MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cfc6d15c9f94fbd02270634f89d713e26e943cf55bf088471771144ce471633. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cfc6d15c9f94fbd02270634f89d713e26e943cf55bf088471771144ce471633
SHA3-384 hash: 344cd4d8c3eab8e5cc9fb6f2d14183cbd37b76712ee6b1466d49293e130359be54356ac1407047bb33ca4254f5e04155
SHA1 hash: 2c0d3263e5e456ac37c90fd6edae76b7870dbf4b
MD5 hash: 2cc1ff34d99ea5238d84eef2fd57d6ed
humanhash: ten-eleven-charlie-zulu
File name:2cc1ff34d99ea5238d84eef2fd57d6ed.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'054'435 bytes
First seen:2020-10-13 14:55:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:JAOcZyp40mGggqmmALrw+BvRJRJl5FRb0Yxg539FQZMaBQi2j5m:jFpgClPw6vRJXl7Rbdxw96ZMA2m
Threatray 2'681 similar samples on MalwareBazaar
TLSH B2251202B7D68872D0321E325A367711AD7D79201E28CA5FF3E44E7DEA311D1A725BB2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70530/
Detection(s):
Win.Dropper.NetWire-9102409-0
Create hunting rule

Win.Malware.Vasal-9406011-0
Create hunting rule

Win.Dropper.Vasal-9635263-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Sending a UDP request
Creating a process from a recently created file
Creating a file
Launching a process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489943
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297441 Sample: WAWlk7hvIp.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 4 other signatures 2->49 10 WAWlk7hvIp.exe 36 2->10         started        process3 file4 39 C:\Users\user\AppData\Roaming\...\ovfbdx.pif, PE32 10->39 dropped 61 Drops PE files with a suspicious file extension 10->61 14 ovfbdx.pif 3 10->14         started        signatures5 process6 file7 41 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 14->41 dropped 69 Multi AV Scanner detection for dropped file 14->69 71 Writes to foreign memory regions 14->71 73 Allocates memory in foreign processes 14->73 75 Injects a PE file into a foreign processes 14->75 18 RegSvcs.exe 14->18         started        21 RegSvcs.exe 14->21         started        23 mshta.exe 14->23         started        25 6 other processes 14->25 signatures8 process9 signatures10 51 Modifies the context of a thread in another process (thread injection) 18->51 53 Maps a DLL or memory area into another process 18->53 55 Sample uses process hollowing technique 18->55 57 2 other signatures 18->57 27 svchost.exe 18->27         started        30 explorer.exe 21->30 injected process11 signatures12 63 Modifies the context of a thread in another process (thread injection) 27->63 65 Maps a DLL or memory area into another process 27->65 67 Tries to detect virtualization through RDTSC time measurements 27->67 32 cmd.exe 27->32         started        34 colorcpl.exe 30->34         started        process13 signatures14 37 conhost.exe 32->37         started        59 Tries to detect virtualization through RDTSC time measurements 34->59 process15
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9cfc6d15c9f94fbd02270634f89d713e26e943cf55bf088471771144ce471633/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 14:56:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tt6g2foj7fh32arhay2prhlrhytosq6pkw7qrbdro4iujtshcyzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1095767d566c69cb1b2b6c80eef101d62dc9736e3ef294b43fc23f3d0378ea60
Formbook
5c5e4e31bde29168e03fa8cce36bab9b577568137edab59f68f8968616546ed9
Formbook
7fce676b063449eecd1236727598513639a7fd166d6e2f86dce138b97636d572
Formbook
90bb157f9c5241f567eb56be38e3ba9f51a0ec5a8da3c77fdb1bed1f2095c39b
Formbook
9987d8c52079b322db5a969a6c8aca4858262e6bf895d644d2f8c87bee0ec649
Formbook
9cd4df25010125f2ef3eeef44503b3c2b58435af758fe7213d053a60f018f3d8
Formbook
a30dd99039152a76aacb5607d79b400098d9cd24350c0121fe4f7811177c0dbc
Formbook
a943fc4408c2f59f2df0afabf3836e5adae92a8f4a4b1da0270e313d8ea78445
Formbook
ab62f6c3ea852d99ce529f9c61012ab324bb007f79cc6cba9c8f6c1aaba4c561
Formbook
d6c73d397215d259bfb6168e9c0a6c29bb8e684509877e0ec62aba0c817a25fa
Formbook
+ 2'671 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201013-atsycpky6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.amazon-i3.com/nyk/
Unpacked files
SH256 hash:
9cfc6d15c9f94fbd02270634f89d713e26e943cf55bf088471771144ce471633
MD5 hash:
2cc1ff34d99ea5238d84eef2fd57d6ed
SHA1 hash:
2c0d3263e5e456ac37c90fd6edae76b7870dbf4b
Link:
https://www.unpac.me/results/dd80c60f-2849-49c6-83a2-7fe05f1ed117/
SH256 hash:
1a1e00163312155bf5c0d8a8b6a37822d8a6e292d480483ab2d4f8d09fa15e5a
MD5 hash:
834d7cba321e2fda05f81c69500da547
SHA1 hash:
8ca7421a3085e87d0ba50ff8e59197ad103a74c6
Link:
https://www.unpac.me/results/dd80c60f-2849-49c6-83a2-7fe05f1ed117/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cfc6d15c9f94fbd02270634f89d713e26e943cf55bf088471771144ce471633

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 9cfc6d15c9f94fbd02270634f89d713e26e943cf55bf088471771144ce471633

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/70530/
  
URLhaus
https://urlhaus.abuse.ch/url/685119/
  
Delivery method
Distributed via web download

Comments