MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b14cfba125a0fd02139064d326e1b32bddff5d1ae0e50fff24bc4f9a2f9e1732. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b14cfba125a0fd02139064d326e1b32bddff5d1ae0e50fff24bc4f9a2f9e1732
SHA3-384 hash: 7752042a42dfaa7b5a37c798d583f3a1435f2ee0ed595df6281ab25e4d2ef7858fc561ab031ba4967e387e5c963b027b
SHA1 hash: 3722ac074a1918af871d94a51e5adf5056d187ba
MD5 hash: b33c4b734a9eaca62c2dc4e89747179e
humanhash: texas-johnny-mockingbird-tango
File name:X09876543234567890987654.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:541'928 bytes
First seen:2022-03-14 07:16:39 UTC
Last seen:2022-03-14 09:05:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:1jspjnuOU5wKmZ4qu7zDN1b8vZOEDO0SDP:epjnC7mZ4t1QDiP
Threatray 14'127 similar samples on MalwareBazaar
TLSH T175B48BF0B73B54ADD1D3C5F6A4249AE355E069F51F2040322EABB6D992F528A8CD13F0
File icon (PE):PE icon
dhash icon 10c484b69ed4e461 (1 x Formbook)
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/249959/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.26835.4533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/622eebf30cd58dbd9294881d/reports/97faaa14-e210-47e3-ad9e-9c851416f917/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d721982e-7ac0-4cb0-9a21-67cac8450ecc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955832
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 588313 Sample: X09876543234567890987654.exe Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 3 other signatures 2->50 11 X09876543234567890987654.exe 18 2->11         started        process3 file4 32 C:\Users\user\AppData\...\nxpzxqgtlv.exe, PE32 11->32 dropped 14 nxpzxqgtlv.exe 11->14         started        process5 signatures6 58 Multi AV Scanner detection for dropped file 14->58 60 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->60 62 Tries to detect virtualization through RDTSC time measurements 14->62 64 Injects a PE file into a foreign processes 14->64 17 nxpzxqgtlv.exe 14->17         started        process7 signatures8 36 Modifies the context of a thread in another process (thread injection) 17->36 38 Maps a DLL or memory area into another process 17->38 40 Sample uses process hollowing technique 17->40 42 Queues an APC in another process (thread injection) 17->42 20 explorer.exe 17->20 injected process9 process10 22 chkdsk.exe 20->22         started        signatures11 52 Modifies the context of a thread in another process (thread injection) 22->52 54 Maps a DLL or memory area into another process 22->54 56 Tries to detect virtualization through RDTSC time measurements 22->56 25 explorer.exe 3 179 22->25         started        28 cmd.exe 1 22->28         started        process12 dnsIp13 34 192.168.2.1 unknown unknown 25->34 30 conhost.exe 28->30         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b14cfba125a0fd02139064d326e1b32bddff5d1ae0e50fff24bc4f9a2f9e1732/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 02:56:52 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wfgpxijfud6qee4qmtjsnyntfpo76xi24dsq77zexrhzul46c4za._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
190845482673ae60d3df5d77f593e736e1e91a3bc5870e0d8057ac70c73e02ea
Formbook
204831bda7d04f0905f7bf0c39e45b3772935726d8a436ee9703a19098b37e21
Formbook
224f624a53eb1c209d1fc9161cb9d91464768960765e64855ccf547d0c64c478
Formbook
2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Formbook
487abe718971e8c9415793ffe0c162a4843aeeb5d4667981bb0be983f7710f4e
Formbook
4c6c6d26b853d44fc189e67eaa4f65e440d6ee75ac8a5bde95ccc73b0b611c2a
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
a608c335a71c2d4e38ce67af529bf6e9bdc84555cdce0269eae7d5539fa33549
Formbook
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
Formbook
+ 14'117 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:pot0 loader rat
Link:
https://tria.ge/reports/220314-h4c72adgc9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
Unpacked files
SH256 hash:
b14cfba125a0fd02139064d326e1b32bddff5d1ae0e50fff24bc4f9a2f9e1732
MD5 hash:
b33c4b734a9eaca62c2dc4e89747179e
SHA1 hash:
3722ac074a1918af871d94a51e5adf5056d187ba
Link:
https://www.unpac.me/results/6bca7c06-1cfb-4d8e-9e2c-44ddbab6b559/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b14cfba125a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/b14cfba125a0fd02139064d326e1b32bddff5d1ae0e50fff24bc4f9a2f9e1732

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip be712d13c9298e5c7d627501bd7e16c9518d20e5b152dbc73e255ff4945534da

Formbook

Executable exe b14cfba125a0fd02139064d326e1b32bddff5d1ae0e50fff24bc4f9a2f9e1732

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 be712d13c9298e5c7d627501bd7e16c9518d20e5b152dbc73e255ff4945534da
Cape
Cape
https://www.capesandbox.com/analysis/249959/

Comments