MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bccb5a69386e34c4c94dfe0932180377c333d0d1f0a65b52eb64a0cdc1974556. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bccb5a69386e34c4c94dfe0932180377c333d0d1f0a65b52eb64a0cdc1974556
SHA3-384 hash: 9140a178e1212b80801f768aecedc3e08313bdb183984557907d89c404139b56ef154c12a922c848171726d23a363a11
SHA1 hash: 5af74789c9fda2dd117a26ad59664e14d7bc64aa
MD5 hash: 6de2089faacef5b512c7abb442388e3c
humanhash: twelve-crazy-pennsylvania-oregon
File name:6de2089f_by_Libranalysis
Download: download sample
Signature FormBook
Create hunting rule
File size:1'466'880 bytes
First seen:2021-05-03 09:02:23 UTC
Last seen:2021-05-03 10:17:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 53e9e25e58e11d99b1582ba4ecff0938 (2 x FormBook)
ssdeep 12288:LkdgQPba0eHTCWqiw/20u2GXFK9dmB+BmTkOW4dHKVtUIhU/OyVJ:L05ZeHeWfw/i2GVmjgZhMCeUDV
Threatray 4'997 similar samples on MalwareBazaar
TLSH F0653862F2908832E01F19314D1AF6B99916BDF13DECE5867AF4BE0D393550C391AE93
Reporter Libranalysis
Tags:FormBook


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148349/
Detection(s):
Porcupine.Win32.Injector.EPEA.100367.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/707490
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402664 Sample: 6de2089f_by_Libranalysis Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 5 other signatures 2->40 10 6de2089f_by_Libranalysis.exe 17 2->10         started        process3 dnsIp4 32 cdn.discordapp.com 162.159.133.233, 443, 49731, 49732 CLOUDFLARENETUS United States 10->32 50 Writes to foreign memory regions 10->50 52 Allocates memory in foreign processes 10->52 54 Creates a thread in another existing process (thread injection) 10->54 56 Injects a PE file into a foreign processes 10->56 14 mobsync.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 2 other signatures 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.ultimatewindowusa.com 17->28 30 www.books4arab.net 17->30 42 System process connects to network (likely due to code injection or exploit) 17->42 21 help.exe 17->21         started        signatures10 process11 signatures12 44 Modifies the context of a thread in another process (thread injection) 21->44 46 Maps a DLL or memory area into another process 21->46 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bccb5a69386e34c4c94dfe0932180377c333d0d1f0a65b52eb64a0cdc1974556/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 19:40:26 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtfvu2jyny2mjskn7yetegado7bthugr6ctfwuxlmsqm3qmxivla._file
Verdict:
malicious
Similar samples:
259275b0c056a9fec50378b2d268c48447e8ebe8827e8e55aae4484aba8b1939
FormBook
3138df7f2444687a7fcb0dbc704d37bb7d3225fdc49bf6a2944e3fa495c58261
FormBook
5281533c78892f2b571668ef9c770ce9c04ee249397040db9b5975ed47601474
FormBook
61ae615d6ba5629463cec961aa950f737fea8ccc413a677058eb8dccfcdb2561
FormBook
6bdfa08ec463fdd211f5d3cc03ba2b0f592b73efb702f74e1505b37d2af5e947
FormBook
9381faa9dcbde308f4ce87d5dfc36b6a5e8e2a263057ecb2d8f8840061ac2a58
FormBook
b38c11ce5d7c368dd1b51d1b5d8df3e09abff40390f68a1f81dacccfe3f01725
FormBook
c76a77d2c81deab2fda96cc7cfcd42ca3886522b254ab6fa7448c7db8692e00a
FormBook
c771c0417fcf76bac5cb23d5213338c6c8f8b381f6744a7619feb36edec1dacb
FormBook
d8ae48ff83b31d072c1a9d988660e2a0be125aa9373a4adb1dd807d0fea4ebe5
FormBook
+ 4'987 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210503-xbyatw4gde/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.info/n7ak/
Unpacked files
SH256 hash:
31ffb1d8050b158b4c432cbb831f9da9b918443b7ed3ecca7e3d7a18a531e3f9
MD5 hash:
406f0b9cc6dacbdd1b715c557b941343
SHA1 hash:
77387463c87215e20a8592430665820cbb146660
Link:
https://www.unpac.me/results/f031016d-e192-4533-92d2-7fa2106a6b72/
SH256 hash:
bccb5a69386e34c4c94dfe0932180377c333d0d1f0a65b52eb64a0cdc1974556
MD5 hash:
6de2089faacef5b512c7abb442388e3c
SHA1 hash:
5af74789c9fda2dd117a26ad59664e14d7bc64aa
Link:
https://www.unpac.me/results/f031016d-e192-4533-92d2-7fa2106a6b72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bccb5a69386e34c4c94dfe0932180377c333d0d1f0a65b52eb64a0cdc1974556

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148349/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 10:10:34 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
6) [C0026.002] Data Micro-objective::XOR::Encode Data
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [E1510] Impact::Clipboard Modification
11) [C0007] Memory Micro-objective::Allocate Memory
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
14) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
15) [C0038] Process Micro-objective::Create Thread
16) [C0041] Process Micro-objective::Set Thread Local Storage Value
17) [C0018] Process Micro-objective::Terminate Process