MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 760b2466db1fdc2d2c1651a730cfd6c14bfbcbd8f69eeb56ec8426d46784f4b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 760b2466db1fdc2d2c1651a730cfd6c14bfbcbd8f69eeb56ec8426d46784f4b3
SHA3-384 hash: 815d34d70adbd29d71ce575a8188ebc9b2faa4c528c85fb571eb200fec17bc21ad127a410dd88a574278ca17f566cbf6
SHA1 hash: de043c2903f10c128475489dc79567de5660a4b2
MD5 hash: 1b16ac0e8f82a21f04fd43f2501c81f8
humanhash: artist-ceiling-lamp-emma
File name:1b16ac0e8f82a21f04fd43f2501c81f8
Download: download sample
Signature Formbook
Create hunting rule
File size:769'536 bytes
First seen:2021-07-07 19:40:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 76139ff953899a69c3980d2d044e4370 (1 x RemcosRAT, 1 x Formbook)
ssdeep 12288:FqXq5p/SAz8XgXuv4SOkMn1uFW3R1MDEZUQ4NZcxv3TWjSiuPBR5lpbTYwMvF:Fn5dSAz8q2GkM8WqUNNTGSBRG
Threatray 5'745 similar samples on MalwareBazaar
TLSH T1F6F47D23F5D25437C46219784C0BE6DEA96BBE002D2465C7ABF53E9E8F7928138391C7
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GLC_Payments_Form.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-07 13:28:10 UTC
Tags:
exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/25192e29-6dae-4a2c-8a40-9a8e1f1c439b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170304/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/20a87782-0450-41e2-a030-43a6772270e2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813134
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445545 Sample: wtbzVtXYWe Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 58 www.paypalticket5396173.info 2->58 94 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->94 96 Found malware configuration 2->96 98 Malicious sample detected (through community Yara rule) 2->98 100 6 other signatures 2->100 11 wtbzVtXYWe.exe 1 24 2->11         started        signatures3 process4 dnsIp5 78 onedrive.live.com 11->78 80 db-files.fe.1drv.com 11->80 82 6o1lrg.db.files.1drv.com 11->82 56 C:\Users\Public\Libraries\...\Kutsatp.exe, PE32 11->56 dropped 124 Writes to foreign memory regions 11->124 126 Allocates memory in foreign processes 11->126 128 Creates a thread in another existing process (thread injection) 11->128 130 Injects a PE file into a foreign processes 11->130 16 secinit.exe 11->16         started        19 cmd.exe 1 11->19         started        21 cmd.exe 1 11->21         started        file6 signatures7 process8 signatures9 84 Modifies the context of a thread in another process (thread injection) 16->84 86 Maps a DLL or memory area into another process 16->86 88 Sample uses process hollowing technique 16->88 90 2 other signatures 16->90 23 explorer.exe 4 16->23 injected 27 reg.exe 1 19->27         started        29 conhost.exe 19->29         started        31 cmd.exe 1 21->31         started        33 conhost.exe 21->33         started        process10 dnsIp11 72 www.microwgreens.com 78.135.107.25, 49738, 80 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 23->72 74 www.hangrylocal.com 88.214.207.96, 49736, 80 NATCOWEBUS United Kingdom 23->74 76 2 other IPs or domains 23->76 120 System process connects to network (likely due to code injection or exploit) 23->120 122 Uses netstat to query active network connections and open ports 23->122 35 Kutsatp.exe 16 23->35         started        39 Kutsatp.exe 16 23->39         started        41 NETSTAT.EXE 23->41         started        43 conhost.exe 27->43         started        45 conhost.exe 31->45         started        signatures12 process13 dnsIp14 60 onedrive.live.com 35->60 62 db-files.fe.1drv.com 35->62 64 6o1lrg.db.files.1drv.com 35->64 102 Multi AV Scanner detection for dropped file 35->102 104 Machine Learning detection for dropped file 35->104 106 Writes to foreign memory regions 35->106 47 ieinstal.exe 35->47         started        66 192.168.2.1 unknown unknown 39->66 68 onedrive.live.com 39->68 70 2 other IPs or domains 39->70 108 Allocates memory in foreign processes 39->108 110 Creates a thread in another existing process (thread injection) 39->110 112 Injects a PE file into a foreign processes 39->112 49 mobsync.exe 39->49         started        114 Modifies the context of a thread in another process (thread injection) 41->114 116 Maps a DLL or memory area into another process 41->116 118 Tries to detect virtualization through RDTSC time measurements 41->118 52 cmd.exe 1 41->52         started        signatures15 process16 signatures17 92 Tries to detect virtualization through RDTSC time measurements 49->92 54 conhost.exe 52->54         started        process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/760b2466db1fdc2d2c1651a730cfd6c14bfbcbd8f69eeb56ec8426d46784f4b3/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 14:44:08 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oyfsizw3d7oc2lawkgttbt6wyff7xs6y62powvxmqqtniz4e6szq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74
Formbook
0da92ee5ab7eeb708288a5738697bf61857dfdc9ab3115dbb9e94392ea786696
Formbook
266321f3918aa86a1b7915453a294ca5c36bf2072647b549cdd35f526b3375a3
Formbook
3979a76f278cc417a50932f048516b0168237b6b4ca108ef779fec69b1bc0c0d
Formbook
660b2eb5749963f118e49c2f7f3b253b1563a9f99063ba29122f2b6bb72cb6fc
Formbook
672795699cca5d2353cd8a39ea7d1c0f2a779b3c943a7c3630884b2141a82214
Formbook
8395de2fb2940f93de9e2058bae551d3631bb5e93b23b396c5042532f0d2de58
Formbook
8855c73a66320b1d62c22f7af62feb301d13e4b68f4edfba64bf47473ad58c4a
Formbook
b120686883591f5a09157eb0fbfb502d4ee834ca717f9b77ab6bd9d0f85eb353
Formbook
b9cf4ce7fc7e9291433169038a63f0f4e3d36fb1826cda150ea52b2257ac7c12
Formbook
+ 5'735 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader loader persistence rat trojan
Link:
https://tria.ge/reports/210707-5646sbarr2/
Behaviour
Gathers network information
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Adds policy Run key to start application
Xloader Payload
ModiLoader, DBatLoader
Xloader
Malware Config
C2 Extraction:
http://www.mobiessence.com/6mam/
Unpacked files
SH256 hash:
1fd7371f99d6d6c22279f208d56c7030cc4a7807c44eca52aceb56d7f67ce794
MD5 hash:
135e22fb2a688966b3e75e16441f9d18
SHA1 hash:
5364d1af468956d5b0341c5f43aaf674679f7a32
Link:
https://www.unpac.me/results/bd2d6eec-38a9-4259-a32c-ce5f40086e2e/
SH256 hash:
760b2466db1fdc2d2c1651a730cfd6c14bfbcbd8f69eeb56ec8426d46784f4b3
MD5 hash:
1b16ac0e8f82a21f04fd43f2501c81f8
SHA1 hash:
de043c2903f10c128475489dc79567de5660a4b2
Link:
https://www.unpac.me/results/bd2d6eec-38a9-4259-a32c-ce5f40086e2e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/760b2466db1fdc2d2c1651a730cfd6c14bfbcbd8f69eeb56ec8426d46784f4b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 760b2466db1fdc2d2c1651a730cfd6c14bfbcbd8f69eeb56ec8426d46784f4b3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1434062/
Cape
Cape
https://www.capesandbox.com/analysis/170304/

Comments


Avatar
zbet commented on 2021-07-07 19:40:37 UTC

url : hxxp://chyler-leigh.org/a1/p7.exe