MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e1f1877d8dcc92cd69d189e628129202cee73b9d63f8db4f303b2eb28d97798. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e1f1877d8dcc92cd69d189e628129202cee73b9d63f8db4f303b2eb28d97798
SHA3-384 hash: 6540ff3372cd41458939e985d6c1b7ce44a90015c710fa9e2d1caedcc17c33773c9fca608a961b3b9825ecb728807f7b
SHA1 hash: b167c4febc26c2d802da23cd0a9233592c24458f
MD5 hash: 96e7e28d2c7d1eacf8a8e181d66a3eb1
humanhash: carbon-coffee-table-quiet
File name:GRAFINGER#00124022021#INVOICE#.r11
Download: download sample
Signature Formbook
Create hunting rule
File size:211'231 bytes
First seen:2021-02-24 15:56:37 UTC
Last seen:2021-02-26 03:44:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 3072:Zf1BDZ0kVB67Duw9AMcibG7TE3j7NlF0unTmfEdooWIaA4LJkEOm2Bc8hsvtdnsH:Z9X0GEoTWCutohr1GBBXWt+mp7zyLp
Threatray 3'907 similar samples on MalwareBazaar
TLSH 3024126132A2D4F3C5B688B0093DA668FFFED341059DAB475B582E497E035D38B1F1A2
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GRAFINGER#00124022021#INVOICE#.r11
Verdict:
Malicious activity
Analysis date:
2021-02-24 16:05:27 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/706bb9ae-fb91-457a-a2b3-99d8877c9f37

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616958
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 357481 Sample: GRAFINGER#00124022021#INVOI... Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 38 www.b2youbr.com 2->38 40 b2youbr.com 2->40 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 6 other signatures 2->62 12 GRAFINGER#00124022021#INVOICE#.exe 11 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\Temp\b1ayy.dll, PE32 12->34 dropped 36 C:\Users\user\AppData\Local\Temp\4yiij.exe, PE32 12->36 dropped 15 4yiij.exe 1 12->15         started        process6 signatures7 72 Detected unpacking (changes PE section rights) 15->72 74 Maps a DLL or memory area into another process 15->74 76 Tries to detect virtualization through RDTSC time measurements 15->76 18 4yiij.exe 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 48 Modifies the context of a thread in another process (thread injection) 18->48 50 Maps a DLL or memory area into another process 18->50 52 Sample uses process hollowing technique 18->52 54 Queues an APC in another process (thread injection) 18->54 23 explorer.exe 18->23 injected process10 dnsIp11 42 payperclickreseller.com 34.98.99.30, 49727, 80 GOOGLEUS United States 23->42 44 www.aloe-ingenieros.com 104.165.213.115, 49742, 80 EGIHOSTINGUS United States 23->44 46 13 other IPs or domains 23->46 64 System process connects to network (likely due to code injection or exploit) 23->64 27 msiexec.exe 23->27         started        signatures12 process13 signatures14 66 Modifies the context of a thread in another process (thread injection) 27->66 68 Maps a DLL or memory area into another process 27->68 70 Tries to detect virtualization through RDTSC time measurements 27->70 30 cmd.exe 1 27->30         started        process15 process16 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8e1f1877d8dcc92cd69d189e628129202cee73b9d63f8db4f303b2eb28d97798/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 23:41:36 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ryprq56y3teszvu5dcpgfajjeawo445z2y7y3nhtaozowkgzo6ma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1432f0240c91b7439722df807e35ef9b4cc9b126f3e5d42cedb27b28751118d7
Formbook
149bc7bb666f2eabcf946822bd316709ddeeef787f059687415f98c71ad47783
Formbook
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
6e6fa2f1d1b7e3c37b6c7a18a4bd750e6ca980741c87af931c17d2ed7e469c3e
Formbook
8241caa4d6c5a09290864492d19dee143f0f80074d370135c0f91bad01c16ee3
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
b060cb81afd9113cfbbb1e346c99e503c545da47ed80096c021b7ca41c064c76
Formbook
b1999a87350ef2b15e663c809ac16f2f0832ba3dcd868aefe0d36392af04da29
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
+ 3'897 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210224-hevwfytgzs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.wfe-eu.net/vfm2/
Unpacked files
SH256 hash:
a73f786974a82987a808afe58356d06315ec6201891e61d8af34cf74269754df
MD5 hash:
8a8d5468a906983072d16bdce3f0c46a
SHA1 hash:
db6be71567e5e77f8361d347524af50541c82533
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/23e53e49-38a3-4607-874c-c2ce606371ce/
SH256 hash:
bd82af121192a4ab12b7e24f1e5bfa06ea6d78fe28d275cd710885e2de712a52
MD5 hash:
8b8ee15ca32a0917d66bbe13f44c2fac
SHA1 hash:
bf61cc091af298a9bd1f3fd0ee1f0892b8aa156a
Link:
https://www.unpac.me/results/23e53e49-38a3-4607-874c-c2ce606371ce/
SH256 hash:
77d1c7997018b6cd9435d721894c1151498508da9c55d609eaab2286e33d6b2a
MD5 hash:
cab03fc75c1e726e14cbc65fdfccbed6
SHA1 hash:
5d9917bec294920bfffe185bb30ed65c2291e18b
Link:
https://www.unpac.me/results/23e53e49-38a3-4607-874c-c2ce606371ce/
SH256 hash:
8e1f1877d8dcc92cd69d189e628129202cee73b9d63f8db4f303b2eb28d97798
MD5 hash:
96e7e28d2c7d1eacf8a8e181d66a3eb1
SHA1 hash:
b167c4febc26c2d802da23cd0a9233592c24458f
Link:
https://www.unpac.me/results/23e53e49-38a3-4607-874c-c2ce606371ce/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 90970b4b72414a0b3904827e7516257e7010b442409025dd2b2db7fec3130d85

Formbook

Executable exe 8e1f1877d8dcc92cd69d189e628129202cee73b9d63f8db4f303b2eb28d97798

(this sample)

  
Dropped by
MD5 fcc30ee3a7edd5723fcd6e94a9fb4ad9
  
Dropped by
SHA256 90970b4b72414a0b3904827e7516257e7010b442409025dd2b2db7fec3130d85
  
Delivery method
Distributed via e-mail attachment

Comments