MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 988606c3b43228b851832aae56418b2ab7af38240f18339049da7e40ed9a27c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 988606c3b43228b851832aae56418b2ab7af38240f18339049da7e40ed9a27c1
SHA3-384 hash: 49940f23bb6e788dd41da9a65301a039a0cebcb9f23cdd11dbfed8f3f0f31b3d0e4a9dc8de75d0f1aff548bd2a594f8f
SHA1 hash: 396975f896f37585993027645daf0bc5e95d15e8
MD5 hash: a7be1c90191a04a3080704b59d4d0a2e
humanhash: sodium-timing-pizza-eighteen
File name:a7be1c90191a04a3080704b59d4d0a2e
Download: download sample
Signature Formbook
Create hunting rule
File size:219'296 bytes
First seen:2022-05-10 04:06:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:l1NjcVVnLpPunb7bJ/+u+Q43AI5lcuGnW23dvywpT8bXzZetL6ObRv6lqYF9jx8Z:HNeZm6xlcuOpvy0T8MQWv6lqooHT8k
Threatray 15'416 similar samples on MalwareBazaar
TLSH T1B92412687B71D0B3CA560BB21E3797712AFA973516B0A28F17602E8DBC135D1CA3D712
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
a7be1c90191a04a3080704b59d4d0a2e
Verdict:
Malicious activity
Analysis date:
2022-05-10 04:06:35 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/13d73a60-b4d5-40b1-b1d2-7927cc7989e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16879/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot
Link:
https://www.filescan.io/uploads/6279e4f492de4ecac40ee931/reports/f7fb6828-5eba-43a7-80b9-20dd822cf872/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79a4636e-3d46-48fc-b051-6636a729da37
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990683
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 623179 Sample: pQ5y6C8rBz Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 34 www.frikixpo.com 2->34 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 5 other signatures 2->56 12 pQ5y6C8rBz.exe 18 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\xtdjdpcgld.exe, PE32 12->32 dropped 15 xtdjdpcgld.exe 12->15         started        process6 signatures7 66 Antivirus detection for dropped file 15->66 68 Multi AV Scanner detection for dropped file 15->68 70 Tries to detect virtualization through RDTSC time measurements 15->70 18 xtdjdpcgld.exe 15->18         started        process8 signatures9 42 Modifies the context of a thread in another process (thread injection) 18->42 44 Maps a DLL or memory area into another process 18->44 46 Sample uses process hollowing technique 18->46 48 Queues an APC in another process (thread injection) 18->48 21 explorer.exe 18->21 injected process10 dnsIp11 36 fundefarm.com 68.65.122.51, 49808, 80 NAMECHEAP-NETUS United States 21->36 38 www.4cc3ss.com 35.208.117.72, 49826, 80 GOOGLE-2US United States 21->38 40 www.fundefarm.com 21->40 58 System process connects to network (likely due to code injection or exploit) 21->58 25 cscript.exe 21->25         started        signatures12 process13 signatures14 60 Modifies the context of a thread in another process (thread injection) 25->60 62 Maps a DLL or memory area into another process 25->62 64 Tries to detect virtualization through RDTSC time measurements 25->64 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/988606c3b43228b851832aae56418b2ab7af38240f18339049da7e40ed9a27c1/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 16:44:50 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcdanq5ugiulqumdfkxfmqmlfk326obeb4mdhecj3j7eb3m2e7aq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2537720d5a68fae9bd2bd01925102deb25af75b86fbdc295f166efc97e636cfe
Formbook
2a48c2b3780f6b0f3fd3f3f05f54066f465870e6f534237a5d283ee079882828
Formbook
308d882a5267dc2b1e74498c052ad6f0ba7e29544f8872600586b9d2dfe798f9
Formbook
466c633e1e137b92c883a26a147275a6d90d538e6f87b28c70089d7d30e8ac3a
Formbook
6ed4597153654e9526d066d62bbf7cc0e7d7e0660049f9e3b826475d3fa71abe
Formbook
a88a1ec7699128b0e1f344c880b17b839927b7580e3bf7ece152dff57d719dfe
Formbook
bd9d5262381f0047565bc4bab49a846673c66872a627658541101feb386cec77
Formbook
c6ccab15f09cd96dc361af96d7c1b3469d83aaede794309536131081ea6ab245
Formbook
+ 15'406 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:b26k rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220510-epmldahfhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
2704893c08d1834288514c90954532e777eb51be256a3a1c0db70a329bc3da60
MD5 hash:
f131b1f9a0a5b85c4b4b1e8716755a34
SHA1 hash:
879a886f74bcc801ee6a3c45dfa7c3abd8db283a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5cc377d6-0584-4f91-b75d-e10406a8bacf/
Parent samples :
cfb5c7e930e81acd950ecdf05d148c637acd3242ec9c5a35fe8b9af8e1abc623
bd9d5262381f0047565bc4bab49a846673c66872a627658541101feb386cec77
988606c3b43228b851832aae56418b2ab7af38240f18339049da7e40ed9a27c1
SH256 hash:
cb23cc1c057eb3dc9ece455faab4eced9536ab1b4dbb7062e3b5f77c54a61e1b
MD5 hash:
b5aec9b13e6730c64e1faf1d21f5f28f
SHA1 hash:
654a64e6d2fe0eba1f0e92a9115d4c5599b5c3da
Link:
https://www.unpac.me/results/5cc377d6-0584-4f91-b75d-e10406a8bacf/
SH256 hash:
b4341fbe834fb18082c70564bc7bcb8efe420aa882b2ee248588b61266716a5e
MD5 hash:
5967d191cef9f684863dfb4fcf17555b
SHA1 hash:
4637665f88d4c1cccc8eb607b9c250289426f6b6
Link:
https://www.unpac.me/results/5cc377d6-0584-4f91-b75d-e10406a8bacf/
SH256 hash:
988606c3b43228b851832aae56418b2ab7af38240f18339049da7e40ed9a27c1
MD5 hash:
a7be1c90191a04a3080704b59d4d0a2e
SHA1 hash:
396975f896f37585993027645daf0bc5e95d15e8
Link:
https://www.unpac.me/results/5cc377d6-0584-4f91-b75d-e10406a8bacf/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/988606c3b432/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/988606c3b43228b851832aae56418b2ab7af38240f18339049da7e40ed9a27c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 988606c3b43228b851832aae56418b2ab7af38240f18339049da7e40ed9a27c1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2187850/

Comments


Avatar
zbet commented on 2022-05-10 04:06:28 UTC

url : hxxp://103.149.12.43/windows_cloud/.winlogon.exe