MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6898def472a85a7988f644d93880b2ab11915ceecd04ee345b49b54589564fee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6898def472a85a7988f644d93880b2ab11915ceecd04ee345b49b54589564fee
SHA3-384 hash: cafff1ae16e2afb7b7434826e18b590645064827678480436595a1d7283c8dc29fefc8d6427921163a09e929438c8eff
SHA1 hash: 14598d4ba752e16938acf3b927205cb20404a87f
MD5 hash: 8877c304368ff62890dd1658c18c5559
humanhash: cat-fanta-carolina-nineteen
File name:8877c304368ff62890dd1658c18c5559.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:731'136 bytes
First seen:2021-11-24 18:37:33 UTC
Last seen:2021-11-24 21:05:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d5a5a85102968ed0997ce91809ca5aad (3 x Formbook)
ssdeep 12288:wTDxfHlE1XHBC/qo3R7HaZRZEBTV3bXCRfwUCm0gRS+:w3RFIHBCN3hHWeBTUFcH
Threatray 742 similar samples on MalwareBazaar
TLSH T10AF47E61E2A14477C23B1E7DCE4F57A9AE6E7E003E24D1872DF81F8F8AB8193B505146
File icon (PE):PE icon
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO201808143_330542IMG_20200710_0008
Verdict:
Malicious activity
Analysis date:
2021-11-24 18:24:02 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/532b5d72-3c4b-4cc8-8218-764ed7782a37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.51722.29239.4731.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/619e868db71ceed4152edab2/reports/9d60f3c9-d6b1-4f5d-98f1-508a85f9a0ac/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e159ac7d-a6bd-4efb-89e1-d36194d532ea
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/895696
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6898def472a85a7988f644d93880b2ab11915ceecd04ee345b49b54589564fee/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 18:38:13 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ncmn55dsvbnhtchwitmtrafsvmizcxhozuco4nc3jg2ulckwj7xa._file
Verdict:
malicious
Similar samples:
045a680f5cff3aa889bd6e366a1445dc6c9f066b6601ba69f973c77cf37a5bd2
Formbook
18e7778ca7011e78b0c8bcf8e4c72d7c7ee26bbe4ea30d4003c799cb5740fa40
Formbook
2863a8690acd578ea41d8ef458f493c7bab50c34d8d6fd668f8ef56d429094de
Formbook
31ccfd52379f73629cf34d1e2864648befed8f571785811c1936919f36b807c0
Formbook
4b376277cce9c1e365afb51b78046354176a443b45bb6bc123a3ea69710c6c65
Formbook
7e7b60d769a5b99a90bd993f08a8b9175273e35d9447f91da28e61b05a746a99
Formbook
9bfd468b402317eb1dc711af78f4340d855cbf234a4736188283a6fa6f8d3cb2
Formbook
9f87aa938179953b88e6d47d4f2d07f82ec683a90ff0d77d8f50ad67ab55ad89
Formbook
eaa933474582c1c4544da0f4d1f8e53e4b54937b8fa147ab9f88af2e1371477b
Formbook
+ 732 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:rh6s loader persistence rat
Link:
https://tria.ge/reports/211124-w93xjagff5/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.barkerfamilyenterprises.com/rh6s/
Unpacked files
SH256 hash:
6898def472a85a7988f644d93880b2ab11915ceecd04ee345b49b54589564fee
MD5 hash:
8877c304368ff62890dd1658c18c5559
SHA1 hash:
14598d4ba752e16938acf3b927205cb20404a87f
Link:
https://www.unpac.me/results/f3ae9e4a-f142-4a9b-a1f0-3626e62698f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6898def472a85a7988f644d93880b2ab11915ceecd04ee345b49b54589564fee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 6898def472a85a7988f644d93880b2ab11915ceecd04ee345b49b54589564fee

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1813684/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209119/

Comments