MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44c3dc491f609f0bfe310768c24f6a9e8dc1980284aff9d1aa052f7b0e0f62c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44c3dc491f609f0bfe310768c24f6a9e8dc1980284aff9d1aa052f7b0e0f62c7
SHA3-384 hash: 8126fabcf91bd0a907f2931ba650def0adbe361f201d800f3315c3e4aea4e2f20b34c0a6363582cc08ea772e7a06131a
SHA1 hash: faaea5ec3a5ddb606bc0fcee8a7d5b06f23eb5d6
MD5 hash: 62dc119d183f1e9af0b89d441e749e70
humanhash: wolfram-tango-stream-hotel
File name:Contessa_upit_9022022,xlsx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'507'840 bytes
First seen:2022-02-09 11:54:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:zn1kzmVQIggpufQlNiIE77jAzAbQwbuqK7UOkjb:x2RIgg0oagwK5UOqb
Threatray 13'027 similar samples on MalwareBazaar
TLSH T1C865BE1436E65536E06A06F579ACD785077BAD026A7BDB2D1CB833D93EF33508E80362
File icon (PE):PE icon
dhash icon b464ecf0e0f0f4c4 (3 x AgentTesla, 2 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239485/
Detection(s):
Win.Malware.Apost-7548399-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
DNS request
Creating a file
Сreating synchronization primitives
Launching cmd.exe command interpreter
Reading critical registry keys
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6203ab65845a69d773516e69/reports/78c91b33-fd12-4436-8091-026e3931d42b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2393a812-399e-4973-9e21-b8e33d23c096
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/936810
Behaviour
Behavior Graph:
n/a
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/44c3dc491f609f0bfe310768c24f6a9e8dc1980284aff9d1aa052f7b0e0f62c7/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 10:36:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=itb5ysi7mcpqx7rra5umet3kt2g4dgacqsx7tunkauxxwdqpmldq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6f2d71733b4bcab1a04a40168f2900963a9f65c0081a6f1d1832d18b6bae16bb
Formbook
7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1
Formbook
7b73a6d63c4835022e71c1630ae42dbeaadc566532b1b85757b385246e19fcbe
Formbook
8c16cbf4df8137db774d2cb97cc386b052ca7a0b77ee1572fe7a5fc9a5a22ae0
Formbook
d0ce91945a10abde8e7569759e78430c80fb8fa42589dfaccf565cf6895f8846
Formbook
d5f77ba2b2ad58cfad5ae3111994ad0f889967e6d4f67ecb9cedf1b8f10a6149
Formbook
e04c2819db3610dc0498ae022644d1b2ab06927cc4fadf23b200af70b551d6d2
Formbook
f556af7cd24cc02eba24924d19c42966a1a98b84dfabd78c523c55f492d54acd
Formbook
f61f02c5be2ef5988f474ffc148b099942ab8582cd4aac8b3c991436f6230592
Formbook
+ 13'017 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ch24 evasion rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220209-n2xfsaadcj/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
d9bb4a2e1032a73ac9f7de6b9244ae797578c862b556cf823d2f51d03993749c
MD5 hash:
e529b8a0999d6154778ab52ccbe4abdc
SHA1 hash:
8ef0a610dfe0c6c059ec13e484a04fcf2beb2f40
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9f195667-c724-49ee-b28e-ef53df05b357/
SH256 hash:
a5119578a5a4b9370eabd41312bf4328b30249a4e8b2a51b88a67d96b43ac9d2
MD5 hash:
d6342dd39bf2131c0b56d05b9fcf6b34
SHA1 hash:
3e20ba68d3f4165d8f5128395a7bb7874e6fe138
Link:
https://www.unpac.me/results/9f195667-c724-49ee-b28e-ef53df05b357/
SH256 hash:
1d33fe054ff5bb0fb28af3d90c3a4d26dc2666b536d0e625835632da2576d4dd
MD5 hash:
52fb31a21857919ca1c9df18a6762cff
SHA1 hash:
e636c299964b528d614d86e89aaf56d9c1657f06
Link:
https://www.unpac.me/results/9f195667-c724-49ee-b28e-ef53df05b357/
SH256 hash:
1e3e1621846a9adfb3e13622aae95014e06a2752ccf415b17d8604243ba63228
MD5 hash:
4a1f6e70084dc658295efc868327d76a
SHA1 hash:
97b962b4f47bc6262716b92fbd13e1c34e8e4e21
Link:
https://www.unpac.me/results/9f195667-c724-49ee-b28e-ef53df05b357/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/9f195667-c724-49ee-b28e-ef53df05b357/
SH256 hash:
44c3dc491f609f0bfe310768c24f6a9e8dc1980284aff9d1aa052f7b0e0f62c7
MD5 hash:
62dc119d183f1e9af0b89d441e749e70
SHA1 hash:
faaea5ec3a5ddb606bc0fcee8a7d5b06f23eb5d6
Link:
https://www.unpac.me/results/9f195667-c724-49ee-b28e-ef53df05b357/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/44c3dc491f60/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 44c3dc491f609f0bfe310768c24f6a9e8dc1980284aff9d1aa052f7b0e0f62c7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/239485/

Comments