MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f
SHA3-384 hash: cdcd444b23fd260bf48d1ebbbdfc4e095113ba60223592b355b40665ab7beafcfe513c87986071794a4732ed743307e1
SHA1 hash: c6fede48ee4b3839b12a46b1c1e72e602cc7748b
MD5 hash: 079787bc91a1990b5e57903253c822f4
humanhash: finch-oklahoma-skylark-thirteen
File name:Racun je u prilogu.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:727'552 bytes
First seen:2021-11-24 20:26:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb3e9d8cf19100c077e1fdd127bcd369 (3 x Formbook, 1 x BitRAT)
ssdeep 12288:g6Hvy5le1KrvnEWkPpgiVymUqmCRb3seJ1B8ZDfwUCm0gRS+:g6PWleMvnEW0pgiJUUx3zJ1BM7cH
Threatray 9'719 similar samples on MalwareBazaar
TLSH T11FF46B62E9C50873C0365A39DD4BEFFC86713E292D7EA80A9ED06E0C4F751916A235D3
File icon (PE):PE icon
dhash icon 342c6c9c97cc6493 (3 x Formbook, 1 x BitRAT)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Racun je u prilogu.exe
Verdict:
Malicious activity
Analysis date:
2021-11-24 20:42:06 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/648937a1-70b9-44fa-97fd-332ff8b72d41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching the process to change network settings
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit formbook keylogger packed wacatac
Link:
https://www.filescan.io/uploads/619ea018b71ceed4152ef7d7/reports/a835cea5-f5c1-4c89-9829-887b5646d183/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c95662b-7d43-4253-a846-35cbdbff5e0d
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895752
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528230 Sample: Racun je u prilogu.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Multi AV Scanner detection for domain / URL 2->69 71 Found malware configuration 2->71 73 9 other signatures 2->73 10 Racun je u prilogu.exe 1 18 2->10         started        process3 dnsIp4 57 cdn.discordapp.com 162.159.129.233, 443, 49740, 49741 CLOUDFLARENETUS United States 10->57 41 C:\Users\Public\Libraries\...\Rahqznzb.exe, PE32 10->41 dropped 43 C:\Users\...\Rahqznzb.exe:Zone.Identifier, ASCII 10->43 dropped 93 Writes to foreign memory regions 10->93 95 Allocates memory in foreign processes 10->95 97 Creates a thread in another existing process (thread injection) 10->97 99 Injects a PE file into a foreign processes 10->99 15 mobsync.exe 10->15         started        file5 signatures6 process7 signatures8 101 Modifies the context of a thread in another process (thread injection) 15->101 103 Maps a DLL or memory area into another process 15->103 105 Sample uses process hollowing technique 15->105 107 2 other signatures 15->107 18 explorer.exe 2 15->18 injected process9 dnsIp10 45 influenzerr.com 34.98.99.30, 49812, 80 GOOGLEUS United States 18->45 47 endpoint.mykajabi.com 104.18.28.12, 49810, 80 CLOUDFLARENETUS United States 18->47 49 8 other IPs or domains 18->49 75 System process connects to network (likely due to code injection or exploit) 18->75 22 Rahqznzb.exe 13 18->22         started        26 Rahqznzb.exe 13 18->26         started        28 systray.exe 18->28         started        30 2 other processes 18->30 signatures11 process12 dnsIp13 51 162.159.134.233, 443, 49742, 49745 CLOUDFLARENETUS United States 22->51 53 cdn.discordapp.com 22->53 77 Multi AV Scanner detection for dropped file 22->77 79 Writes to foreign memory regions 22->79 81 Allocates memory in foreign processes 22->81 32 logagent.exe 22->32         started        55 cdn.discordapp.com 26->55 83 Creates a thread in another existing process (thread injection) 26->83 85 Injects a PE file into a foreign processes 26->85 35 logagent.exe 26->35         started        87 Modifies the context of a thread in another process (thread injection) 28->87 89 Maps a DLL or memory area into another process 28->89 91 Tries to detect virtualization through RDTSC time measurements 28->91 37 cmd.exe 1 28->37         started        signatures14 process15 signatures16 59 Modifies the context of a thread in another process (thread injection) 32->59 61 Maps a DLL or memory area into another process 32->61 63 Sample uses process hollowing technique 32->63 65 Tries to detect virtualization through RDTSC time measurements 32->65 39 conhost.exe 37->39         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 12:49:33 UTC
File Type:
PE (Exe)
Extracted files:
41
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifdju5e5uupivj7b5ikzaqn7ot3rfxkpepyhmgepkr7obqhxsm7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6402f4385282298774063f11374e0162643b5d2eaa42b5a5878755b7f97e9e24
Formbook
839d28f4d38455750ddf9ddffdd57d0cc6ee009714f407a8698e65e96eb9fa71
Formbook
8bc32885f532e286073afa7781733d97338f3bab7b22f55680b38fe1926d103b
Formbook
a192572433f8f1a41f0035e040f0f455608b6eb9695cbb87c9734f3a4bf7d4cc
Formbook
b6788527f99a436b0e8925eb14c8800ced61fd406edd4182aa00072b3f74f39e
Formbook
c6dae6493723d83bbbad1d1c66384aea85bc0664ca2bb6f796a6ce02b7a85a33
Formbook
d87618f7840361408c1bd318a1977714dedc8b346684986842e0f32cdc94f758
Formbook
d90b2ee420fc51d84a0c3c3fe2ae4e13b6313cd030be264440538a396dfe7956
Formbook
+ 9'709 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:3nop persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/211124-y8e57agha5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.jakesplacebarbers.com/3nop/
Unpacked files
SH256 hash:
c0d655ca0862ee8f069564e3e7fcb17d930e0c877a31e749f4ad1b73a38e855a
MD5 hash:
7f01373693adbbd15ca15fff811a2c1a
SHA1 hash:
bf4ef40f0feaf42aeac4767ff93bfe83e1f0c89d
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/1c7598aa-67f5-45e3-990c-b50ac2141b6a/
Parent samples :
bfbe11d6ffb3c82c59ac2cf85176583ff2ea5449d926584a59181286611f48f3
22e4c6c1d3eb1e8a93d2b36b152ef39cff53bc933ff80153057788fadf6615db
839d28f4d38455750ddf9ddffdd57d0cc6ee009714f407a8698e65e96eb9fa71
9bfd468b402317eb1dc711af78f4340d855cbf234a4736188283a6fa6f8d3cb2
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f
413e8df7f149aa643aaa1ef70e953ab2112827b652f1cf05b6420ed6a119962d
34443c2f4cf165f96c3eaffb93f2a7b3628ebed8ed119b3ef2ad3e5dc450e0a0
fe367e5f3b5894117d3b699784bc5da3cb4083608c94879895b279b2bc2f32a4
SH256 hash:
41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f
MD5 hash:
079787bc91a1990b5e57903253c822f4
SHA1 hash:
c6fede48ee4b3839b12a46b1c1e72e602cc7748b
Link:
https://www.unpac.me/results/1c7598aa-67f5-45e3-990c-b50ac2141b6a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/41469a749da5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 41469a749da51e8aa7e1ea159041bf74f712dd4f23f076188f547ee0c0f7933f

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/209188/

Comments