MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cbc8098614c094caf34a0eae5242f77ae55e6ff77184f6a5b708703698ccc1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

SHA256 hash: 6cbc8098614c094caf34a0eae5242f77ae55e6ff77184f6a5b708703698ccc1a
SHA3-384 hash: 2795e708a59d062023c6487f114f4b4db36917b3d9a0676eedb51371f3df0fc568ef831c279a95808b120710bf750ef3
SHA1 hash: 8b9bdc7f22d7e978bcea377926c67655ed5c3c8f
MD5 hash: 276b0170d8035edd89cb993a275e776c
humanhash: nuts-fix-oscar-nineteen
File name: 276b0170d8035edd89cb993a275e776c.exe
Download: download sample
Signature: Formbook
File size: 1'383'936 bytes
First seen: 2021-08-19 08:35:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 24576:eC71ajs89tvKOsjrh6CZYZJrmMnfk/iQ2+S0d:eMajsa9KDzZwJ9fk/Pj
Threatray: 8'090 similar samples on MalwareBazaar
TLSH: T1ED556B3D29B82627C1BAD775CBE19817F19498AF7511EDA9A8D343660303B8375C323E
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 118
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 276b0170d8035edd89cb993a275e776c.exe
Verdict: Malicious activity
Analysis date: 2021-08-19 08:36:22 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (image not reproduced): Behavior Graph ID 468063, Sample: UgrmkcwibV.exe, Start date: 19/08/2021, Architecture: WINDOWS, Score: 100.
Process chain recovered from the graph: UgrmkcwibV.exe drops C:\Users\user\AppData\...\UgrmkcwibV.exe.log (ASCII) and starts two child UgrmkcwibV.exe instances; one child injects into wlanext.exe and explorer.exe (thread injection, DLL/memory mapping, process hollowing, APC queuing); wlanext.exe starts cmd.exe, which starts conhost.exe; explorer.exe starts autoconv.exe and connects to www.orders-cialis.info (88.214.207.96, ports 49738/80, NATCOWEBUS, United Kingdom) and www.ohio.works / ohio.works (34.102.136.180, ports 49739/80, GOOGLEUS, United States), flagged as "System process connects to network (likely due to code injection or exploit)".
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-08-19 05:42:21 UTC
AV detection: 9 of 46 (19.57%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:mxwf rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.zahnimplantatangebotede.com/mxwf/
Unpacked files
SHA256 hash: 58a8d91b66a32898bb3b9d29ad32ac91916d3c6ef814bf364c728fa70d068385
MD5 hash: d4df5abbec423b07def7ab5d036f5dbe
SHA1 hash: f082f1451a77d793ec3607fe801e4f67086c2977
Detections: win_formbook_g0 win_formbook_auto
Parent samples:
SHA256 hash: 6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash: 03bde4a82ad64c0f314985232fbca3fa
SHA1 hash: e8d0b6339e94192eaaca32c812f914e60576dca6
SHA256 hash: 2418538ffa582948e5d53cf800d1955cb00c63f1be3157e0c091e7dd739ed2b9
MD5 hash: bad81f7cb0c0f71900d631976060e63d
SHA1 hash: 6a172087d7d29efbdde31841bd6408f638d4abdf
SHA256 hash: 6cbc8098614c094caf34a0eae5242f77ae55e6ff77184f6a5b708703698ccc1a
MD5 hash: 276b0170d8035edd89cb993a275e776c
SHA1 hash: 8b9bdc7f22d7e978bcea377926c67655ed5c3c8f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Formbook, Executable exe 6cbc8098614c094caf34a0eae5242f77ae55e6ff77184f6a5b708703698ccc1a (this sample)
Delivery method: Distributed via web download
