MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88b677a3b0b552141610da3b5b9a73f40e705a16cec821c73ea01a55fbf8202f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12



SHA256 hash: 88b677a3b0b552141610da3b5b9a73f40e705a16cec821c73ea01a55fbf8202f
SHA3-384 hash: a364389b58221456d96e3410987a480cf0ca5127ccc5150499cc11a517aa6348cd7964eda6984f67a65bfc9d64244de9
SHA1 hash: d68a1492e6af0dc8c15d8ffacd911201885297a1
MD5 hash: 828ed1d5f7159fe8b13764873bd7236e
humanhash: oven-october-spring-texas
File name: cap.exe
Signature: Formbook
File size: 749'568 bytes
First seen: 2020-12-14 14:24:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c3d6710a07e2881790555234ea14179a (8 x ModiLoader, 1 x Formbook, 1 x ISRStealer)
ssdeep: 12288:s4Per7j2cD2/gERzL6XeF03yKnkn3Hp2EAIFOaYN:sVKc63GkSnioEvO1
Threatray: 3'115 similar samples on MalwareBazaar
TLSH: 85F49F53B2904437D06716799C1B97A8AD26BF203E349D8A6BF93D0C4F3A391782A1D7
Reporter: James_inthe_box
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cap.exe
Verdict: Malicious activity
Analysis date: 2020-12-14 14:29:49 UTC
Tags: installer trojan formbook stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph: ID 330200, sample cap.exe, start date 14/12/2020, architecture WINDOWS, score 96. Process chain shown in the graph: cap.exe is started and injects into explorer.exe, which starts a second explorer.exe, which starts cmd.exe, which starts conhost.exe. (Graph rendering not reproduced.)
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-12-14 14:24:02 UTC
File Type: PE (Exe)
Extracted files: 99
AV detection: 17 of 48 (35.42%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.themagiczones.com/llp/
Unpacked files
SHA256 hash: 88b677a3b0b552141610da3b5b9a73f40e705a16cec821c73ea01a55fbf8202f
MD5 hash: 828ed1d5f7159fe8b13764873bd7236e
SHA1 hash: d68a1492e6af0dc8c15d8ffacd911201885297a1
SHA256 hash: 3fa982559d237206026af68066ddbb004ed0b16a6b81c30768cb8503cb5cf4eb
MD5 hash: 528e5700363cce14403b7dbeb6f9d4d7
SHA1 hash: c390faa1673108f4f2a729ac224fb67a6cbad1a5
Detections: win_dbatloader_g0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_dbatloader_g0
Author: Slavo Greminger, SWITCH-CERT
Description: targets loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.
