MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129
SHA3-384 hash: 99cf703a946aa39506856e9e1eb9ac6ac04e5f877873aa478e8e3e7bdf7a088e3ae8ed8fcab16aa51b140e8adfd6aa2b
SHA1 hash: edaaf0a471315319396afcc4dc14baf5856d7a3d
MD5 hash: 5813409d72e5b6ac2ec5caff138e2abd
humanhash: high-nebraska-edward-arizona
File name:inchna.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:503'221 bytes
First seen:2022-02-11 12:10:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 12288:g+lG51wa/EGgN33+Rd3d8xQONreISJ5Shdv5YnIO2M:h850XJ+Rv8jrc8hJ5q/
Threatray 13'241 similar samples on MalwareBazaar
TLSH T13BB41255BA88CC23EA11137448A1EB799675EF44362A47036FE93EBF7E376C26CD4081
File icon (PE):PE icon
dhash icon 70d2b1b178f4f0d0 (1 x Formbook)
Reporter TeamDreier
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/240921/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6206525b54047500bb403048/reports/c49785f8-62a7-4630-b5ac-b74a18484054/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e923372a-500c-4306-b121-9155386e1c2e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/938272
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 570746 Sample: inchna.exe Startdate: 11/02/2022 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 2 other signatures 2->50 11 inchna.exe 19 2->11         started        process3 file4 34 C:\Users\user\AppData\Local\...\wrgummncf.exe, PE32 11->34 dropped 14 wrgummncf.exe 11->14         started        process5 signatures6 60 Multi AV Scanner detection for dropped file 14->60 62 Tries to detect virtualization through RDTSC time measurements 14->62 17 wrgummncf.exe 14->17         started        process7 signatures8 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Sample uses process hollowing technique 17->40 42 Queues an APC in another process (thread injection) 17->42 20 explorer.exe 17->20 injected process9 signatures10 52 Uses ipconfig to lookup or modify the Windows network settings 20->52 23 ipconfig.exe 20->23         started        process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 23->54 56 Maps a DLL or memory area into another process 23->56 58 Tries to detect virtualization through RDTSC time measurements 23->58 26 cmd.exe 1 23->26         started        28 explorer.exe 1 186 23->28         started        30 explorer.exe 1 134 23->30         started        process13 process14 32 conhost.exe 26->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-02-11 08:42:30 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdmxkofn3ipstyxqrced2zg3a53mf57jzafcu6exqxck7fyoyeuq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0418190aadd19ac9ea51c98d516f178ce5378a5d4354d44a9b49ac814b49325e
Formbook
22099fbafc3dda95912c51aa0c313826f21e2fe84ef51453c649f66ab29c6916
Formbook
7cbd8cc35b03d65491ad01b6a44b84dc047e6663189554201c24dbfbeb81473c
Formbook
820b1216485962fa3501dc8bd02a76bdb821fd7b6ffab858c4ebe135c4246090
Formbook
af7abd08a5752f55f59e38b2bd9568943ada7d2b23ddc3324b735beebd8846ce
Formbook
b7cf8d9d8db4c5eaf796d35251bfc2b24f34c2c77d2ca82a1ebf470323c0894f
Formbook
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
Formbook
fcccde6b56dbe8650273f1d67957a1adc1dd0e783d43d6543da7a44696731292
Formbook
+ 13'231 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader campaign:n6i5 loader persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220211-pclteseccl/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Xloader Payload
Formbook
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
8e559beb07888fd164595f7bd3e0b8a831e5f46ad43299f531d6a9a8bc81b044
MD5 hash:
df3ff08b2e940635f7869caed599ba7a
SHA1 hash:
1650d406a9101e56960bcf7b8bea214f66000d6f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/258eca7d-8f12-4a76-9a3b-0bf46c8eb00c/
Parent samples :
d2cc3484cdabe8305bf9afd35530ca1118ca2c308408dc7140c3a94b392b60bb
88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129
b5f535ca0bd6dcfd4c23ddaa607e30fff1869223f5363ad3bb186e5766e9dc73
00851f75f4b3386811e5cc2fcbf67b918bd27ea7d71fd84314c46531635881f5
ee4524b1dba44c2bb78be91dcc9bbbef2530485c891213961c7d124b3fdac054
edde38ab294e903f8f46db4449190639a877480ec668d55ca7fb9caec54a20ce
05af1ccc6696a83c58e46a5347b40959329af79869e9747399befbe97c85104b
0d9d4d0dab7e4cdeb774f8dd43ba226e01e88dd8072927b288db367d8d22faca
373d39a41fed9b2661abb060a3f6c74d9cb7dd892da0c7742453d84fbc3e924f
SH256 hash:
338c2ed9bf2f4472d49574efbc1eda0121a17d48bb83854bfeaf7a9f53d38136
MD5 hash:
ad4f80e6137a958b72c97dec89edb3ba
SHA1 hash:
0ab56e1fe4286ad2fc7a802a5a950923ba81314b
Link:
https://www.unpac.me/results/258eca7d-8f12-4a76-9a3b-0bf46c8eb00c/
SH256 hash:
88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129
MD5 hash:
5813409d72e5b6ac2ec5caff138e2abd
SHA1 hash:
edaaf0a471315319396afcc4dc14baf5856d7a3d
Link:
https://www.unpac.me/results/258eca7d-8f12-4a76-9a3b-0bf46c8eb00c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/88d97538adda/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 88d97538adda1f29e2f088883d64db0776c2f7e9c80a2a789785c4af970ec129

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/240921/

Comments