MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d8be917722d690ef358f41bb560c72285a73331b4cc1b975cc76dcaef68b912. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d8be917722d690ef358f41bb560c72285a73331b4cc1b975cc76dcaef68b912
SHA3-384 hash: 27b80dfdb5fe09d7031d587d333502d7d40bbf6bdf1587fb611422c120f80b10af8b680c8d36eb968cc2586993985ee8
SHA1 hash: cb3be0eac5d0dc5fa65c8053642d9c93fe305e31
MD5 hash: 5595049f8983e6731ea2e87a96444375
humanhash: saturn-lactose-steak-bacon
File name:COURT-ORDER#S12GF803_zip.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:424'960 bytes
First seen:2021-09-24 18:31:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:WNGEBzZVVNm8kjjPcZx0jvNS7gNCfo8ng:YdBm8knP+M38ng
Threatray 9'623 similar samples on MalwareBazaar
TLSH T16F94E081A6DCDB4FE3586A3859156D118263D3ED22A2EE4AED5840B13DEA34CF710FD3
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
COURT-ORDER#S12GF803_zip.exe
Verdict:
Malicious activity
Analysis date:
2021-09-24 18:41:38 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/403cf733-cb23-406a-a55f-9b2fd5f3ef30

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191248/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.3163.7788.28749.UNOFFICIAL
Create hunting rule

Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4d575b3-93ca-4a78-aadd-63865a4c3890
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857584
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 490027 Sample: COURT-ORDER#S12GF803_zip.exe Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 31 www.thehappy-company.com 2->31 33 thehappy-company.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 9 other signatures 2->47 11 COURT-ORDER#S12GF803_zip.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\...\COURT-ORDER#S12GF803_zip.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 COURT-ORDER#S12GF803_zip.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.4tnoxrox.com 136.0.128.150, 49845, 80 EGIHOSTINGUS United States 18->35 37 www.gq111.net 209.99.40.222, 49839, 80 CONFLUENCE-NETWORK-INCVG United States 18->37 39 8 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 wscript.exe 18->22         started        signatures11 process12 signatures13 51 Self deletion via cmd delete 22->51 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8d8be917722d690ef358f41bb560c72285a73331b4cc1b975cc76dcaef68b912/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 09:10:18 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwf6sf3sfvuq542y6qn3kyghekc2omzrwtgbxf24y5w4v33ixeja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18f4cf60cabec371c21e141ab1e15754654351ba4bfd85ae717f5c760f3c102a
Formbook
7e99dc28bcc8be32fb1477bc6b67da52d67195e1e9ebc9612118a9e180675af7
Formbook
8d77ac5e45a0f443b317f1a717dffd55e98319508cc05080ea006b5fcc93c78a
Formbook
9723d45f7d2f12bde692d804c9a7bebd2bb1f9142f7f3efadff7c4a87bc33841
Formbook
a352710790883442f580f87d70387649d03b7d1d6472d995ca4bdf96d88bbf50
Formbook
ab4795f656b54e9388c89d6a4df52747510fa418bdb50aa3bafd7b332ef1ff81
Formbook
bf676c0c2a4db1ca2df33c677b9fa836fb7bbd13d5021fcdf5bfeb2167674661
Formbook
d337cba627486e1f99e4a96407591609d888c6656a4010b88047e7cd1ab19482
Formbook
de3c81ef7e59a386f6572d4c095739d45493d90b03c348748200012ec165372f
Formbook
f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546
Formbook
+ 9'613 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:u86g loader rat suricata
Link:
https://tria.ge/reports/210924-w6mfdahefn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.springgrowmeanairway.net/u86g/
Unpacked files
SH256 hash:
ead285841040f5a0511c1f03b88eebf3c1dd5be28985f8d32980740ead9e61f8
MD5 hash:
4ade146c479c72a09f68afa7f6a166c8
SHA1 hash:
1f38363f7e071805c5c787b55ed4d9637e835180
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c77afbd0-bcae-47f8-8e0f-d8c26f2a1a85/
Parent samples :
f8165688719f90b1ba956beb5f04d5aaa4afe8772fd38469f5a29efde6124546
9723d45f7d2f12bde692d804c9a7bebd2bb1f9142f7f3efadff7c4a87bc33841
8d8be917722d690ef358f41bb560c72285a73331b4cc1b975cc76dcaef68b912
SH256 hash:
8ee777d2a2af14e6934b02a89f1194928d353d7402ff93c756fe9235b79bb3a9
MD5 hash:
f921c5be5df3f9abfdbf50b19e820728
SHA1 hash:
b2cca7873504081edfc090ac35fa6872fa2e4afa
Link:
https://www.unpac.me/results/c77afbd0-bcae-47f8-8e0f-d8c26f2a1a85/
SH256 hash:
2241e105f4d9d02f898d8395a712a1c61bcae5d5cf5e52dc37cccd9a4cbe7bb1
MD5 hash:
36fa916ea33da29b017dc9b363834024
SHA1 hash:
a75acb3c65f0a012f58a4c00b4d0c9eb7bf38da6
Link:
https://www.unpac.me/results/c77afbd0-bcae-47f8-8e0f-d8c26f2a1a85/
SH256 hash:
485c96b14d3959cadee7d4528300e9d209fc6ca41c0cc2717eafb61c53828071
MD5 hash:
373623b6857f6dfe2c019f964ba14dff
SHA1 hash:
37e97b2168e48eace72f66b69309da820426fda1
Link:
https://www.unpac.me/results/c77afbd0-bcae-47f8-8e0f-d8c26f2a1a85/
SH256 hash:
8d8be917722d690ef358f41bb560c72285a73331b4cc1b975cc76dcaef68b912
MD5 hash:
5595049f8983e6731ea2e87a96444375
SHA1 hash:
cb3be0eac5d0dc5fa65c8053642d9c93fe305e31
Link:
https://www.unpac.me/results/c77afbd0-bcae-47f8-8e0f-d8c26f2a1a85/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8d8be917722d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/8d8be917722d690ef358f41bb560c72285a73331b4cc1b975cc76dcaef68b912

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/191248/

Comments