MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dc793d16688060c0db0592784fedaac1163fcc195cd2cb461115d69d17ac3ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dc793d16688060c0db0592784fedaac1163fcc195cd2cb461115d69d17ac3ab
SHA3-384 hash: c1ff22e68b6699872d794c347bf8959b29187e600b4ff09542e41ffed5359dcc3f73caaa74976f60cdb4c4b162f453e5
SHA1 hash: f446f1470282b28d0a3c83080f5b9792713bc693
MD5 hash: f92728aa3926d53962f7511d8efd0cd5
humanhash: aspen-south-mobile-may
File name:FedEx's AWB#3366674038005.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'065'472 bytes
First seen:2022-03-21 10:19:20 UTC
Last seen:2022-03-21 10:28:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ecda77ba4b20deffbdfcdb24b1b9910f (3 x Formbook)
ssdeep 24576:PolcmxDQ6vSWIqAk3OOJDnVinDHCP9iWvjXf:PA2J9OpVinDiP9is
Threatray 14'295 similar samples on MalwareBazaar
TLSH T1F635AE66F3A05877C47726384D1B56A59E3ABE002D79CC8A3BF55D0C1FF86817D2A283
File icon (PE):PE icon
dhash icon 7cf4b6ae8cd0e8f0 (4 x Formbook)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/6238515db94fb38cb4c24237/reports/a67ec17e-a470-494e-bc8d-28274c216d2c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7221e626-5339-45e0-8fc2-d627611d86ae
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/960615
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Yara detected Shellcode strings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593096 Sample: FedEx's AWB#3366674038005.exe Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 10 other signatures 2->52 9 FedEx's AWB#3366674038005.exe 1 18 2->9         started        process3 dnsIp4 44 mexicogroups.com 198.38.82.90, 443, 49766, 49768 SERVERCENTRALUS United States 9->44 34 C:\Users\Public\Xbfgclu.exe, PE32 9->34 dropped 36 C:\Users\Public\ulcgfbX.url, MS 9->36 dropped 38 C:\Users\Public\Xbfgclu.exe:Zone.Identifier, ASCII 9->38 dropped 58 Injects a PE file into a foreign processes 9->58 14 FedEx's AWB#3366674038005.exe 9->14         started        file5 signatures6 process7 signatures8 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 17 explorer.exe 4 4 14->17 injected process9 process10 19 Xbfgclu.exe 13 17->19         started        23 Xbfgclu.exe 15 17->23         started        25 cmmon32.exe 17->25         started        27 2 other processes 17->27 dnsIp11 40 mexicogroups.com 19->40 54 Tries to detect virtualization through RDTSC time measurements 19->54 56 Injects a PE file into a foreign processes 19->56 29 Xbfgclu.exe 19->29         started        42 mexicogroups.com 23->42 32 Xbfgclu.exe 23->32         started        signatures12 process13 signatures14 60 Modifies the context of a thread in another process (thread injection) 32->60 62 Maps a DLL or memory area into another process 32->62 64 Sample uses process hollowing technique 32->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dc793d16688060c0db0592784fedaac1163fcc195cd2cb461115d69d17ac3ab/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-03-21 04:46:19 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxdzhulgradaydnqletyj7w2vqiwh7gbsxgszndbcfowtul2yovq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1b931e14bdbf51c88c98a13c7f934dd3c9e8e1b8583d8d95129e1a0b3a03eece
Formbook
3d5d161635b1d409b28564bb95c9006687b720caa5bfb6ed8679b87e889baf3a
Formbook
60f3b28c265ee86ff2fda42a3147348bf53971060d9b97e2cd631a32f80ee0cd
Formbook
641726e045898d15c39c11559c01e297aff22924a4cd3543e0ce2e3cdc3c2277
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
a6cea446b135529f57315da655e5329e267f80a67940edbf949196536b212c5b
Formbook
a84bdf209b862ffbdf3d963611eec3c1c2d70024e24041727a49bc618d6ff4cd
Formbook
c1c5eecc6b6b1138ad43a1b2793d3872dca1c6ab4ec53d34e354e49e35d045d0
Formbook
f80a58564f070acf295b2a76ce6331402b3e9e71eed07cf3e017376e1bdb0f36
Formbook
f917034d08d7cc2d2af50ff28d1b52944691fba6bb96965e18948cf7473bbd80
Formbook
+ 14'285 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:uc04 persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220321-mc49nabefn/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Unpacked files
SH256 hash:
6dc793d16688060c0db0592784fedaac1163fcc195cd2cb461115d69d17ac3ab
MD5 hash:
f92728aa3926d53962f7511d8efd0cd5
SHA1 hash:
f446f1470282b28d0a3c83080f5b9792713bc693
Link:
https://www.unpac.me/results/36c9c901-77ba-4b19-84e7-cbc29a96e332/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6dc793d16688/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dc793d16688060c0db0592784fedaac1163fcc195cd2cb461115d69d17ac3ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 6dc793d16688060c0db0592784fedaac1163fcc195cd2cb461115d69d17ac3ab

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments