MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3
SHA3-384 hash: b36183840cc845fa101e587ff7ae757017aa95d52c15cd310b9156cc50935d1fb58f222a755375cc36af83643c011583
SHA1 hash: e689e98a99d1d2a6e9a67a6adbd7fba737ed2d6b
MD5 hash: ab87bb7551411aec9c0b27cb4dcca79e
humanhash: avocado-hot-early-wisconsin
File name:inz.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:421'376 bytes
First seen:2021-01-12 22:45:10 UTC
Last seen:2021-01-13 01:01:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6d78c203697582a336c7a0a9d7775a1b (5 x Formbook, 1 x RemcosRAT, 1 x AgentTesla)
ssdeep 6144:t/hXM6TGfaXeRGjwj9qsgEtBI/IJQSv38gRxZcE7vnpAWYRlmHXL8UjPS0h7m5pg:LXMXFUsgEz3KEuXmHXjTSeIbewGZo7Sj
Threatray 241 similar samples on MalwareBazaar
TLSH EA946C26B788F6AAE18100B47109FFB650613835692EC843F7C17B5B78721EE9A05F5F
Reporter Racco42
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5207406442479616.zip
Verdict:
Suspicious activity
Analysis date:
2021-01-08 12:52:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b309efa1-f434-4fe3-9097-41e1ae63712c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111641/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57427.30651.13701.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/579618
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338853 Sample: inz.exe Startdate: 12/01/2021 Architecture: WINDOWS Score: 80 27 Found malware configuration 2->27 29 Malicious sample detected (through community Yara rule) 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 2 other signatures 2->33 8 inz.exe 1 2->8         started        process3 process4 10 inz.exe 1 8->10         started        13 conhost.exe 8->13         started        15 inz.exe 8->15         started        signatures5 35 Maps a DLL or memory area into another process 10->35 17 inz.exe 10->17         started        process6 process7 19 WerFault.exe 23 9 17->19         started        dnsIp8 25 192.168.2.1 unknown unknown 19->25 23 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->23 dropped file9
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-01-05 07:11:31 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  2/5
Verdict:
unknown
Similar samples:
1eb8543fda2c6d7e0bd287d692f8e63743729278f4f08b66cd00d987a68c4b7a
Formbook
20b2ef9bcd6d0a405c7c3e1f7fc2fe01851838451528faaeb22bb9694435002f
Formbook
5359d2f2d3a0cfec993a2d15a30db38289a02d3fda4acb8843750ec50ed344e8
Formbook
53878a7b306a51e03f35297ea81e42c7aa079665928f8ca0d1f1732c0da82ffe
Formbook
73872fa96dc607365e450f7dae21085f9091d511fb2a495ae55b2a3e812d9a34
Formbook
816f26e5b5de1be644fff419718bc3e1b8410a4a9a9f405d8db814e7758608d9
Formbook
a6c4cf62dc3f99465080ac5cd48a2f2f1423bb90d3d797ed27905225438d4f35
Formbook
b67361c9d7c2bcbe7e94b698f4d5abd1e6ffd96429d2c66dcfd92a573303e4f0
Formbook
f1c600a86d9492512f5c80574f885bc0b2c0f058419f58b1c8800eb6e1502713
Formbook
f4c9a59f4506a95b56b29a2b7046cda3e59563399fddc4546b9dff35c4f4efe7
Formbook
+ 231 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210112-37w4dvae76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nationshiphop.com/hko6/
Unpacked files
SH256 hash:
6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3
MD5 hash:
ab87bb7551411aec9c0b27cb4dcca79e
SHA1 hash:
e689e98a99d1d2a6e9a67a6adbd7fba737ed2d6b
Link:
https://www.unpac.me/results/c222bfa4-65ee-49f6-a457-42e9c3ca8676/
SH256 hash:
0e42bcab0a57e397c71f229d32f9408c22bdd22ec95142250f1eaeef1f7c0d11
MD5 hash:
9a1b5b5d3f244f5ff2089c39394ab4b1
SHA1 hash:
fc02eb679825cc74c063d7fc4eaad3e79152fb3d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c222bfa4-65ee-49f6-a457-42e9c3ca8676/
SH256 hash:
263a48f576b7798c89574796a7257c441ce60783c93023af8aff28088e0b47a0
MD5 hash:
594b2ddb2e6517ba02461b7c1673ebc3
SHA1 hash:
e44bd722d458fa1a32c97529cb4633987e220581
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c222bfa4-65ee-49f6-a457-42e9c3ca8676/
Parent samples :
16a895e73a1fa9260fdc42786d134cadbfd8936365e2f550322f45f08307186e
b79273545da050a53a38855e56afc06bce2cefe78fad1ccb36a8616b2950b1a0
3964255c6edcc775158338c29c12a374eef6b3bad5d1b05641a7c92efb8873de
74fe23fdb7b12b785e1e6db24dba0536deec51ddac1edbd53a0211b68672628b
be170809e4230261e4a1be5ed4a3fd90108240f4f6c3a3151e2b14bfdeac89f6
95432d34acb3db62d167b6ca78cf9e1f4508e692f1f4f124278dc07c552f4445
6c3fe63b8dd66c9dbbc62c341fde2ad3524b944f45734cb56b2f16b7638a62a7
bab1afa3cdf4c5c73be8b2890a43ac43ed1b4f3d14d1726323dc1c38a572f335
801e939e0d3085f2381ef566d8dc90653eef76be368a865cb249b0eb2bb1b869
2d5d89747431e9003471e77e757e6c2d3310cbcac7451c1bb8389d0744543e6f
1eb8543fda2c6d7e0bd287d692f8e63743729278f4f08b66cd00d987a68c4b7a
e972280a082b78255426343527eb04b724122122cbea086ee5c55958d90ba138
9161b2162e26e06de573d2314ef3d6cec389bfc240c33a9bce7f5b1e13c7b703
ee8ac19b40be65306741e69e41cc3768e469fedd9a55b8a1ff3a24723f6fd6da
6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3
ca035ce2804aff96e07142ecb344766e2fca568af3b5b01f60d7886225d7cd49
54855cba7fad3ca4afa7a47824594cf8dc86ea733e427a5cbddda9c29c88feb0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111641/

Comments