MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dcacc0999d412f1ec9c51ba728eadd0fa56a226e2486d283015845604d68e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	6dcacc0999d412f1ec9c51ba728eadd0fa56a226e2486d283015845604d68e35
SHA3-384 hash:	61cd18e4bc41d2cfe15f8696b275b0e8a8729702cd94c5a9185425ee3d488e85c7bf9e9b8a964275bcfea3346cb45fbd
SHA1 hash:	5c2872bbafea5aa5f298df9e88649448e9157061
MD5 hash:	738775afbcb59b72b1249294363e76a2
humanhash:	social-bravo-sink-north
File name:	SecuriteInfo.com.Zum.Androm.1.30395.11586
Download:	download sample
Signature	Formbook Create hunting rule
File size:	226'354 bytes
First seen:	2021-07-01 12:49:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	6144:xqjIbAHgAuM4XtaAnlf/EX1hiRBSo/z84:YvruM4XMAluOjpI4
Threatray	6'112 similar samples on MalwareBazaar
TLSH	4024124AE393CEEBCFD149B0287A52805FD442041275AF4FB7289FBDF231A61641D6B5
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

171

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Roominglistt.7z

Verdict:

No threats detected

Analysis date:

2021-07-01 11:30:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/459defe6-6d4c-489d-b8a2-978b59ca4097

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/169158/

Detection(s):

SecuriteInfo.com.Zum.Androm.1.30395.11586.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c784e3a6-c1d4-4a2f-bee4-e92e8d27e8aa

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/810551

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/6dcacc0999d412f1ec9c51ba728eadd0fa56a226e2486d283015845604d68e35/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-07-01 12:50:13 UTC

AV detection:

16 of 46 (34.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nxfmycmz2qjpd3e4kg5hfdvn2d5fnirg4jeg2kbqcwcfmbgwry2q._file

Verdict:

malicious

Label(s):

formbook

Formbook

36ac85986999d60ef2bcf74e50d27daa1bfbf6c4815e6fb5e5dc1547d8dcb8c9

Formbook

3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461

Formbook

5aa64b3eef03b9c837e37102be20cb4f537c524b2a2531bf1bf6dd6a02461d7e

Formbook

66e06710b095c687448e0b08240a99f84dfbfc24882a2c8c9f5b165f58469d8f

Formbook

744400d590042d779a25401879f9906b979e32bba3fac355a0ff2d5a00f4fcfc

Formbook

852d3890ed7348734c5f18da1141075129468263b43f82cec8ac7b3e4b9145ac

Formbook

913b12686b62bfbaa6cd0169c2b37bb2d06d095335f3ac14047ec49d3a755b2d

Formbook

a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051

Formbook

dd44eb26a328f1e86823339666e1b1237ad7b1d880694c1b8fb8164b931aa512

Formbook

+ 6'102 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210701-5pt2baclnn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.countrykirana.com/hvc/

Unpacked files

SH256 hash:

172df166af6703fc9a46905c385c2c77595b63d229692164d0ca7be25058c497

MD5 hash:

5a35b5cb0c2b256e8601d1037471d723

SHA1 hash:

dc985d9d479cec9d9f2ad146013bc235df49546a

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/a51302f3-7971-4f9b-bf28-61db108eaa60/

Parent samples :

1e6e22400682ee9a9ec02f1742f84efd44978cb6c2d4ef685d04f650f180cfb4
6dcacc0999d412f1ec9c51ba728eadd0fa56a226e2486d283015845604d68e35

SH256 hash:

47ef818469048011bdb7b569f7d81d2c7c2a0c371ce01441b7072a0ed15fd477

MD5 hash:

01fbb9c7bd621f84f3c4f21bafe8ee85

SHA1 hash:

1eaabb50a9c20afac43c4849540d6a5cb6c28504

Link:

https://www.unpac.me/results/a51302f3-7971-4f9b-bf28-61db108eaa60/

SH256 hash:

6dcacc0999d412f1ec9c51ba728eadd0fa56a226e2486d283015845604d68e35

MD5 hash:

738775afbcb59b72b1249294363e76a2

SHA1 hash:

5c2872bbafea5aa5f298df9e88649448e9157061

Link:

https://www.unpac.me/results/a51302f3-7971-4f9b-bf28-61db108eaa60/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.67

Link:

https://yomi.yoroi.company/submissions/6dcacc0999d412f1ec9c51ba728eadd0fa56a226e2486d283015845604d68e35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_formbook_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/169158/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample