711ebff133af5304052a1f66966be4115636d707ff6b20e784af2bddda23/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 07:27:45 UTC
AV detection:
10 of 43 (23.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iecxchv76ez26uyeauvb6zuwnpsbcvrw24d762za46ck6k653irq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ab54e46be8e8a1b7e66be9bed5492e2cb5c4112e548442e209954affc2dc374
Formbook
43368f8d0f777c8f0a9fb5dc2ec89f131275873935098ff8a12be41cd2161ecf
Formbook
8b4049ea3937e355ad9a551795afcb621fb56991ffc6f1db746861acfd7d6a46
Formbook
9b2ccbdf764922ff44a99056461539087a21d4ace577956e8659ca65eb5015d1
Formbook
b09fdc39338aacafb7eb0163757d2b9863f78e5467af017ff4ad2f09e0e266a2
Formbook
b0a0d1d399e98e48cae6a87c280339bc1b0d1c22f84ae589e0c3dca78e76d108
Formbook
c51d0fcb5c1fe7fdd146d5216ad3108fe0ad9baba0fda491a9b7a4f4a33b8801
Formbook
c71e73a5006f03bf63ad6099f034a3d19a130a6893979c43318eca2cb6bfd224
Formbook
d6fa87fb59dbf4de1d1d0af1062a41e6a9620b682ecdfc0eb91856e28b9ea1de
Formbook
+ 8'649 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b6cu loader persistence rat
Link:
https://tria.ge/reports/210902-q14jdap6jj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.xn--marketingrevolucin-61b.com/b6cu/
Unpacked files
SH256 hash:
4e1202f3e7e04b0b3ca1df164bf5381f24063c142317e774d4e5d88b2b3ac744
MD5 hash:
aa23dee2c34813d67fe9c67ec784782a
SHA1 hash:
10b2e7af7cb9d6f852e6d607875a8c9613538930
Link:
https://www.unpac.me/results/ccc1bf23-0bd3-48b2-83c0-12a733a5ad0a/
SH256 hash:
4105711ebff133af5304052a1f66966be4115636d707ff6b20e784af2bddda23
MD5 hash:
77c021343fcf46caa2347820d775ee92
SHA1 hash:
0cfd9f0d8355ac4785a1109c57213df620a1882f
Link:
https://www.unpac.me/results/ccc1bf23-0bd3-48b2-83c0-12a733a5ad0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/4105711ebff133af5304052a1f66966be4115636d707ff6b20e784af2bddda23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4105711ebff133af5304052a1f66966be4115636d707ff6b20e784af2bddda23

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184708/

Comments