MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1aa2253f99e2f3a49731b245dc62b2497af38392910174f1534608e105936f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1aa2253f99e2f3a49731b245dc62b2497af38392910174f1534608e105936f6
SHA3-384 hash: 554c2b39ea7b4d0912f2037e80d6a04c221695f1142236d4c4ec791bb21cda37977ccba0ea69286a73a63bb8ebf62af2
SHA1 hash: 7833c87c9749b1c5d7c23da0ecee6237b076d2aa
MD5 hash: 46806b374dd368d6ca62cd8fea5a9623
humanhash: item-monkey-hamper-fish
File name:Proforma Invoice 2796_xlsx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:289'398 bytes
First seen:2022-05-11 05:37:26 UTC
Last seen:2022-05-11 06:42:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:TOtIoed9HQ6tFGzk6MKDe4md+pEiVIevBFUT4d+wYJ:TOdgRQ2Gzk6b+0Ff+wY
Threatray 15'469 similar samples on MalwareBazaar
TLSH T18C5412412357D9A7F46C3F321C24363EBE9DFD1ACCA9560B77807995797230CA6D9220
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 015c3eae8ede1c21 (15 x Formbook, 1 x Loki)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269601/
Detection(s):
SecuriteInfo.com.Variant.Jaik.72878.21792.29427.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17082/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe lokibot overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/627b4b9c36c061db6e627e2a/reports/c42af2d9-426f-4b8f-a2a3-fa27ecf0da8a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/125eaf10-90c5-4d49-8d6c-520a49ca8f34
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991615
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 624111 Sample: Proforma Invoice 2796_xlsx.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 32 www.foreignbills4u.com 2->32 34 pltraffic35.com 2->34 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 8 other signatures 2->54 11 Proforma Invoice 2796_xlsx.exe 19 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\qsvqjvk.exe, PE32 11->30 dropped 14 qsvqjvk.exe 11->14         started        process6 signatures7 66 Multi AV Scanner detection for dropped file 14->66 68 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->68 70 Tries to detect virtualization through RDTSC time measurements 14->70 72 Injects a PE file into a foreign processes 14->72 17 qsvqjvk.exe 14->17         started        process8 signatures9 40 Modifies the context of a thread in another process (thread injection) 17->40 42 Maps a DLL or memory area into another process 17->42 44 Sample uses process hollowing technique 17->44 46 Queues an APC in another process (thread injection) 17->46 20 WWAHost.exe 17->20         started        23 explorer.exe 17->23 injected process10 dnsIp11 56 Modifies the context of a thread in another process (thread injection) 20->56 58 Maps a DLL or memory area into another process 20->58 60 Tries to detect virtualization through RDTSC time measurements 20->60 26 cmd.exe 1 20->26         started        36 yeavaneu.xyz 213.238.183.121, 49803, 80 CENUTATR Turkey 23->36 38 www.yeavaneu.xyz 23->38 62 System process connects to network (likely due to code injection or exploit) 23->62 64 Performs DNS queries to domains with low reputation 23->64 signatures12 process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1aa2253f99e2f3a49731b245dc62b2497af38392910174f1534608e105936f6/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 01:48:26 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ygvceu7ztyxtusltdmsf3rrlesl26obzfeibotyvgrqi4eczg33a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
045b2713fa49b215c38ab96d39f3f46b056c46391cec1c4772e3e15b6dd2005a
Formbook
0c66120f301e6e13d6b760c5a63f36aed5fd338626a5abfab3f3750b7302d992
Formbook
1c1307eefcccf13fa510b275d6286cae2b6d6fdd5c656d0fe5d5479c09df3310
Formbook
39992920b2ad02ba761413d61b8c4b7eef23827d26cb50b4236f97c5af7d4d33
Formbook
4a7aa26a59cccaa38181f61e413214368bd2cb3b8aa9c93c8694cc7d37591a3f
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
a88a1ec7699128b0e1f344c880b17b839927b7580e3bf7ece152dff57d719dfe
Formbook
a9915e261e819e5388755f6e20a93b55c096eb7b81b930c7212a77be734a97b2
Formbook
cad40a730db37853650add2b302af798fb0eb43cb266f51f78d927d487ad0f46
Formbook
eb3760a4e141a5124a475ade9acb42a90791e769250aa588d79958a4c2268985
Formbook
+ 15'459 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:r75h rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220511-gbp6fsfgg9/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
1cd22bb1c297d1c08b2562a69333ab544cee40af9210d253da7e02e2b7053a10
MD5 hash:
709df3897ca56d5a3f0ccdfedb5ff682
SHA1 hash:
81b594862fd6fc739439e1b024957a5bb6dac289
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/7e2121f7-d51c-4d27-91f0-54381a873610/
Parent samples :
c1aa2253f99e2f3a49731b245dc62b2497af38392910174f1534608e105936f6
51ab17fdd212d1bae66a6ec70e44b220f02a33a7e0a2785c6e69f421d79d4cdb
SH256 hash:
e4b0e0f6a679d6283167e5a4c4573c8c4ce1abd767b10f2b90227029d6643d49
MD5 hash:
554175b9ec76bfbd8424caa079126f08
SHA1 hash:
f7479724d5d04b27d9159d0c6bd9f89e5b95f636
Link:
https://www.unpac.me/results/7e2121f7-d51c-4d27-91f0-54381a873610/
SH256 hash:
c1aa2253f99e2f3a49731b245dc62b2497af38392910174f1534608e105936f6
MD5 hash:
46806b374dd368d6ca62cd8fea5a9623
SHA1 hash:
7833c87c9749b1c5d7c23da0ecee6237b076d2aa
Link:
https://www.unpac.me/results/7e2121f7-d51c-4d27-91f0-54381a873610/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1aa2253f99e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1aa2253f99e2f3a49731b245dc62b2497af38392910174f1534608e105936f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c1aa2253f99e2f3a49731b245dc62b2497af38392910174f1534608e105936f6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/269601/

Comments