MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 680d4609ded638e617b9f1a00fe9dcf69b6e505f617182961b8492dfb95d5347. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 680d4609ded638e617b9f1a00fe9dcf69b6e505f617182961b8492dfb95d5347
SHA3-384 hash: 08a0a7a989bf44b3bb938539b3fb9b89660723726c856d59f7f45058bb31c53782bd01dff016a2e57d9be9b7179fcd30
SHA1 hash: 1e347885201e85b6acf14d8f6862a0aa6ffacb91
MD5 hash: c2f8614d05df1b55f07d2d9626cdc045
humanhash: yankee-diet-zebra-carpet
File name:Statement for MCF and SSL890935672002937383920028202.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'061'888 bytes
First seen:2021-06-21 14:46:46 UTC
Last seen:2021-06-21 15:58:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:VEHHip1ulNGMsNYoTYKHog4tcmmiBmcbrH:aHAuzGbNYY4i/c
Threatray 5'743 similar samples on MalwareBazaar
TLSH 9735BE220ECF436DE2754FB517B0BC8782B6ADAA3705A2153DC031ADCA335D9D9EE512
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Statement for MCF and SSL890935672002937383920028202.exe
Verdict:
Malicious activity
Analysis date:
2021-06-21 14:50:18 UTC
Tags:
trojan formbook stealer opendir
Link:
https://app.any.run/tasks/6925ae49-a463-474f-84d3-b6943d93c537

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167308/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.19150.13879.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2dc14da8-9e5a-4f93-b1a2-575b7e145cf3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805395
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 437806 Sample: Statement for MCF and SSL89... Startdate: 21/06/2021 Architecture: WINDOWS Score: 100 27 www.thewhealthyou.com 2->27 29 www.antiracism4realpeople.net 2->29 31 2 other IPs or domains 2->31 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 8 other signatures 2->55 9 Statement for MCF and SSL890935672002937383920028202.exe 3 2->9         started        13 explorer.exe 2->13         started        signatures3 process4 dnsIp5 25 Statement for MCF ...83920028202.exe.log, ASCII 9->25 dropped 57 Writes to foreign memory regions 9->57 59 Injects a PE file into a foreign processes 9->59 16 RegSvcs.exe 9->16         started        33 www.arcsolutions.net 64.190.62.111, 49738, 80 NBS11696US United States 13->33 35 sxfhdb.com 23.230.206.228, 49739, 80 EGIHOSTINGUS United States 13->35 37 10 other IPs or domains 13->37 61 System process connects to network (likely due to code injection or exploit) 13->61 63 Uses netsh to modify the Windows network and firewall settings 13->63 19 netsh.exe 13->19         started        file6 signatures7 process8 signatures9 39 Modifies the context of a thread in another process (thread injection) 16->39 41 Maps a DLL or memory area into another process 16->41 43 Sample uses process hollowing technique 16->43 45 Queues an APC in another process (thread injection) 16->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 21 cmd.exe 1 19->21         started        process10 process11 23 conhost.exe 21->23         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/680d4609ded638e617b9f1a00fe9dcf69b6e505f617182961b8492dfb95d5347/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 11:41:11 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nagumco62y4omf5z6gqa72o462nw4uc7mfyyffq3qsjn7ok5kndq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
23cc105fad71d71dced93e63fdbab55354b4dc9700fb0de855acedaf5723ed9c
Formbook
3643c16e7017696ca2809399d3edbf2f7f7298e4ef3246951fac256e86176716
Formbook
3cec9bd714745b020366af9537184c619794ef4dee36c99093f53b243c97dcc1
Formbook
617b258c08311b306f17228bf1df3f322d3afe24e7bb94c641e54a671b902452
Formbook
6838e750e4d6b197819aedaeb8e0a183d5fb790da0d6d5e426d99f09bae758d9
Formbook
7e9997ea452090062e0512decd987ccd4ad16cc04d8bea777a4c8929b5ba85aa
Formbook
8241caa4d6c5a09290864492d19dee143f0f80074d370135c0f91bad01c16ee3
Formbook
87fb0ca5b0ebcc0dc80aeca8065b2e2bf1ec14cade124316227646bc59ad237c
Formbook
b8ae452aae57b904e1058a00c0a22dc8c9fa86e5b042d7fe5c812f724b7531a6
Formbook
e1fee7ee20f6d3bd6e913baeae737c558014454223d552c125c3f963e7c1a843
Formbook
+ 5'733 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210621-nqa721agm6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.c4poc.com/3b4e/
Unpacked files
SH256 hash:
413ede98547bd5e1b557100cb815b3568ecee78f21c02540523b26cac30936c9
MD5 hash:
cd6aea4416a9b324eb3a7b3386f14364
SHA1 hash:
47c3245ddff9491ff9216d3a20e5e2b2e2f31da3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6f4b1cac-4f63-44ae-9b85-d79fb19946f4/
Parent samples :
680d4609ded638e617b9f1a00fe9dcf69b6e505f617182961b8492dfb95d5347
930ff364210f0d0e18cf5ead705f1b8724512ebf556cf4c64dc69783d7a66197
SH256 hash:
18a01cfee65098b0cdc7b92f49c87446aca438513dc1e83e3572ed690dbe9dac
MD5 hash:
93a1da3ed01bfa2ef4808d086a4d47a2
SHA1 hash:
35baa372c64d6f903ffeb77566d2db3bd43510bb
Link:
https://www.unpac.me/results/6f4b1cac-4f63-44ae-9b85-d79fb19946f4/
SH256 hash:
7aba500b1852617b40e410a9dec5eb8dc701ad29a2592527bddd7601d80f44d4
MD5 hash:
8c908162a575c3192237c4deaa5a74b8
SHA1 hash:
124b8231f7f9562d3de72c8f0d4eb41001f0fa2f
Link:
https://www.unpac.me/results/6f4b1cac-4f63-44ae-9b85-d79fb19946f4/
SH256 hash:
680d4609ded638e617b9f1a00fe9dcf69b6e505f617182961b8492dfb95d5347
MD5 hash:
c2f8614d05df1b55f07d2d9626cdc045
SHA1 hash:
1e347885201e85b6acf14d8f6862a0aa6ffacb91
Link:
https://www.unpac.me/results/6f4b1cac-4f63-44ae-9b85-d79fb19946f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/680d4609ded638e617b9f1a00fe9dcf69b6e505f617182961b8492dfb95d5347

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 680d4609ded638e617b9f1a00fe9dcf69b6e505f617182961b8492dfb95d5347

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/167308/

Comments