MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments 1

SHA256 hash:	c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6
SHA3-384 hash:	d6896e2b95b1a2032a281a84a094a727da2aa7cb2070c72c564a473fc41255aa6a7822f2d42849776557a009da23be9c
SHA1 hash:	5eeda205ace7bb30192333ec9474d4d897752354
MD5 hash:	376f198af24796bf500848fb66bdf471
humanhash:	avocado-purple-music-illinois
File name:	376f198af24796bf500848fb66bdf471
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'199'104 bytes
First seen:	2021-10-19 11:44:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a410078918980fce320f92b4875de320 (4 x Formbook, 2 x RemcosRAT, 2 x NetWire)
ssdeep	12288:0xwB6jcB+VlDdNvGOLPs46HcqC9Q1LEYLtwau2AkupubMkkUshtgQowaI9hj8mey:Gr1bvGObs46nCmLJwVuwkPZwakpKhG
Threatray	10'650 similar samples on MalwareBazaar
TLSH	T1C3458D39B2D14C32D223097D4C67616A9C2DFE51AF18BD0237F1799C9BFA781395228B
File icon (PE):
dhash icon	fedcbb4d750f4c4c (9 x Formbook, 5 x RemcosRAT, 2 x NetWire)
Reporter	zbetcheckin
Tags:	32 exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

162

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/198477/

Detection(s):

Win.Malware.Fhqr-9869314-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Modifying an executable file

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger

Link:

https://www.filescan.io/uploads/616eafc3db358dd15ec43176/reports/d02d1b0c-0971-42b6-a6a7-d63b0f143cc4/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b280efc5-e5d0-44bd-8483-c3c8b477659e

Result

Threat name:

DBatLoader FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/873068

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Drops PE files to the user root directory

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Performs DNS queries to domains with low reputation

Sigma detected: Execution from Suspicious Folder

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2021-10-19 11:45:07 UTC

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yemzfcanv3g2gwky7ukpz45w4xjsu262rsievceo3yg4xmpzdkta._file

Verdict:

malicious

Label(s):

formbook

Formbook

1e5bb5e00fddfcc62c8bfe71b46a4c8c6c22986c7a51931d16b8ddc465170d72

Formbook

2ea667119c0aeda764dcb53a2adf480a26985bfc682949d0fb0c02d266342c68

Formbook

64e3a0f2298f21833eb7a9c51aa0b2b8d3354bdcefb0156bb34371e3163d8b3d

Formbook

87f8905d999f293634fddf1bff47a614041bdfaa2f07ef19fe70e5296a7b086e

Formbook

99cdf3421923232c160c5075af3bf8620df65bd59cf99cc341f17a58e1eeb4f2

Formbook

ae55ee08f18b57a38a47ed9bc161b7833e35c31b014e8579ae904a2d4d7c63e3

Formbook

e6cde5c1b614549613d30761b34c899f4ff69d7e6e3147c21d68bedd64f8fe25

Formbook

f5447c22561c0692e385ef3c0ef0ed84d4ce35042f0839bddd7de9aeaa1f777a

Formbook

+ 10'640 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:xloader campaign:o4um loader persistence rat suricata

Link:

https://tria.ge/reports/211019-nwqq2sgfdm/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Xloader Payload

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.dependablelawnsnow.com/o4um/

Unpacked files

SH256 hash:

2c445b887ee8e82dc1256c5042b465cf9294df5df96c3043f9927f21a9225b16

MD5 hash:

ee4f84d3e9caefcf462f319104860abd

SHA1 hash:

649465bbd208cbdc3e2b474ae35e17aca306d465

Detections:

win_temple_loader_w0

Link:

https://www.unpac.me/results/2d8056f5-c330-40b2-9aea-77eb4fe516ff/

Parent samples :

ca74d0e5b26cf6d8d5e3b04c607f4dacaf6fabc78d369dcb8d3637d6ce72e6bb
1cb6deac4e20e2a13002d118fc863a0757409bab2f45a9390529f1e6ad5217fc
eaeb4a70b5df25c40d3e443b2f4b3adbd193b0ed7ffcaf4c5ca3d5e9955134ef
96e14fedf020cef802a005cf9289d7c8f8a0f2bd516fee5f4096cf36a2f2c1e3
2a9bac8b5d947ef5f72c65bff3fe97d7ffd3602ec49915693987cd9909512187
22dd73a06a3bff8a7866c95b5191aa6a7b57d67d632b2373235e7b2ba4fd46fa
1a261ffbe76d224c7d9f9136723f1cdf35f661d0e5a38f43a7ee2cb31606f359
1e5bb5e00fddfcc62c8bfe71b46a4c8c6c22986c7a51931d16b8ddc465170d72
c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6
42e09f0e4d7ab0448e04d5d31fbc63cfb2df988f848853a5a149ff5454040184
ff27831341c8b2477f8f59094764e8c4341be79c3f678f27cc425aef3b1ab21b
6814190b4099c532caabe663df73d8ee0c7d70b55db3c69c56eefc1dc1d162f5
c14cd408876aab6eecaf7354dade35554e21c7a3a784fda79ae5f6d6349f15ff

SH256 hash:

c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6

MD5 hash:

376f198af24796bf500848fb66bdf471

SHA1 hash:

5eeda205ace7bb30192333ec9474d4d897752354

Link:

https://www.unpac.me/results/2d8056f5-c330-40b2-9aea-77eb4fe516ff/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c11992880dae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c11992880daecda35958fd14fcf3b6e5d32a6bda8c904a888ede0dcbb1f91aa6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time