MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2156cff89f8a8d7c21326afe3f22b6a152bdf92f1a04475da3488236d12698e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2156cff89f8a8d7c21326afe3f22b6a152bdf92f1a04475da3488236d12698e
SHA3-384 hash: 3c4aec5bce9696b46b9bb3d97d22da77ba807991bbb634e82006feab1324437272ee05268493952d70f87939aea43f2b
SHA1 hash: 90d968a8140873cb2b590d778a7cbe82a66d3be6
MD5 hash: 2bd55038af86bdd38dc082d41562ce78
humanhash: florida-arizona-beer-texas
File name:20211009876263543_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'047'552 bytes
First seen:2021-09-10 15:15:27 UTC
Last seen:2021-09-11 09:30:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:l21iioup5d1PEohV3rntDXuQ0pEtF0hqoaTapo2nk4DbF53e0IUFLF:lfETFBTu54w5
Threatray 12'551 similar samples on MalwareBazaar
TLSH T1B7255B183685EF1DD03F9E76C9E059F19627BD22EE07D3CB20823F497A3A6868D40567
dhash icon 0f519373d9cc750b (107 x AgentTesla, 20 x AveMariaRAT, 5 x Formbook)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20211009876263543_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-10 15:15:50 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/32f5097c-26cf-46ef-b302-36b0b8278657

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186930/
Detection(s):
Sanesecurity.Rogue.0hr.20210910-1804.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection to a recently created process
Launching a process
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac0cbcc5-15ba-4c6e-9117-4a03bea3cde3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848887
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481317 Sample: 20211009876263543_pdf.exe Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 9 other signatures 2->52 10 20211009876263543_pdf.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\Roaming\iihera.exe, PE32 10->32 dropped 34 C:\Users\user\...\iihera.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmpE17E.tmp, XML 10->36 dropped 38 C:\Users\...\20211009876263543_pdf.exe.log, ASCII 10->38 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 10->62 64 Tries to detect virtualization through RDTSC time measurements 10->64 66 Injects a PE file into a foreign processes 10->66 14 20211009876263543_pdf.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 68 Modifies the context of a thread in another process (thread injection) 14->68 70 Maps a DLL or memory area into another process 14->70 72 Sample uses process hollowing technique 14->72 74 Queues an APC in another process (thread injection) 14->74 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 thecasualflipper.com 142.4.198.208, 49782, 80 OVHFR Canada 19->40 42 www.impelyourdreams.com 217.160.0.116, 49777, 80 ONEANDONE-ASBrauerstrasse48DE Germany 19->42 44 6 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 msiexec.exe 19->25         started        signatures10 process11 signatures12 56 Self deletion via cmd delete 25->56 58 Modifies the context of a thread in another process (thread injection) 25->58 60 Maps a DLL or memory area into another process 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c2156cff89f8a8d7c21326afe3f22b6a152bdf92f1a04475da3488236d12698e/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 15:15:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yikwz74j7cunpqqte2x6h4rlniksxx4s6gqei5o2gsecg3isngha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
013ae675443decd1083ec918ee62b59dfc8b3e17e41f96f4be21c3260a2f372b
Formbook
24b95d63fe3c224c1ce3c814675da3c06469c805bb6158520f1a9014e63a4af2
Formbook
2ce70c12c5b8806fc6b3e507c5ed406599045b20688b456db124b1b685da60d0
Formbook
383996c33dfd88054e6600a885efa9fe7215f81c35eed57dc09fd9321b1ea634
Formbook
70e7c5966ac86d48e0519f9b2b34703d2915b603836f4de0be2a2badddd258e7
Formbook
8b520ce0de0ae8276e9c19053cae465454c94c963834166cfe5b2eb43f6050e4
Formbook
b4426970af41450092a479c0f387845540d168f2b3b3f42a1998f83b01997cee
Formbook
b61e941f98080f431ec35c165703e2d18957fcc2b386286eeaa7a274ded8e0b3
Formbook
c85eab78147f680f396925b005564604d84bcff97fec4bfb27e13071e791d985
Formbook
cac5a5a1cd604a792b9231fb65fe38110c631873cfa834bf4f43b9418d1ec17f
Formbook
+ 12'541 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:zrmt loader rat
Link:
https://tria.ge/reports/210910-snfnbsace8/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.desertgardenrealty.com/zrmt/
Unpacked files
SH256 hash:
2c02a78626378ea6e89e6102945d74a1d6766dcf5f25886fdd3d551d0f2e7b88
MD5 hash:
fa59ff8ce8ace5ed9463d3e90a7bcb65
SHA1 hash:
e5eb300c150b4a14be1ca8c5daf8f74c17ec952a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ad93f824-576b-4ee6-bfed-b4765c743f47/
Parent samples :
895ac6ed45076477649b8b8fd01976b9753ae33cfa350b7dbdf27a6f1bb154a7
c2156cff89f8a8d7c21326afe3f22b6a152bdf92f1a04475da3488236d12698e
eb71f32d26de060a63615acc43153a83f87570e0edb43bc4e7b47caf45c34eee
ea9994b2d9543049c1bbd710592146c621673693508f6674190613625e68d9f2
684c1789d8d0a6fa2c5b2e0e3d408007f972533b853f4cd7420689c61209bbcc
SH256 hash:
ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587
MD5 hash:
43ababb6b0a02907aad43084f12b10d9
SHA1 hash:
b60ba705891d5a666d64300181b475a46714ffa8
Link:
https://www.unpac.me/results/ad93f824-576b-4ee6-bfed-b4765c743f47/
SH256 hash:
f787b5f68c6f22e338e44c0610a37b96282886393e91c9286d95b98d06183132
MD5 hash:
6be987e5d9ba1bbc90b0e101c637b0fd
SHA1 hash:
994479dd741ee9abeec79e1c3948efc8912eada0
Link:
https://www.unpac.me/results/ad93f824-576b-4ee6-bfed-b4765c743f47/
SH256 hash:
c2156cff89f8a8d7c21326afe3f22b6a152bdf92f1a04475da3488236d12698e
MD5 hash:
2bd55038af86bdd38dc082d41562ce78
SHA1 hash:
90d968a8140873cb2b590d778a7cbe82a66d3be6
Link:
https://www.unpac.me/results/ad93f824-576b-4ee6-bfed-b4765c743f47/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c2156cff89f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c2156cff89f8a8d7c21326afe3f22b6a152bdf92f1a04475da3488236d12698e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/186930/

Comments