MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6ca9c2cfe348caed404d0718fc0d6cb89ff38c5851663077fc69e64944424cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	b6ca9c2cfe348caed404d0718fc0d6cb89ff38c5851663077fc69e64944424cf
SHA3-384 hash:	3da83d1d4d80cf43b55cf82ad6f88d9a9c3902afc9c9b2dc6790add9e958af4ec2f6010348a9341220f7d67bf4257394
SHA1 hash:	1488bf6d253a64691d66346ddce7befe7d54421c
MD5 hash:	8e2e7299f1997f478e59622e87a1e9a8
humanhash:	ceiling-cat-london-leopard
File name:	Purchase Order.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'003'520 bytes
First seen:	2021-11-08 04:29:59 UTC
Last seen:	2021-11-08 07:13:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	24576:KoNfB+2kKM7pwSw+Z7h5BhvnYjp5wylGP:KoNfI2kKwl
TLSH	T1F0255B05AAD44D18C77E0370593AD17CDA525E7B663CC21CBECE3AAB3B7BA508113627
File icon (PE):
dhash icon	d4d4dad6d6dcc4e4 (34 x AgentTesla, 8 x Formbook, 7 x SnakeKeylogger)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/203134/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.18852.22557.6169.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6188a7ce2084b424af0f045e/reports/07428e9f-c053-481f-947c-ecffaef05331/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a1bd1c1-ee0d-44a5-a927-dd744e581ec1

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/884964

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/b6ca9c2cfe348caed404d0718fc0d6cb89ff38c5851663077fc69e64944424cf/

Threat name:

ByteCode-MSIL.Trojan.Swotter

Status:

Malicious

First seen:

2021-11-08 03:48:30 UTC

AV detection:

11 of 40 (27.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w3fjylh6gsgk5vae2byy7qgwzoe76ogfqulggb37y2pgjfceethq._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:r4gk rat spyware stealer trojan

Link:

https://tria.ge/reports/211108-e4tm8sbcd6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.aprilsaak.quest/r4gk/

Unpacked files

SH256 hash:

c61f6a0fd94660d9cc012788f67e089482e2b9743b00fa2c19dca96abfe833f6

MD5 hash:

8bb6b6d0be4eba9ea6eac2d16dc37860

SHA1 hash:

34e95e9a52e8252c6ef2d2d174834673afc3d0f7

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/931b7995-59b5-4eaa-aa27-4212bb2e53ff/

Parent samples :

e827c29f504045d8e6d8a2eb622a571f83e1bf9afaa8f1b839af76f457b45135
fc9165f2702032e355b392fe6ada38cfd6e1eceafb5453de7991369addd266a6
fcb7e25d33700d8f04ab05d2fc0cba77dc5ccf6a32b93abc3511dcfb608dbc9e
7ba579db4b2485e75dbeff653199f592e4067706225975038ad011b73562c3fb
1910bc92f591b3feb607aac1518fe2cc6c834b627b76637cb27464006e072a22
6e8be6a1ec2b4c1ec33860b33f09b0e239db6d5453a5713a2aa31e822a8b50b2
9611957db07f36a13d7e43f5c32c08c0e3c44c689e7d88c832490e3d259cfb48
93570be59d8c3f3608ffe0b137503c6555e6f40514af2c22989fe61a2394ecd5
b6ca9c2cfe348caed404d0718fc0d6cb89ff38c5851663077fc69e64944424cf
faf70cbc3094ec594a823dd4516fa6cc662e908b36bdec13c61a7b10c85072fa
ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d

SH256 hash:

91655863c7906a8d20c7c782144f553c027843a72f2fdab2b1ccc80808083af0

MD5 hash:

b5044dd0e9c91b1a9185d491da7d07f2

SHA1 hash:

a9ff8129771d85f77b6a145f750c70e53f51125e

Link:

https://www.unpac.me/results/931b7995-59b5-4eaa-aa27-4212bb2e53ff/

SH256 hash:

907baf1d88cde6b701cefde5c229af7985370ce157da126372843eefb2768032

MD5 hash:

333cde3357ed13cdd1b45a17351703d2

SHA1 hash:

1012f040e615988645552e5bafa834bf211c19e5

Link:

https://www.unpac.me/results/931b7995-59b5-4eaa-aa27-4212bb2e53ff/

SH256 hash:

b6ca9c2cfe348caed404d0718fc0d6cb89ff38c5851663077fc69e64944424cf

MD5 hash:

8e2e7299f1997f478e59622e87a1e9a8

SHA1 hash:

1488bf6d253a64691d66346ddce7befe7d54421c

Link:

https://www.unpac.me/results/931b7995-59b5-4eaa-aa27-4212bb2e53ff/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/b6ca9c2cfe34/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.95

Link:

https://yomi.yoroi.company/submissions/b6ca9c2cfe348caed404d0718fc0d6cb89ff38c5851663077fc69e64944424cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe b6ca9c2cfe348caed404d0718fc0d6cb89ff38c5851663077fc69e64944424cf

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/203134/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample