MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60f99e1f856338db7ae989eec29b9ba7f7f15521dd59497545cbb130f98cb377. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60f99e1f856338db7ae989eec29b9ba7f7f15521dd59497545cbb130f98cb377
SHA3-384 hash: 7e029fd3d48deac8f4260036918cd10cbe5b0e1e1205a514c013c3ad146be6d165d7c710bb46f6986e02625290d5482d
SHA1 hash: 49cf7e3194afe69dfd663b0e693b479f25cb072c
MD5 hash: 22d99b4cb39648a011bacaffb537af10
humanhash: butter-monkey-skylark-sad
File name:Doc1122536627382323 PDF.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:548'352 bytes
First seen:2022-01-13 13:31:45 UTC
Last seen:2022-01-13 15:32:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:itU8asOA1rI6lda/l47qeCXBlWszBXMSghhcTLblczOLG91z6PB:eZ17a/W7qeCWsX2O
Threatray 12'736 similar samples on MalwareBazaar
TLSH T12DC4AE6C369071DEC86BCA768A645C60AA717C77470BD207A053319DDA1EAD7CF206F3
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Doc1122536627382323 PDF.exe
Verdict:
Malicious activity
Analysis date:
2022-01-13 13:39:50 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/8802a5e4-88a7-4aab-8ec8-1d87bd25e4ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219044/
Detection(s):
SecuriteInfo.com.Artemis22D99B4CB396.2529.19959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61e029dd1883c5ba4ec7d900/reports/56e84100-1c81-46c4-989d-4218055f018c/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0f7d18d-0e60-4c7d-b99e-1979f416c88d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920104
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 552578 Sample: Doc1122536627382323 PDF.exe Startdate: 13/01/2022 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 11 other signatures 2->52 10 Doc1122536627382323 PDF.exe 4 2->10         started        process3 file4 38 C:\Users\...\Doc1122536627382323 PDF.exe.log, ASCII 10->38 dropped 66 Adds a directory exclusion to Windows Defender 10->66 68 Injects a PE file into a foreign processes 10->68 14 Doc1122536627382323 PDF.exe 10->14         started        17 powershell.exe 24 10->17         started        signatures5 process6 signatures7 72 Modifies the context of a thread in another process (thread injection) 14->72 74 Maps a DLL or memory area into another process 14->74 76 Sample uses process hollowing technique 14->76 78 Queues an APC in another process (thread injection) 14->78 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 www.folkinger.com 107.187.86.151, 49782, 49783, 49784 EGIHOSTINGUS United States 19->40 42 www.douwhy.com 154.95.158.117, 49809, 49811, 49812 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 19->42 44 www.vihyvua.xyz 172.67.151.73, 49816, 49817, 49818 CLOUDFLARENETUS United States 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 56 Performs DNS queries to domains with low reputation 19->56 25 mstsc.exe 18 19->25         started        signatures10 process11 file12 34 C:\Users\user\AppData\...\1P1logrv.ini, data 25->34 dropped 36 C:\Users\user\AppData\...\1P1logri.ini, data 25->36 dropped 58 Detected FormBook malware 25->58 60 Tries to steal Mail credentials (via file / registry access) 25->60 62 Tries to harvest and steal browser information (history, passwords, etc) 25->62 64 3 other signatures 25->64 29 cmd.exe 2 25->29         started        signatures13 process14 signatures15 70 Tries to harvest and steal browser information (history, passwords, etc) 29->70 32 conhost.exe 29->32         started        process16
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/60f99e1f856338db7ae989eec29b9ba7f7f15521dd59497545cbb130f98cb377/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2022-01-13 13:32:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=md4z4h4fmm4nw6xjrhxmfg43u737cvjb3vmus5kfzoytb6mmwn3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1c9e70c025667083ad61d9180d1e41872e2da65ef4e3854a6c71501976481051
FormBook
3436cc5fe025669ba4a7637cb89610951772a32773536ac0302cd43653d7348a
FormBook
6bb763ffd1ca484344f2a02df3f9e6bddc18a0f1fcd5d58002ad16b82b36db90
FormBook
6c0a4d3b03b1331dc9c31134c621f45bcd9bf6bc6818d61b3d7f455bf65b0b66
FormBook
76cd2fa50f3435ac673d7ec4bd24d06d3d461df75f968a2b49d6790ac5035655
FormBook
9619b00c35f4279665c6f8065b8ad590c2af0f5f050f7f02d650934d565f931e
FormBook
a97ce8a55897b2f476c343a3cb5234e94848cdb3a7a815bb1c31c48dfaf794b7
FormBook
e22a659b73048b31aba79fce8de22ddd5a287494b763fec8d5779869dfebbf31
FormBook
f0427effe53373b51d8b98f19d87a1e39cbcc49201d307526b5ced3406fed4e0
FormBook
f6ce0dcc1b8935f69bc1d3af7e524f5bce8d287e93d0e49cbd0db3c142d315b1
FormBook
+ 12'726 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:aq88 rat spyware stealer trojan
Link:
https://tria.ge/reports/220113-qszwnaaec2/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Unpacked files
SH256 hash:
bd17ae3bcbd0bf35a423e29584574f384f9afc672ccbafa3bacb13bc2d7e2d69
MD5 hash:
2c54a7486b3d2af8166bca5d41f9e049
SHA1 hash:
76e28c64732e849abfb5cfab7954e399173a9f77
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a259580e-9e71-415a-a7d1-b8cf8a5b5ded/
Parent samples :
3436cc5fe025669ba4a7637cb89610951772a32773536ac0302cd43653d7348a
60f99e1f856338db7ae989eec29b9ba7f7f15521dd59497545cbb130f98cb377
92f1366e3d4f6b1a6e86defe284d087586ae9e5b58d0398ea98182a3dac165a5
SH256 hash:
1102d76935981cede43a9b30cd969917b4497105d110107916f1fe561eae91a7
MD5 hash:
25d823ece88c612e86a8369b0c2aadc4
SHA1 hash:
7db8f463fc7a4e2d4a1850b5e1ff17983679fa89
Link:
https://www.unpac.me/results/a259580e-9e71-415a-a7d1-b8cf8a5b5ded/
SH256 hash:
518e78155192231174f8a0fdae0802a977400cdecf7956ddc85a783df6eb1ce8
MD5 hash:
2e5b9fdcc0b1be48c3d37d591e3d04e3
SHA1 hash:
4886c77a8303b56982191d153696463e19e86451
Link:
https://www.unpac.me/results/a259580e-9e71-415a-a7d1-b8cf8a5b5ded/
SH256 hash:
60f99e1f856338db7ae989eec29b9ba7f7f15521dd59497545cbb130f98cb377
MD5 hash:
22d99b4cb39648a011bacaffb537af10
SHA1 hash:
49cf7e3194afe69dfd663b0e693b479f25cb072c
Link:
https://www.unpac.me/results/a259580e-9e71-415a-a7d1-b8cf8a5b5ded/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/60f99e1f8563/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60f99e1f856338db7ae989eec29b9ba7f7f15521dd59497545cbb130f98cb377

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219044/

Comments