MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049
SHA3-384 hash: 15c4efb9de0376eaede44f77619792ecb34fb2b309302a687eb2bb7b600a3721246b71ce0c61aae4d3a76ab12e2473ee
SHA1 hash: 206548a47e53d5f50bb5bd08a0101f79b96c70c3
MD5 hash: ad53fb0296bc9beba3c63015f90f2821
humanhash: sad-three-lemon-glucose
File name:new order inquiry.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:543'232 bytes
First seen:2020-08-17 05:41:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:CS1QbvgWK5WpLZsmYqP8TocVhb3zDuNBpppppppppppppppppppppp:fQbvxaWATlFhbnu
Threatray 2'257 similar samples on MalwareBazaar
TLSH 9BC44B3675828C25C82753B070389ED276257F543FD88A2FA3DEA3C86F22657772611E
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46602/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/432476
Signature
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 268512 Sample: new order inquiry.exe Startdate: 17/08/2020 Architecture: WINDOWS Score: 96 32 www.horsemetalwallart.com 2->32 34 horsemetalwallart.com 2->34 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected FormBook 2->40 42 Initial sample is a PE file and has a suspicious name 2->42 44 2 other signatures 2->44 11 new order inquiry.exe 6 2->11         started        signatures3 process4 file5 28 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 11->28 dropped 30 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 11->30 dropped 52 Writes to foreign memory regions 11->52 54 Allocates memory in foreign processes 11->54 56 Injects a PE file into a foreign processes 11->56 15 AddInProcess32.exe 11->15         started        signatures6 process7 signatures8 58 Modifies the context of a thread in another process (thread injection) 15->58 60 Maps a DLL or memory area into another process 15->60 62 Sample uses process hollowing technique 15->62 64 2 other signatures 15->64 18 explorer.exe 15->18 injected process9 dnsIp10 36 www.sry9nfw6d.biz 18->36 21 mstsc.exe 18->21         started        process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 05:43:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=whehxobmi3rizs2rrbdv33y4eszshhyfba3scy6noxjkxrxk6beq._file
Verdict:
malicious
Similar samples:
0e7ba6c8acc0e3de5a31e050eb287daba683c992e12c4715730ef3ccf3bbf575
Formbook
14fbe673ff6885803dc45ef4966a7632d47fe9c930572b505691876c082f8322
Formbook
4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984
Formbook
8067539c7f15318bf8e93b32e339c7236e3b242e8d56637f2c64f6d01c83b3c9
Formbook
9295ce88660ed117b7cfff0886232a51dc6492bf6100738957bf93fabdb74bb8
Formbook
b3289e282e7c031fde98778bac0057bad5d933c85da0b43d95f177c6333fc3c2
Formbook
bf860192609c621a3b073d826266676c8d942db2a9c6e375a9e386c500b55c7f
Formbook
c62ef08103c30d5d2d18fbc2eff820985af40aa377828ef72c3ecad495103511
Formbook
d77b158058cb4a8ba8817a630e3d664e01f5f4f7cf1069d25e256b987eca1a6f
Formbook
e548234adb2b484793484466ef99084bb77854de66782af91e38420a198b4f83
Formbook
+ 2'247 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
agilenet rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200817-c66f7wsjs6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.yofdyk.com/gbr/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip c7c5bb7ed94c3ff1b5b017d33606d070d22ce92054e6236a45bf49dbf54c74ba

Formbook

Executable exe b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c7c5bb7ed94c3ff1b5b017d33606d070d22ce92054e6236a45bf49dbf54c74ba
Cape
Cape
https://www.capesandbox.com/analysis/46602/

Comments