MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55a6e896de9c8381c82e1712be7428552d679a686477c9957b063e49345c5d1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 55a6e896de9c8381c82e1712be7428552d679a686477c9957b063e49345c5d1e
SHA3-384 hash: 38cd5d64a08dbebca0a1462414bb97022775355d87f8db2e0d62832f0832b429ad7e21c073be2c3263baf5aebe4c6f14
SHA1 hash: 8067ed013d444cdee7053d5238e6e8e5f595de78
MD5 hash: ab7ab2d13f4338fea0c6b550c89ec9ad
humanhash: sodium-glucose-winter-carolina
File name:rtgs_2021-06-07_02-01.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:334'336 bytes
First seen:2021-06-07 12:32:35 UTC
Last seen:2021-06-07 13:53:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 34a88fcee714364cfcbac54c6885bedd (2 x TeamBot, 2 x Formbook, 1 x DanaBot)
ssdeep 6144:jGSXEOD80ZSue8cIy4IjUj9Mqv9x03jLss08Sq:jGSXtrZSuO4IjU5Zvv03jLfS
Threatray 5'676 similar samples on MalwareBazaar
TLSH 9464AF10B7E1C035F5F616F45AB582E9A93E79B27F2890CF52C626EA46386E0DC30717
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rtgs_2021-06-07_02-01.exe
Verdict:
Malicious activity
Analysis date:
2021-06-07 12:36:27 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/9a4c001f-97fa-4e13-9e8e-1aa839b546b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/165009/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46441357.1526.31537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/798079
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 430473 Sample: rtgs_2021-06-07_02-01.exe Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 34 www.cashflowconfessions.com 2->34 36 www.swinnovationexpo.net 2->36 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 4 other signatures 2->48 11 rtgs_2021-06-07_02-01.exe 2->11         started        signatures3 process4 signatures5 56 Contains functionality to inject code into remote processes 11->56 58 Tries to detect virtualization through RDTSC time measurements 11->58 60 Injects a PE file into a foreign processes 11->60 14 rtgs_2021-06-07_02-01.exe 11->14         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 6 14->17 injected process8 dnsIp9 28 www.bobdj99.com 91.195.240.94, 49730, 80 SEDO-ASDE Germany 17->28 30 www.zeozat.com 101.53.154.198, 49725, 80 NETMAGIC-APNetmagicDatacenterMumbaiIN India 17->30 32 13 other IPs or domains 17->32 38 System process connects to network (likely due to code injection or exploit) 17->38 40 Performs DNS queries to domains with low reputation 17->40 21 raserver.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/55a6e896de9c8381c82e1712be7428552d679a686477c9957b063e49345c5d1e/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-07 02:35:54 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwtorfw6tsbydsboc4jl45bikuwwpgtimr34tfl3ay7esnc4lupa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2642fecff2db22c3d6eaa889d838d52fbd765ad4a9a857aacb2e3ad6441f91c9
Formbook
3ec89e73e39d8f49eb7af879ca10a3b172a155b50cffd2e98dd4826c4284fd49
Formbook
6fac6e1f7f8cdd8cec52b2dd7a23fd434084c7d12ef0f04deaa52794d3612ef7
Formbook
9193d6cb634d0be563a786dbb165b8991093c451aac3a4d82c7bde0213f1e106
Formbook
95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4
Formbook
a429373a65c453931ad3cf7fcc897520d2ac11da688577e0dee6f4d36e7cc030
Formbook
ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce
Formbook
b60294d835ab78cd6edb940a020d476704f528f65b9e03559ed53cc182c808c8
Formbook
c9b6e262a0d1effd54b6ffcdc4f761d159e21b74afd02519aed342c1d7fac68e
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
+ 5'666 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210607-92qccxh42j/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.fabvegantravel.com/uecu/
Unpacked files
SH256 hash:
d71d2b821b6470caee60e41868a5d6f606c55fd43faaa648e014b5f6cc8731d9
MD5 hash:
8f013196b5c8203f8ad3257ded422322
SHA1 hash:
ae6b0c29744e65629293b3a7b8e74d994c4a1600
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c2dc97fd-eae1-4f51-b0e7-a5268eb2d626/
Parent samples :
3ec89e73e39d8f49eb7af879ca10a3b172a155b50cffd2e98dd4826c4284fd49
55a6e896de9c8381c82e1712be7428552d679a686477c9957b063e49345c5d1e
60b616aa073774570fe42a046db2ea9b5cd0c6d008f2e60f5902996460d8cf06
SH256 hash:
55a6e896de9c8381c82e1712be7428552d679a686477c9957b063e49345c5d1e
MD5 hash:
ab7ab2d13f4338fea0c6b550c89ec9ad
SHA1 hash:
8067ed013d444cdee7053d5238e6e8e5f595de78
Link:
https://www.unpac.me/results/c2dc97fd-eae1-4f51-b0e7-a5268eb2d626/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/55a6e896de9c8381c82e1712be7428552d679a686477c9957b063e49345c5d1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 55a6e896de9c8381c82e1712be7428552d679a686477c9957b063e49345c5d1e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/165009/

Comments