MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1ac4c50a78b858365062dc71a9fe5f3a3bdf39b4d8902b1f8311f2c2a86064b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12



SHA256 hash: c1ac4c50a78b858365062dc71a9fe5f3a3bdf39b4d8902b1f8311f2c2a86064b
SHA3-384 hash: 5db7daf32c1013f34825bc0392be335a84909be17cd40dbe9b372c99a703311614e4d4d096f992e68c14b9a882508d1a
SHA1 hash: 26e09b1f04394ff24d59c353c0d46b54afd8d363
MD5 hash: a5964d858bf1688f2de5746ec08dabf5
humanhash: hawaii-bravo-alabama-bulldog
File name: PURCHASE ORDER 72121.exe
Signature: Formbook
File size: 676'864 bytes
First seen: 2021-07-23 02:08:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:JPKyvUIZbViCZFibSwS0c33HGO/ozaHREDws0/nFk9ba1afuf:pRvDBiCqbSwwnv6eAws0/nF8a12o
Threatray: 6'735 similar samples on MalwareBazaar
TLSH: T130E4F179732BA348ED348BF52C65E1A22BBB712A261DC63C1E88D07CBD7277C1AD0551
Reporter: GovCERT_CH
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 134
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph: ID 452908, sample PURCHASE ORDER 72121.exe, start date 23/07/2021, architecture WINDOWS, score 100. The rendered graph is not reproduced here. Its process chain is PURCHASE ORDER 72121.exe -> three child PURCHASE ORDER 72121.exe processes -> explorer.exe (injected) -> wscript.exe -> cmd.exe -> conhost.exe, with C:\Users\...\PURCHASE ORDER 72121.exe.log dropped and the network connections made from the injected explorer.exe.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-21 00:58:25 UTC
AV detection: 29 of 46 (63.04%)
Threat level: 5/5
Result
Malware family: xloader
Score: 10/10
Tags: family:xloader loader rat suricata
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction: http://www.appackersandmoversbengaluru.com/p4se/
Unpacked files
SHA256 hash: 3f8fac7caf9dbcd783afb1db979be1bd2beabd94621d5798fc565758bfdb0fda | MD5 hash: 7d2d031a26f022f904418ef6f07e4742 | SHA1 hash: ba8e3f20066b44ca46d1a78eadda6b6f7ba60723
SHA256 hash: 66e7a1f0c14cff1d201e738e08e73daca146ce0e60f8bcacf1af4b23089580ff | MD5 hash: 75f152d3fc7d5e8ee689ba8c1f19c8d9 | SHA1 hash: 58abbfa17a81cdbd67f3318744f5c9513d42ae41
SHA256 hash: 83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1 | MD5 hash: b1a7b752b6638ee03cffe5a1dde9213e | SHA1 hash: 52d215a173d2f293990f8c12fc7f4a86330a29cb
SHA256 hash: c1ac4c50a78b858365062dc71a9fe5f3a3bdf39b4d8902b1f8311f2c2a86064b | MD5 hash: a5964d858bf1688f2de5746ec08dabf5 | SHA1 hash: 26e09b1f04394ff24d59c353c0d46b54afd8d363
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: Formbook
File: Executable exe c1ac4c50a78b858365062dc71a9fe5f3a3bdf39b4d8902b1f8311f2c2a86064b (this sample)
Delivery method: Distributed via e-mail attachment
