MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1d264d13d50718c1f418aa1f867a36dc3d3dca377517cc5a1a4c676f4bd6a81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1d264d13d50718c1f418aa1f867a36dc3d3dca377517cc5a1a4c676f4bd6a81
SHA3-384 hash: eebc0b2c56a14292b2fc22ab7a066fd07e59c4c1f642706c08b1feb7d366252f51d0e7fd7616adabbff5ab15723a45c3
SHA1 hash: 8838c9b064de49abd25108ac0980834a25c07f01
MD5 hash: a55da69dfb865c222fc859499359ea80
humanhash: early-ceiling-virginia-blossom
File name:a55da69dfb865c222fc859499359ea80
Download: download sample
Signature Formbook
Create hunting rule
File size:806'400 bytes
First seen:2022-09-21 05:07:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:LrfeyxR5kJWqzpVBQ9a7gWSEdZdXXoTDT7rDoM:3eyxMlzpV5gWSgZdXYTrY
Threatray 14'484 similar samples on MalwareBazaar
TLSH T10F05CF141369C90BC8AAA934D8D2F3711DAC5DD5936FC24B4DDC3C7BF63A39868913A2
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a55da69dfb865c222fc859499359ea80
Verdict:
Malicious activity
Analysis date:
2022-09-21 05:09:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/deacc272-92f9-4808-bb9c-84d9208f259c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311900/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632a9c3b865ed83c011b4072/reports/114f57a0-771c-4978-9761-04b5f69674aa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7d33402-82c3-4e0e-bdb0-31fee44985ee
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074273
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 706815 Sample: ImsaFyOq7z.exe Startdate: 21/09/2022 Architecture: WINDOWS Score: 100 39 www.nidwate.info 2->39 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Sigma detected: Scheduled temp file as task from temp location 2->51 53 8 other signatures 2->53 9 ImsaFyOq7z.exe 7 2->9         started        signatures3 process4 file5 31 C:\Users\user\AppData\Roaming\brwPfz.exe, PE32 9->31 dropped 33 C:\Users\user\...\brwPfz.exe:Zone.Identifier, ASCII 9->33 dropped 35 C:\Users\user\AppData\Local\...\tmp3B6D.tmp, XML 9->35 dropped 37 C:\Users\user\AppData\...\ImsaFyOq7z.exe.log, ASCII 9->37 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 9->59 61 Adds a directory exclusion to Windows Defender 9->61 63 Injects a PE file into a foreign processes 9->63 13 ImsaFyOq7z.exe 9->13         started        16 powershell.exe 21 9->16         started        18 schtasks.exe 1 9->18         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 13->73 75 Maps a DLL or memory area into another process 13->75 77 Sample uses process hollowing technique 13->77 79 Queues an APC in another process (thread injection) 13->79 20 explorer.exe 13->20 injected 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        process9 dnsIp10 41 atm.promo 51.161.122.78, 49731, 80 OVHFR Canada 20->41 43 www.teamkrohdental.com 164.155.155.199, 49736, 49737, 49738 IKGUL-26484US South Africa 20->43 45 www.atm.promo 20->45 55 System process connects to network (likely due to code injection or exploit) 20->55 57 Uses netsh to modify the Windows network and firewall settings 20->57 28 netsh.exe 13 20->28         started        signatures11 process12 signatures13 65 Tries to steal Mail credentials (via file / registry access) 28->65 67 Tries to harvest and steal browser information (history, passwords, etc) 28->67 69 Modifies the context of a thread in another process (thread injection) 28->69 71 Maps a DLL or memory area into another process 28->71
