MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc68c87b8f872599ae16f2c19ad5371dab04344c9bbdcab5dd2d18eb9558b14f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc68c87b8f872599ae16f2c19ad5371dab04344c9bbdcab5dd2d18eb9558b14f
SHA3-384 hash: 7e3bfe528d1e00bd8904d5f4b8fc84f11dd2fda67c91689567c6a16b68b3bebfed5db6c68e1781c5b9d2d390c86bde05
SHA1 hash: af7d65de2fc3eb7aad2982addfb806fa5a335be1
MD5 hash: 5b49d4d8a1a4966d32e050269408c1fd
humanhash: stairway-video-missouri-december
File name:SecuriteInfo.com.Win32.MalwareX-gen.23163.28978
Download: download sample
Signature Formbook
Create hunting rule
File size:968'704 bytes
First seen:2024-02-01 09:35:08 UTC
Last seen:2024-02-05 08:33:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:oMyUOGdQrDKVk+WGdwBN8bFZOF6GVpurier:GDWXEculzobr
Threatray 712 similar samples on MalwareBazaar
TLSH T13825CEC52AB44F11E93EABF440650110D3B5795B791FEB4D8EC0A0FA1EB6B414E87B2B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
283
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/474000/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.23163.28978.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
packed
Link:
https://www.filescan.io/uploads/65bb660a40cbb80fe04a9f02/reports/bc760aed-ac97-48b3-b092-46703302b267/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bc68c87b8f872599ae16f2c19ad5371dab04344c9bbdcab5dd2d18eb9558b14f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/844ad692-d93f-4af1-8978-5a4642febbb8
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1384695
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1384695 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 01/02/2024 Architecture: WINDOWS Score: 100 33 www.xianggangsaimahui.xyz 2->33 35 xr.lengmodejsin.com 2->35 37 11 other IPs or domains 2->37 39 Snort IDS alert for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 47 10 other signatures 2->47 11 SecuriteInfo.com.Win32.MalwareX-gen.23163.28978.exe 3 2->11         started        signatures3 45 Performs DNS queries to domains with low reputation 33->45 process4 signatures5 55 Writes to foreign memory regions 11->55 57 Allocates memory in foreign processes 11->57 59 Injects a PE file into a foreign processes 11->59 14 RegSvcs.exe 11->14         started        process6 signatures7 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Sample uses process hollowing technique 14->65 67 2 other signatures 14->67 17 explorer.exe 52 1 14->17 injected process8 dnsIp9 27 www.xcgeek.com 154.201.80.204, 49746, 80 PEGTECHINCUS Seychelles 17->27 29 www.moving-companiesnearme02.life 64.190.62.22, 49743, 80 NBS11696US United States 17->29 31 7 other IPs or domains 17->31 20 WWAHost.exe 17->20         started        process10 signatures11 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bc68c87b8f872599ae16f2c19ad5371dab04344c9bbdcab5dd2d18eb9558b14f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc68c87b8f872599ae16f2c19ad5371dab04344c9bbdcab5dd2d18eb9558b14f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-02-01 11:55:40 UTC
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xrumq64pq4sztlqw6lazvvjxdwvqincmto64vno5fumoxfkywfhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5
Formbook
10883d2d817a21862f9068a7fbaae0d363e16e64d291a291925ba002e761eff6
Formbook
1706343fa1e062d467f9b599776e7db4507a58d605122ccfaed8faa4f5278c1c
Formbook
3c5af02b843a0fd2df2f8558917ab584aa45de1ee6ab13612d589fd8c653bbf9
Formbook
4a5e90afb12bf96e61a233f2824975d529c72b5ade2261f59ac8f5a0e1e242ec
Formbook
5134138e30037482cf3fee2a5c98ffb05cb45acf6e6012757f18a2f1c92a6a03
Formbook
9d0c10331d40a7cbeda5f8e93f7314ff0930b7e0338bcd113de8392c0e09091d
Formbook
a2286a582beaa0c437973103664cb12eb3a5ceb2061b8ca74ed9a4e6807f0c66
Formbook
cf1280dea0bfb86e585e302b4dc4fd51cb1f12847b4685cd377f1a6c8f63765b
Formbook
+ 702 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cz30 rat spyware stealer trojan
Link:
https://tria.ge/reports/240201-lkxn4sbegl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
5a4e73f22c2fe0c0d443bb0bf0452ed6765981605dadcda49ec56a349b45d36a
MD5 hash:
148099dc34801ce17332f475ebd0611b
SHA1 hash:
38b8240a1ae7963797830333904a9a1f7dfb6cb7
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/2130b8a2-9e74-4d26-b4fc-0cac802fd0b7/
SH256 hash:
a91462e9c8e5d78d4047a80eb89a38c6e76e5d4cf6ac8ff7142e19bb7ecfbb82
MD5 hash:
b3200a8295f2098fa0078754ab6728ce
SHA1 hash:
b84d3cbebfd2eb9822664ca47fe56e6ee95e0ddc
Link:
https://www.unpac.me/results/2130b8a2-9e74-4d26-b4fc-0cac802fd0b7/
SH256 hash:
c3f7a9a1f22057747d62ac0436211ed72fd7c1656294e300a5f09c929de0d2a5
MD5 hash:
29a61619de04761d8fb86bb3815557db
SHA1 hash:
695994a8743250926a0f65ccf9eb342fedd8783b
Link:
https://www.unpac.me/results/2130b8a2-9e74-4d26-b4fc-0cac802fd0b7/
SH256 hash:
82cbe8f27bf8daf812d0d1c1f7bcd6cea77e7975dbbbbae75819c758c77b8d75
MD5 hash:
531e974d2b494018d9276f50a4df7ff5
SHA1 hash:
6542257e7e535ffdbf99e049bf1c09da1dfed9d5
Link:
https://www.unpac.me/results/2130b8a2-9e74-4d26-b4fc-0cac802fd0b7/
SH256 hash:
518c5755b6d44a4e6dc2dfe808c2aeec2f7d4a7a076802b4cb2f5f79b4730181
MD5 hash:
9465383c0c2e2826017f5aa38e929225
SHA1 hash:
27ef0d9cb467db93040705d8e64789ee7c027610
Link:
https://www.unpac.me/results/2130b8a2-9e74-4d26-b4fc-0cac802fd0b7/
SH256 hash:
bc68c87b8f872599ae16f2c19ad5371dab04344c9bbdcab5dd2d18eb9558b14f
MD5 hash:
5b49d4d8a1a4966d32e050269408c1fd
SHA1 hash:
af7d65de2fc3eb7aad2982addfb806fa5a335be1
Link:
https://www.unpac.me/results/2130b8a2-9e74-4d26-b4fc-0cac802fd0b7/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bc68c87b8f87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc68c87b8f872599ae16f2c19ad5371dab04344c9bbdcab5dd2d18eb9558b14f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.
Rule name:win_formbook_w0
Create hunting rule
Author:@malgamy12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474000/

Comments