MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4
SHA3-384 hash: 9c490f4b4b9481c64422eef643d4239b88b485a76748e60288a71734d2bb6930d7261dea93f86d687512da9caf090dfa
SHA1 hash: f662319b3f121a1c9b4fd27081fa8311d32d58c3
MD5 hash: 0e793402ff4ee0d3e6b3e5edae0c8652
humanhash: lake-purple-maryland-west
File name:RTV900021234.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:206'336 bytes
First seen:2020-12-22 10:50:32 UTC
Last seen:2020-12-23 02:47:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6268f04e234d87c0f6d247f77774934b (3 x SnakeKeylogger, 1 x Formbook)
ssdeep 3072:bLTn8XSbHmlu0tZGG5VwnbIvkAjMtmAPALeC5gtwJ7VxepZns5cdZabAlLp:XTn8iotZGS+bIVfWAScan7ZabAll
Threatray 3'302 similar samples on MalwareBazaar
TLSH 8514120AD5430CAACBC478B7733F707FEA9B224483D524DA995068B85D79BD5F22283D
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
F839949.zip
Verdict:
Malicious activity
Analysis date:
2020-12-21 15:19:47 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/c8fe8788-e889-495f-a460-d95c3550f34e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108828/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.29908.29884.31999.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568140
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 333143 Sample: RTV900021234.exe Startdate: 22/12/2020 Architecture: WINDOWS Score: 100 34 www.jutoxnatural.com 2->34 36 td-balancer-euw2-6-109.wixdns.net 2->36 38 3 other IPs or domains 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 4 other signatures 2->48 11 RTV900021234.exe 2->11         started        signatures3 process4 signatures5 56 Maps a DLL or memory area into another process 11->56 58 Tries to detect virtualization through RDTSC time measurements 11->58 14 RTV900021234.exe 11->14         started        process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 28 evolvestephanieperreault.com 162.241.24.62, 49747, 80 UNIFIEDLAYER-AS-1US United States 17->28 30 www.unitvn.com 112.213.89.130, 49746, 80 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 17->30 32 7 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-12-21 12:34:29 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqb4zhflycw3zwyvs5sq7h6f3vodwm4kb2cvrcd2al53hpumgtca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
073c6184b73bb8ae675774bd64e81e1023f6df992fb763358f9653d980e4b55e
Formbook
2047ecb45a1bd7dad219077cd5446bffc34fdc7acad3d3293c576fc187b08996
Formbook
5f657de9b0eaeb9eabf6d18a202f7b8c7daafd71d03387366069fe9ebd5f282a
Formbook
6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb
Formbook
889352094880e37d9fb8d07ca965839f595ac5b821996f4290149d1815981a7b
Formbook
8ffe1634ec406dc2f1db74d9dd90ddf64b3abf2e42d491406b758d177747213a
Formbook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
Formbook
cf5a86737ab13ec2ea858e0d7c635c3a3c79d1deda05e79a81dd1b470dcb0942
Formbook
e8d41df74484529065bad33443225cf40b05423b7cd4b0af478043c13394750e
Formbook
eacd132f69b64ef7a47c959fd92f50343be23e5768f0476c665870f5de4f89ee
Formbook
+ 3'292 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201222-z4elz37vkn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.unitvn.com/krc/
Unpacked files
SH256 hash:
5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4
MD5 hash:
0e793402ff4ee0d3e6b3e5edae0c8652
SHA1 hash:
f662319b3f121a1c9b4fd27081fa8311d32d58c3
Link:
https://www.unpac.me/results/d19295c1-ec91-4fd1-b026-d9f25aac3711/
SH256 hash:
df1a174033123b25388d9e18ffaaee450a1b1823fa0e7b8eb5c7fa72f69edc1f
MD5 hash:
5c748f5122ee2a296257804d58900801
SHA1 hash:
9ef3d9c557b23beceaab5eabcd7e28c4eb7bd9e5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d19295c1-ec91-4fd1-b026-d9f25aac3711/
Parent samples :
5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4
59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679
4f16f7da4670e165f0f978457775531b15cd2fb4c9e21b0a511eaf2e6771988e
38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 432dcc9a9872334a8baac477bde9c53548adf64d47c30d940cbc1ea436adcf37

Formbook

Executable exe 5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4

(this sample)

  
Dropped by
MD5 f5775ee00ca7671f29a52fb286f63df5
  
Dropped by
SHA256 432dcc9a9872334a8baac477bde9c53548adf64d47c30d940cbc1ea436adcf37
  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/108828/

Comments