MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41b14f39335372e62c5291a0934b0102d14e050a24d5f2f15c8a8e9e96a9e732. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41b14f39335372e62c5291a0934b0102d14e050a24d5f2f15c8a8e9e96a9e732
SHA3-384 hash: 80cecf6d4020e3f9f9fb25c8a2fb5fbafab2084531413dd700b2deca98452cdd6948bf4e97c5aad670a2f4ff435d338a
SHA1 hash: bc61c049f98a9a08e152cec8b209fc173769a9f9
MD5 hash: e411596e3e09f668247d72c0bd96bb18
humanhash: king-mountain-illinois-connecticut
File name:ctm$18,500.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:537'600 bytes
First seen:2022-07-26 08:33:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:SCfP2iN/2iNh73F/xsu+tNizUycljZcdF5K2wGjImdFD1kPRxliW1:tfP1J1L71KcUjnc5Dwwd31kPRrh
TLSH T1B2B4129C12F84B0CEAFB43F52CEC92152BB5700995D0D52BBDE122DEED647B48661B23
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/294207/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Win.Dropper.Formbook-9954487-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62dfa708e1151aa3633e64b2/reports/097662f8-76b1-4a26-8ca9-6d6246c32825/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27b2cbbe-ce19-4859-8455-811a96097ba6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040898
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 673392 Sample: ctm$18,500.exe Startdate: 26/07/2022 Architecture: WINDOWS Score: 100 42 www.szketong.com 2->42 44 www.hannahtraveling.com 2->44 46 hannahtraveling.com 2->46 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 13 other signatures 2->62 11 ctm$18,500.exe 3 2->11         started        signatures3 process4 file5 40 C:\Users\user\AppData\...\ctm$18,500.exe.log, ASCII 11->40 dropped 80 Tries to detect virtualization through RDTSC time measurements 11->80 82 Injects a PE file into a foreign processes 11->82 15 ctm$18,500.exe 11->15         started        signatures6 process7 signatures8 84 Modifies the context of a thread in another process (thread injection) 15->84 86 Maps a DLL or memory area into another process 15->86 88 Sample uses process hollowing technique 15->88 90 Queues an APC in another process (thread injection) 15->90 18 explorer.exe 6 15->18 injected process9 dnsIp10 48 mytt-gmbh.com 81.169.145.163, 49859, 80 STRATOSTRATOAGDE Germany 18->48 50 www.olgache.xyz 185.137.235.193, 49941, 80 SELECTELRU Russian Federation 18->50 52 24 other IPs or domains 18->52 36 C:\Users\user\AppData\...\configepxtht4x.exe, PE32 18->36 dropped 38 C:\Program Files (x86)\...\configepxtht4x.exe, PE32 18->38 dropped 64 System process connects to network (likely due to code injection or exploit) 18->64 66 Benign windows process drops PE files 18->66 68 Performs DNS queries to domains with low reputation 18->68 23 cmmon32.exe 1 12 18->23         started        file11 signatures12 process13 dnsIp14 54 www.gp-privacy.net 23->54 70 Creates an undocumented autostart registry key 23->70 72 Tries to steal Mail credentials (via file / registry access) 23->72 74 Tries to harvest and steal browser information (history, passwords, etc) 23->74 76 3 other signatures 23->76 27 cmd.exe 2 23->27         started        30 cmd.exe 1 23->30         started        signatures15 process16 signatures17 78 Tries to harvest and steal browser information (history, passwords, etc) 27->78 32 conhost.exe 27->32         started        34 conhost.exe 30->34         started        process18
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/41b14f39335372e62c5291a0934b0102d14e050a24d5f2f15c8a8e9e96a9e732/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 04:44:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igyu6ojtknzomlcssgqjgsybaliu4biketk7f4k4rkhj5fvj44za._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:d89x loader persistence rat spyware stealer
Link:
https://tria.ge/reports/220726-kge48affgp/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Xloader payload
Xloader
Unpacked files
SH256 hash:
cc9fac4de0050a3e54160d3dfab9c8636e1b00fb734a536bbe29eda206ac61ca
MD5 hash:
2b1ca85a3532d5eb7ece17f5796b9027
SHA1 hash:
007449addcd6525ec175a5fd1870dbbe7934cf9e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
XLoader
Create hunting rule
Link:
https://www.unpac.me/results/a1ca074c-af36-4634-93d7-aa6c075e5faa/
Parent samples :
b01ea964fe231d0b56d71ca6b447a1d51a31530e307227ff44fa8552f86bf3d5
bbded5ef1924c5f0d3822b32dddb71ab05aa847f1210c0d263c8692ef4538fe9
c29b9d1075e86788bab4a9e75334f36de07c1feb22500759db93d9379c875171
41b14f39335372e62c5291a0934b0102d14e050a24d5f2f15c8a8e9e96a9e732
SH256 hash:
26f2f46666a22bd85b1e3078a976afe28fc50cd28bc44b8b6f707cd09ff21899
MD5 hash:
57d67b3c88a9592fd10cc4aa2265e64c
SHA1 hash:
a2e64b018589b4bb77b9882ba8286e5c319f0ee0
Link:
https://www.unpac.me/results/a1ca074c-af36-4634-93d7-aa6c075e5faa/
SH256 hash:
b3c9b7ae5d8ced3ce3161579bd7ea6877c16e071885429690535fa2e36d358ad
MD5 hash:
c6229071ffc320f89cc2d3dee061c7e2
SHA1 hash:
8db44cb1b8d690f3a7954db6dc78ca88f1012b8c
Link:
https://www.unpac.me/results/a1ca074c-af36-4634-93d7-aa6c075e5faa/
SH256 hash:
908f9df415a519ef2de727d0a57a22d4be4bf7b9bdd71083354fd072fa92714f
MD5 hash:
b8b860b9c78137e9f13e01dbd2d82080
SHA1 hash:
390ca332e925e57f1a2bee8b11b6a5763fca3a45
Link:
https://www.unpac.me/results/a1ca074c-af36-4634-93d7-aa6c075e5faa/
SH256 hash:
c0bd4227be3c402acaa9c352562426daa268ad46abc1bc6de8c8ba826f565b7c
MD5 hash:
656b39c404d925bb00c4bebf530bb8e5
SHA1 hash:
1c2f33a90def22a05e8ef228533fa31e1abdfaee
Link:
https://www.unpac.me/results/a1ca074c-af36-4634-93d7-aa6c075e5faa/
SH256 hash:
41b14f39335372e62c5291a0934b0102d14e050a24d5f2f15c8a8e9e96a9e732
MD5 hash:
e411596e3e09f668247d72c0bd96bb18
SHA1 hash:
bc61c049f98a9a08e152cec8b209fc173769a9f9
Link:
https://www.unpac.me/results/a1ca074c-af36-4634-93d7-aa6c075e5faa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/41b14f39335372e62c5291a0934b0102d14e050a24d5f2f15c8a8e9e96a9e732

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/294207/

Comments