MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a
SHA3-384 hash: bd12b96c057fc0721c3f2e4a857869128c6bb82838ab7bc3f4b0ed574662fb2ab595ff1dc4ba2d71df26f7a36b3ce26c
SHA1 hash: e9361f22d9b0a2aba641b9cedbaa203ac32e30c6
MD5 hash: f5e7bf270b60cd8a71fc8be79ea7aae4
humanhash: dakota-alpha-coffee-wisconsin
File name:CTM ARRANGEMENT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:305'632 bytes
First seen:2021-08-02 05:27:58 UTC
Last seen:2021-08-03 16:25:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 589aee860f84814af33b4e1068b97d01 (5 x Formbook)
ssdeep 6144:jCeJW1DhGOWLpoLuVLhiade0Huq8PGMZW/d+2t7i+:/WJhGOWLpogLAa40+PGMZHe7l
Threatray 7'212 similar samples on MalwareBazaar
TLSH T16354F151B9C1D875D0B3883604B89EA19D3DFE910F225AEB2698472F1F714D1EA36C2B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
809
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f5e7bf270b60cd8a71fc8be79ea7aae4
Verdict:
Suspicious activity
Analysis date:
2021-08-02 00:51:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec37f712-9619-411f-88a3-0cfb067e45d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175651/
Detection(s):
SecuriteInfo.com.Generic.Cryptor.X.A0657D52.28814.8459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7a96e67b-c251-4730-9193-aaeaf266b816
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825314
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457768 Sample: CTM ARRANGEMENT.exe Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 36 www.meridiancpas.com 2->36 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 5 other signatures 2->52 10 CTM ARRANGEMENT.exe 2->10         started        signatures3 process4 signatures5 54 Maps a DLL or memory area into another process 10->54 13 CTM ARRANGEMENT.exe 10->13         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Maps a DLL or memory area into another process 13->58 60 Sample uses process hollowing technique 13->60 62 Queues an APC in another process (thread injection) 13->62 16 explorer.exe 12 13->16         started        20 explorer.exe 13->20 injected process8 dnsIp9 28 www.jcuiovpoizelrkjlkwcpopoisq.info 16->28 38 System process connects to network (likely due to code injection or exploit) 16->38 40 Modifies the context of a thread in another process (thread injection) 16->40 42 Maps a DLL or memory area into another process 16->42 44 Tries to detect virtualization through RDTSC time measurements 16->44 22 cmd.exe 1 16->22         started        30 jcuiovpoizelrkjlkwcpopoisq.info 176.223.131.225, 80 RACKRAYUABRakrejusLT Lithuania 20->30 32 www.ggfbank.com 64.190.62.111, 49771, 80 NBS11696US United States 20->32 34 8 other IPs or domains 20->34 24 autoconv.exe 20->24         started        signatures10 process11 process12 26 conhost.exe 22->26         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a/
Threat name:
Win32.Ransomware.Cryptor
Create hunting rule
Status:
Malicious
First seen:
2021-08-02 00:50:01 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcuyf7lst6dburbzuwpggkt5o3vqgomryq32enulykudjbz7d6fa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
94b5ba8b9cf0c9b6d3e790aadc37b8afb3099af0d151761d5c7196dd6fb81539
Formbook
abb1db77386f0eb3cd2c68603ee8817d6d1015287422182845345dad70503564
Formbook
b840f470d0cb4edaa85663b15f539593e3c31d81cec9e9ed1bb1c2539fc8d20c
Formbook
bd6055810a703f4f0caec388c7cce89661ee9451179dc3abe6261480bda4105e
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6
Formbook
+ 7'202 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat suricata
Link:
https://tria.ge/reports/210802-ccg2nn1nnj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.hornti.com/pagi/
Unpacked files
SH256 hash:
b6458980293459b838ac1cc47f162c994df08b2a7406b6cb2789d4dd0bb8eac5
MD5 hash:
4fb89e5b31275ce66d35f82045a72e56
SHA1 hash:
d1b2b4d03cebda1201692a6ef16b79a6162629da
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/19556d34-2c48-4c19-82b8-be2ea056d67b/
Parent samples :
88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a
355dd96121c1930f9c9c0f94b6474d5cbeb3bcfd6a7c51a043674cc79a26c891
SH256 hash:
88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a
MD5 hash:
f5e7bf270b60cd8a71fc8be79ea7aae4
SHA1 hash:
e9361f22d9b0a2aba641b9cedbaa203ac32e30c6
Link:
https://www.unpac.me/results/19556d34-2c48-4c19-82b8-be2ea056d67b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 88a982fd729f861a4439a59e632a7d76eb033991c437a2368bc2a834873f1f8a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/175651/

Comments