MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c062db10b19973d6a2228e56b40cd1139cb4ff38e2d49894bef25ca65e21475. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c062db10b19973d6a2228e56b40cd1139cb4ff38e2d49894bef25ca65e21475
SHA3-384 hash: 3a322c85eb4b9da994e7a4bb2d0d843e4ef914dda771c68a690847b8d890b2e3efccf608383c700e53de71515a5a10b2
SHA1 hash: 62633a2e71973594444e37016666c2b976111ec5
MD5 hash: 1703cf594a36dbdcaa8a06726080c6dd
humanhash: jupiter-king-crazy-pasta
File name:1703cf594a36dbdcaa8a06726080c6dd
Download: download sample
Signature Formbook
Create hunting rule
File size:185'856 bytes
First seen:2020-10-25 08:11:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:ontVyqWr9N22azOu+OsM5T4yYqmrhc1uMJt8rZ3USnsH8C66E:BZu/+OFipqmrhIbve3dnU8f
Threatray 2'691 similar samples on MalwareBazaar
TLSH 1C049E32D642C031E2B251B5B6BD1B7B483D0E34329994EAE3E526E16EF45E5B12930F
Reporter seifreed
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75665/
Detection(s):
Win.Malware.Formbook-7399661-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/509363
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Creates an undocumented autostart registry key
Detected FormBook malware
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 303806 Sample: TOPfZ5jA3D Startdate: 25/10/2020 Architecture: WINDOWS Score: 100 40 www.reubenarcherrocks.com 2->40 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for dropped file 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 8 other signatures 2->70 10 TOPfZ5jA3D.exe 2->10         started        signatures3 process4 signatures5 72 Modifies the context of a thread in another process (thread injection) 10->72 74 Maps a DLL or memory area into another process 10->74 76 Sample uses process hollowing technique 10->76 78 2 other signatures 10->78 13 explorer.exe 6 10->13 injected process6 dnsIp7 42 ghs.googlehosted.com 172.217.168.83, 49736, 80 GOOGLEUS United States 13->42 44 www.tumblrdatinggame.com 13->44 46 2 other IPs or domains 13->46 36 C:\Users\user\AppData\...\_x88rnpp1bnha.exe, PE32 13->36 dropped 38 C:\Program Files (x86)\...\_x88rnpp1bnha.exe, PE32 13->38 dropped 82 System process connects to network (likely due to code injection or exploit) 13->82 84 Benign windows process drops PE files 13->84 18 msiexec.exe 1 18 13->18         started        21 _x88rnpp1bnha.exe 13->21         started        23 raserver.exe 13->23         started        25 autoconv.exe 13->25         started        file8 signatures9 process10 signatures11 48 Detected FormBook malware 18->48 50 Creates an undocumented autostart registry key 18->50 52 Tries to steal Mail credentials (via file access) 18->52 54 Tries to harvest and steal browser information (history, passwords, etc) 18->54 27 cmd.exe 2 18->27         started        30 cmd.exe 1 18->30         started        56 Modifies the context of a thread in another process (thread injection) 21->56 58 Maps a DLL or memory area into another process 21->58 60 Sample uses process hollowing technique 21->60 62 Tries to detect virtualization through RDTSC time measurements 23->62 process12 signatures13 80 Tries to harvest and steal browser information (history, passwords, etc) 27->80 32 conhost.exe 27->32         started        34 conhost.exe 30->34         started        process14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4c062db10b19973d6a2228e56b40cd1139cb4ff38e2d49894bef25ca65e21475/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-25 03:15:07 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqdc3mildglt22rcfdswwqgnce44wt7trywutckl54s4uzpccr2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c2e455f5983d94458f8222bda189794e9095460e0df8764d4bd4787fc217a52
Formbook
28782ca0edd1fa079dfa6f81b89637256857d42a43460117a37d53ccd622bdbd
Formbook
3fda6f5aaefec5286f13f453ce9ca896d82c0065ffb4c9019dc12eb685609117
Formbook
59793c1ac9d8537e06996b0a09f161deb98a77d527b0bc97b18e15972f120a2d
Formbook
70fce2b9eb9360b8733c9b77032bb566399d7ed9c2fb99b0cf2c823e93485bd9
Formbook
7da99d277c87633b2aab117deab3bfdd6f9cef0d82172264f600e7b385892c37
Formbook
8f06b49b371c6b257b716689b767ebf4bbc75391d0cf152b9bbe498ef55d017c
Formbook
a76588c6088ba6b56904fa50df8547ff3b93a67b520769d73e92b04bb8d718d6
Formbook
b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b
Formbook
bfb2fd4412e9cd136a794f61436d597d7d58fb4fd842509dabe7a70344e4fd97
Formbook
+ 2'681 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201025-wn4myg94ka/
Behaviour
Suspicious behavior: EnumeratesProcesses
Malware Config
C2 Extraction:
http://www.fex-tracks.com/xczm/
Unpacked files
SH256 hash:
4c062db10b19973d6a2228e56b40cd1139cb4ff38e2d49894bef25ca65e21475
MD5 hash:
1703cf594a36dbdcaa8a06726080c6dd
SHA1 hash:
62633a2e71973594444e37016666c2b976111ec5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2203a204-1c27-431b-b2b1-5169e879281d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c062db10b19973d6a2228e56b40cd1139cb4ff38e2d49894bef25ca65e21475

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/75665/

Comments