MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c16dcddd7b9501bce324b49c9906488bb7a5467789381766801dfd7ce2d13a1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c16dcddd7b9501bce324b49c9906488bb7a5467789381766801dfd7ce2d13a1a
SHA3-384 hash: 5929062639d05114828bc9f8111fdb5e72ffa59dc51aab5359b31b2d772595fb45440a7c0715a2963233df141f0c2848
SHA1 hash: 845b6e0ba3c7d0e08953cd1b92c5525ce2f6f46e
MD5 hash: a6d64ec4bde4dd02543e7b751fc32384
humanhash: violet-princess-twenty-avocado
File name:a6d64ec4bde4dd02543e7b751fc32384.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:284'719 bytes
First seen:2022-05-12 07:40:11 UTC
Last seen:2022-05-12 08:57:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:LOtIOhyqCWRY3xCs5vaxu78YYsacYToLpFMy3SOhLFNAq:LOLhyqoB/a0WcYT+pSqRFNAq
Threatray 15'666 similar samples on MalwareBazaar
TLSH T16354121123A4D967D6A242711C726723CEFDC72104A1DA1B1768AF6FFD7B1C0962E393
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269970/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17284/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/627cba1d804c0977d3e5000f/reports/b3242a06-f6d2-4424-9ecf-aa98963db638/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6f5bd264-c857-404c-ba4f-fff538efe49a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992468
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 624977 Sample: 4Dsk8TtPZB.exe Startdate: 12/05/2022 Architecture: WINDOWS Score: 100 34 www.artcopyright.digital 2->34 36 artcopyright.digital 2->36 38 www.touchezixun.com 2->38 54 Snort IDS alert for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 5 other signatures 2->60 12 4Dsk8TtPZB.exe 19 2->12         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\Temp\ijtpp.exe, PE32 12->32 dropped 15 ijtpp.exe 12->15         started        process6 signatures7 72 Multi AV Scanner detection for dropped file 15->72 74 Tries to detect virtualization through RDTSC time measurements 15->74 18 ijtpp.exe 15->18         started        process8 signatures9 46 Modifies the context of a thread in another process (thread injection) 18->46 48 Maps a DLL or memory area into another process 18->48 50 Sample uses process hollowing technique 18->50 52 Queues an APC in another process (thread injection) 18->52 21 explorer.exe 18->21 injected process10 dnsIp11 40 www.changemaker2021.com 188.114.96.10, 49797, 49799, 80 CLOUDFLARENETUS European Union 21->40 42 www.voteforjeffeversole.com 21->42 44 5 other IPs or domains 21->44 62 System process connects to network (likely due to code injection or exploit) 21->62 64 Performs DNS queries to domains with low reputation 21->64 25 wscript.exe 21->25         started        signatures12 process13 signatures14 66 Modifies the context of a thread in another process (thread injection) 25->66 68 Maps a DLL or memory area into another process 25->68 70 Tries to detect virtualization through RDTSC time measurements 25->70 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c16dcddd7b9501bce324b49c9906488bb7a5467789381766801dfd7ce2d13a1a/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 07:41:06 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfw43xl3sua3zyzewsojsbsiro32krtxre4bozuadx6xzywrhina._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
181b33c4cba7fc9aad25283ed5fce1f171f8fb64af1591bfe5c38285a7091956
Formbook
19a007d4980b99ea32ee2d9feb1c7479ee4c7b165b159fd4fbd33622b661009d
Formbook
37708373f6b4deb76e61c7a9c65200bba9f9d7ca7ebcd82d09242dd9231fa072
Formbook
44efc16357b00b2bd0300a07290a4000bbbce558771f5efbaa74909dcf8eb34f
Formbook
6a3848cae066ae561f1d72908524838d32ad7c95bc18eb155d44211b2fac44fd
Formbook
c07e69fb84b50e32be6d2ea9af4f052fdbf2efa4ea6fa1e21921a0642fbf802d
Formbook
cb211078773205b00dfbb29da746dde5cd2a3c25f8e141da84fa8d07379ed778
Formbook
e473eec04a43a280723367337e0ff1083ed5f7dea858173dff9ff4c6c8a89029
Formbook
e649ef1ecf0e0daefe140fa78271435271c8d55607f8365ddef4d94b66bfdfdd
Formbook
f12b517eabc8adbbbed4d0117f70bd42e00e59b3a02c8dab3d4ab95d6e1ada0c
Formbook
+ 15'656 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:b86g loader rat suricata
Link:
https://tria.ge/reports/220512-jh4njadhfq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
c16dcddd7b9501bce324b49c9906488bb7a5467789381766801dfd7ce2d13a1a
MD5 hash:
a6d64ec4bde4dd02543e7b751fc32384
SHA1 hash:
845b6e0ba3c7d0e08953cd1b92c5525ce2f6f46e
Link:
https://www.unpac.me/results/fb8f4e04-7175-4732-b71b-1f172c217f13/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c16dcddd7b95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c16dcddd7b9501bce324b49c9906488bb7a5467789381766801dfd7ce2d13a1a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c16dcddd7b9501bce324b49c9906488bb7a5467789381766801dfd7ce2d13a1a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2188261/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/269970/

Comments