MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ff46a14b9b9ee749f6d723246afa1f2c82e85433de7c243d9b66046fa25fa42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ff46a14b9b9ee749f6d723246afa1f2c82e85433de7c243d9b66046fa25fa42
SHA3-384 hash: 88e37560b66f4408ed4671232feb52cea4613aff6fc965281086d64f6bfedfc5b22611a1e25d9bb9791adbc3ee4c8b09
SHA1 hash: 2b8d72adb220e7813270235128b62c5f13a9115a
MD5 hash: 0094c25b92c0ca3b6b5c1742e2e6a8b7
humanhash: magazine-arizona-lithium-cup
File name:Notificação de envio FedEx 815158433805.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:342'235 bytes
First seen:2022-03-02 17:17:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGij9hNlAkW9pdRe3Kvwp5wzmo7k0GY8XLnd19h0rZKCRs7Mqd8Sytdg:L47Je3P883Y8bnVh0rZKCOryjg
Threatray 11'200 similar samples on MalwareBazaar
TLSH T15074121578E1A5A7CFC5033646FB7BB7F37B524743662D9F13701EBA2922292A0090F9
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FedEx FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Notificação de envio FedEx 815158433805.iso
Verdict:
Malicious activity
Analysis date:
2022-03-02 10:27:23 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/c7dd9190-e60e-469b-9874-3f082955ea81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246428/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.1969.5869.18459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe nemesis overlay packed shell32.dll virus
Link:
https://www.filescan.io/uploads/621fa6d2b94fb38cb43a4c7a/reports/119a190a-6809-4b92-a2d9-04d0f53649f4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afd65dd8-51e5-4423-bab5-ee71e058955f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949335
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 581812 Sample: Notifica#U00e7#U00e3o de en... Startdate: 02/03/2022 Architecture: WINDOWS Score: 100 34 www.theresnosomedayinbadass.com 2->34 36 www.digiblogofficial.com 2->36 38 2 other IPs or domains 2->38 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Found malware configuration 2->58 60 5 other signatures 2->60 12 Notifica#U00e7#U00e3o de envio FedEx 815158433805.exe 18 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\hwthulvd.exe, PE32 12->32 dropped 15 hwthulvd.exe 12->15         started        process6 signatures7 72 Multi AV Scanner detection for dropped file 15->72 74 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->74 76 Tries to detect virtualization through RDTSC time measurements 15->76 78 Injects a PE file into a foreign processes 15->78 18 hwthulvd.exe 15->18         started        process8 signatures9 46 Modifies the context of a thread in another process (thread injection) 18->46 48 Maps a DLL or memory area into another process 18->48 50 Sample uses process hollowing technique 18->50 52 Queues an APC in another process (thread injection) 18->52 21 explorer.exe 18->21 injected process10 dnsIp11 40 www.frugaimoms.quest 37.123.118.150, 49794, 80 UK2NET-ASGB United Kingdom 21->40 42 www.gender-smart.com 74.208.236.77, 49783, 80 ONEANDONE-ASBrauerstrasse48DE United States 21->42 44 5 other IPs or domains 21->44 62 System process connects to network (likely due to code injection or exploit) 21->62 64 Performs DNS queries to domains with low reputation 21->64 25 mstsc.exe 21->25         started        signatures12 process13 signatures14 66 Modifies the context of a thread in another process (thread injection) 25->66 68 Maps a DLL or memory area into another process 25->68 70 Tries to detect virtualization through RDTSC time measurements 25->70 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6ff46a14b9b9ee749f6d723246afa1f2c82e85433de7c243d9b66046fa25fa42/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 17:18:17 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n72guffzxhxhjh3noizenl5b6lec5bkdhxt4eq6zwzqen6rf7jba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0432de0ca2a033d243ff9e4f2589955678620ac4be75b25f3f632d43bad3fa2a
Formbook
16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8
Formbook
6849e65e9ac20880fa99583b202ae710e0a3885cd72692a0c1b4d72aae109adf
Formbook
8230050be18082cbd46028e18bd49362c630c8c63dfc8b6875b605f250fadda3
Formbook
831f79faeff5bd6704c5aca840f3067b4762e5b6e6228b04221ccf351b146da7
Formbook
dac29469098164b1f450c5ad162b0a33e5e285ff872b83109771bb8ee8c4c879
Formbook
+ 11'190 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:nazb loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220302-vvcw5afgb9/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Formbook
Suspicious use of NtCreateProcessExOtherParentProcess
Xloader
Unpacked files
SH256 hash:
46cefb82144befecad954666b8dad593bc57c84009ce8642f7edb15a36436803
MD5 hash:
730577b496a5d7f00958c13e92143cea
SHA1 hash:
70ac754c76726caabf442ffd1f4ee874388ed028
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e14361c2-a286-4f37-b50a-91ff95e6bb1b/
Parent samples :
5cfd3b8ba7a3da6c08222b824d569148499ebfd98ae94b991157bda8f78ab515
16c6b4c1d616cf406d917ba4bdab7c23fba2752bbe308d0f241eb1f1c57927b8
0845f5cac8b3d88214e3ce7de031261deebad1751e592d7221c65b7724c56f2b
6ff46a14b9b9ee749f6d723246afa1f2c82e85433de7c243d9b66046fa25fa42
SH256 hash:
44bb83e3841943966e382cbbd0cfdea1564a896ea07667aab35931f689314b50
MD5 hash:
2cb3556c184742b89802b4e37f7e6e09
SHA1 hash:
aaf57cfd423d98049cdb7feaa18a28ce65acd818
Link:
https://www.unpac.me/results/e14361c2-a286-4f37-b50a-91ff95e6bb1b/
SH256 hash:
6ff46a14b9b9ee749f6d723246afa1f2c82e85433de7c243d9b66046fa25fa42
MD5 hash:
0094c25b92c0ca3b6b5c1742e2e6a8b7
SHA1 hash:
2b8d72adb220e7813270235128b62c5f13a9115a
Link:
https://www.unpac.me/results/e14361c2-a286-4f37-b50a-91ff95e6bb1b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6ff46a14b9b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/6ff46a14b9b9ee749f6d723246afa1f2c82e85433de7c243d9b66046fa25fa42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/246428/

Comments