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1d264d13d50718c1f418aa1f867a36dc3d3dca377517cc5a1a4c676f4bd6a81/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-09-19 05:28:49 UTC
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhjgjuj5kbyyyh2brkq7qz5dnxb5hxfdo5ixzrnbutdhn5f5nkaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3ca280d2c5ee9398048047d72c785b1927a7a09c1d4a637737b1d3902587f948
Formbook
401893d409c8453d7b0a4b7cd4ed000e61b32aa48a9e25a14f1d854fe0d86b7e
Formbook
4bbb39fcbea555b2ff359c3422f1058dcebd8e4cf0ae68d3b05f2198d57db9a8
Formbook
78d04244289fe215008b2c7d8937813b740228e5b60092287346e66e29c8182d
Formbook
96cf18e2a423b74f89f810553f9b4ba3859bd2f71172facfc8911c6cf6221881
Formbook
9e42f2ef4b7751e719a0496c372104cd3929a6a8a0e9b8d273ad0175d86cfd67
Formbook
b1248c9a9d2892a23cd6927ccfad438e360f5977e47c38d424522e7d67d10816
Formbook
f85bf1ff072c013d0f427e613aed83108fb8efa061897eda3a84c5c15b1722e9
Formbook
+ 14'474 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:tbgn rat spyware stealer trojan
Link:
https://tria.ge/reports/220921-fsj54afbf8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fec9ac39-9ebf-410c-a0e8-71ce79bc1bad
Unpacked files
SH256 hash:
12172b596c2a8c317b9bbedd356fa99c7c7c34f7ab17f39dcef5ba1331b15824
MD5 hash:
24240f5d6fad1252c777974b975e163e
SHA1 hash:
8b5c5ead03b45da7f58cbe72b1fc3822e679b575
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/43fbe54b-2377-4e12-9698-2eb329e3302c/
Parent samples :
b6ce7090b0f8781ce164d6c29d43211ed3eaa9047c20e54d7f09bdb94b13c533
c1d264d13d50718c1f418aa1f867a36dc3d3dca377517cc5a1a4c676f4bd6a81
5b0bae068b7cfad0ecf1ff6dace393fffb20143b981c68effec661c0117cba5f
764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de
SH256 hash:
7bda8f63216b5ffbe397a65aef4312ab54123d8c1444ac88607d81dbbc3ae14d
MD5 hash:
9233072438fcd6e91981d271dbafeb16
SHA1 hash:
e86bfad291968f50f861787d7fde860646578e3c
Link:
https://www.unpac.me/results/43fbe54b-2377-4e12-9698-2eb329e3302c/
SH256 hash:
003f71cd31d7b861fd73cee7d347111aaf47c439c4085c9d46cc3ff56ff67692
MD5 hash:
e13c0904acbf4ace700a232ca6f78b1f
SHA1 hash:
aa890f8559b789f7a5eefe16a9ce31b8a88c0c02
Link:
https://www.unpac.me/results/43fbe54b-2377-4e12-9698-2eb329e3302c/
SH256 hash:
70dfa4c873605ab0fcdcb62be2a970da110535280d8dc88261edbe1ed2865307
MD5 hash:
d5b0f8aff064b3e828421b48efccd312
SHA1 hash:
724f4bc7ab4e08c45562748b739c8f7496a5ad8f
Link:
https://www.unpac.me/results/43fbe54b-2377-4e12-9698-2eb329e3302c/
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/43fbe54b-2377-4e12-9698-2eb329e3302c/
SH256 hash:
8fdb464dff3b18e753063c7fb739b3db36a6db23bdcb079deda16d29c978dffa
MD5 hash:
9f11b270b13e6c50be98e9d224751dbd
SHA1 hash:
06dea7a1e1ad87a4f80011bb340c55d23fbfd758
Link:
https://www.unpac.me/results/43fbe54b-2377-4e12-9698-2eb329e3302c/
SH256 hash:
c1d264d13d50718c1f418aa1f867a36dc3d3dca377517cc5a1a4c676f4bd6a81
MD5 hash:
a55da69dfb865c222fc859499359ea80
SHA1 hash:
8838c9b064de49abd25108ac0980834a25c07f01
Link:
https://www.unpac.me/results/43fbe54b-2377-4e12-9698-2eb329e3302c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c1d264d13d50718c1f418aa1f867a36dc3d3dca377517cc5a1a4c676f4bd6a81

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c1d264d13d50718c1f418aa1f867a36dc3d3dca377517cc5a1a4c676f4bd6a81

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2260819/
Cape
Cape
https://www.capesandbox.com/analysis/311900/

Comments


Avatar
zbet commented on 2022-09-21 05:07:11 UTC

url : hxxp://208.67.105.179/ikmerozx.exe