MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c12e7acec0b72dcba1f25a432f95959c20c586ae278418c44f8aa610326fb34f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c12e7acec0b72dcba1f25a432f95959c20c586ae278418c44f8aa610326fb34f
SHA3-384 hash: df3bc221f9656d3c1e75ae679c532b6cbf1cd4e2761ae20340b503f8ba5f1a591858262522c62da00fc665c9dcb6af04
SHA1 hash: f925def6deda55aed64d198157a0f78bc6ab4506
MD5 hash: c2a9f9afa108921e0ddbe5b4d116ef04
humanhash: skylark-wolfram-potato-spring
File name:c2a9f9afa108921e0ddbe5b4d116ef04
Download: download sample
Signature Formbook
Create hunting rule
File size:390'144 bytes
First seen:2021-07-07 18:48:58 UTC
Last seen:2021-07-07 19:44:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:9HsCk/bhng6tCdZAboD8+4DvEpLNFqpvj9tO+bqwhke/rLvf4EMLNIxCxLk:9MR1gVdUoD8+42LNFqXQlAH/DxCxL
Threatray 6'385 similar samples on MalwareBazaar
TLSH T198842352BA7ECCB2D03639382C40B6548F9ACD115D96E8CA36983F4B78F17993D0583E
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c2a9f9afa108921e0ddbe5b4d116ef04
Verdict:
Malicious activity
Analysis date:
2021-07-07 18:51:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d463f63f-ee11-497d-bd8a-f6702583d10e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170294/
Detection(s):
SecuriteInfo.com.Variant.Bulz.485635.944.22349.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d56cb5cf-c3a9-40d5-8008-8ddd8ece3a64
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813104
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445515 Sample: iwg3LEDNdg Startdate: 07/07/2021 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 10 iwg3LEDNdg.exe 1 7 2->10         started        process3 file4 42 C:\Users\user\AppData\Roaming\...\office.exe, PE32 10->42 dropped 44 C:\Users\user\AppData\...\iwg3LEDNdg.exe, PE32 10->44 dropped 46 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 10->46 dropped 48 2 other malicious files 10->48 dropped 68 Writes to foreign memory regions 10->68 70 Injects a PE file into a foreign processes 10->70 14 iwg3LEDNdg.exe 10->14         started        signatures5 process6 signatures7 80 Multi AV Scanner detection for dropped file 14->80 82 Modifies the context of a thread in another process (thread injection) 14->82 84 Maps a DLL or memory area into another process 14->84 86 3 other signatures 14->86 17 explorer.exe 3 3 14->17 injected process8 process9 19 office.exe 5 17->19         started        23 raserver.exe 17->23         started        25 office.exe 2 17->25         started        27 2 other processes 17->27 file10 38 C:\Users\user\AppData\Local\Temp\office.exe, PE32 19->38 dropped 40 C:\Users\user\...\office.exe:Zone.Identifier, ASCII 19->40 dropped 58 Writes to foreign memory regions 19->58 60 Injects a PE file into a foreign processes 19->60 29 office.exe 19->29         started        62 Modifies the context of a thread in another process (thread injection) 23->62 64 Maps a DLL or memory area into another process 23->64 66 Tries to detect virtualization through RDTSC time measurements 23->66 32 cmd.exe 1 23->32         started        34 office.exe 25->34         started        signatures11 process12 signatures13 72 Multi AV Scanner detection for dropped file 29->72 74 Modifies the context of a thread in another process (thread injection) 29->74 76 Maps a DLL or memory area into another process 29->76 78 Tries to detect virtualization through RDTSC time measurements 29->78 36 conhost.exe 32->36         started        process14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c12e7acec0b72dcba1f25a432f95959c20c586ae278418c44f8aa610326fb34f/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 18:49:05 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yexhvtwaw4w4xipsljbs7fmvtqqmlbvoe6cbrrcprktbamtpwnhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0881127ba3ada84a8259b0e923fb8723a89016ae555bb59c44a9b372bba7daab
Formbook
2450d5f5fa69393262ee4d935acf867ff537ffaaa0a927823b748d5d77dd9fcc
Formbook
45dadb6ef316c7ca2666824bda67f8bd3d9266fc2db706d167f7a3105ed973fd
Formbook
4d81b8f02e5a9eadfdb53142d1ad0c6793d07ca942f5ff5f946e6854fbe74c26
Formbook
4f9d8536fa4475655dd14db7d472399f2b7214ddb16d3483f9a2a673e4fc1543
Formbook
74743d6468cedf3e66f1171ef32981dca4fb211b3fd7be519045fc42b077ced2
Formbook
932d535ab92b682eff0f74322211abd760021a9003d18b953e7226a6ebc38902
Formbook
c59f3d09668674cc602a759071c5972b8f78b2b829afd3fb8d5e6f9ecd820280
Formbook
e242d70710f47daf819f4dec74264d265efd80a1aa12eec27c0ac20715670923
Formbook
fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543
Formbook
+ 6'375 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210707-gjy86s1j42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ashemaletiube.com/qdmn/
Unpacked files
SH256 hash:
66ff93abbc624a7a66d736f3c3f54a0fb3c509b8972816267248086e02db718a
MD5 hash:
77007b7aa2bf76eef801270b4eb4094c
SHA1 hash:
dd799e31babcae5d753e16399690476d041f083a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6b6561e0-1126-4d47-9a85-92a0e728e7cc/
SH256 hash:
a2df55dec6c478834572ef2b9db50fd7fc5533c9e93cedd5b80a804e35fc62ae
MD5 hash:
58635c06e548dd88621d71b1e8d4c9d7
SHA1 hash:
c39ab7da2840179dda86ae1f5b315d0630787d3a
Link:
https://www.unpac.me/results/6b6561e0-1126-4d47-9a85-92a0e728e7cc/
SH256 hash:
b1eaabb3b254b3f0f0c2bd0866a979d6550b1f888cf7cabae9ea569de66c49bb
MD5 hash:
81863167feec9d06eeb8a31796e219ac
SHA1 hash:
49d559d6b515eb7e7697a24ac4b15a2a7d91d7ad
Link:
https://www.unpac.me/results/6b6561e0-1126-4d47-9a85-92a0e728e7cc/
SH256 hash:
c12e7acec0b72dcba1f25a432f95959c20c586ae278418c44f8aa610326fb34f
MD5 hash:
c2a9f9afa108921e0ddbe5b4d116ef04
SHA1 hash:
f925def6deda55aed64d198157a0f78bc6ab4506
Link:
https://www.unpac.me/results/6b6561e0-1126-4d47-9a85-92a0e728e7cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c12e7acec0b72dcba1f25a432f95959c20c586ae278418c44f8aa610326fb34f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c12e7acec0b72dcba1f25a432f95959c20c586ae278418c44f8aa610326fb34f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1434050/
Cape
Cape
https://www.capesandbox.com/analysis/170294/

Comments


Avatar
zbet commented on 2021-07-07 18:48:58 UTC

url : hxxp://lifestyledrinks.hu/wp-includes/cs2/TLR_17841011304.exe