MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3e1964ef80251e5ba5be42de7ac10b4bd271ce9f9715ccd08a826b248083b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3e1964ef80251e5ba5be42de7ac10b4bd271ce9f9715ccd08a826b248083b15
SHA3-384 hash: d710f6f4bd8292b6b94eba33a55c03880e6df13fdbdf5b4e28c81e57d12f194e74959c1ace6d2726a6df0faceef442e4
SHA1 hash: 4a9d7fae5bf9d9b46da8ccb8e43532222931b955
MD5 hash: 724a19cdcca7335a2d374a04bbfa8783
humanhash: purple-sink-lamp-harry
File name:DEBIT NOTE_INA101970.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:780'800 bytes
First seen:2020-12-31 08:54:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:flBRXpkBLeZJiNHzPZo0ru7N5em3Xr8VVRq9MtESy9+g+s7uhfH/Yy3SD:flB5p9iNuqW533XrQL2cy7uhP
Threatray 3'290 similar samples on MalwareBazaar
TLSH 66F4DF6253481B6DF07D93359021050493F6EA1BD366DBBE7DDDA0DE0866B81CBB2A33
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DEBIT NOTE_INA101970.exe
Verdict:
Malicious activity
Analysis date:
2020-12-31 16:19:19 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7ef612bd-4217-4732-8d8a-9aab04387969

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.31727.17116.5011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572548
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 335337 Sample: DEBIT NOTE_INA101970.exe Startdate: 31/12/2020 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 10 other signatures 2->52 10 DEBIT NOTE_INA101970.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\...\RjRkshJZlDOLj.exe, PE32 10->32 dropped 34 C:\...\RjRkshJZlDOLj.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp9F43.tmp, XML 10->36 dropped 38 C:\Users\...\DEBIT NOTE_INA101970.exe.log, ASCII 10->38 dropped 62 Injects a PE file into a foreign processes 10->62 14 DEBIT NOTE_INA101970.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 www.o-tanemaki.com 118.27.99.91, 49765, 80 INTERQGMOInternetIncJP Japan 19->40 42 bestgiftforu.com 34.102.136.180, 49768, 49770, 80 GOOGLEUS United States 19->42 44 5 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 help.exe 19->25         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c3e1964ef80251e5ba5be42de7ac10b4bd271ce9f9715ccd08a826b248083b15/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-12-30 10:32:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
16 of 29 (55.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ypqzmtxyaji6los34qw6plaqws6sohhj7fyvztiivatlesaihmkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12f5c2c7448af208dca0fe6abcab98f5434b0a4bd19e78c27e2beee7e2fc9ec2
Formbook
24ab4616829b8c7bce068426184e9ff9ac006208ab47160890cb92a08f0bc885
Formbook
34cb445ac6f9c3dc60d465baa8ffbbca5abaf84fce4ff7075628e6cd1d41c559
Formbook
4934cd8a958e79e028578ec31e39538eadfa931f300c7b223511f04e050df18c
Formbook
65932f74489c422256f85b6603b1fd198b96af164d5453c11f40ee9aea5d9e2f
Formbook
7c3b63765f896c6e5faf093f002fa0f854994a1ea028a9abf53e7fdc8a3f18a4
Formbook
9335b040e7823155fcde32d1cfd5268db42e2f9c191e2144269800adb2a820d8
Formbook
cd3afb904bdbe5aa145aca40398017b76ef22f9fa85556c728f38744d57a3352
Formbook
ea8ea37e535102a446a8c2f88ef6a3c9277e996a32144449cde729bda80e16f2
Formbook
ef29187e2964b2254485750fc8f781ad288688167527c2a975072ae6e77dcef0
Formbook
+ 3'280 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201231-vzgm5p7l62/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ameeraglow.com/6bu2/
Unpacked files
SH256 hash:
e50b28171b70e7aa6689f9b59a445b9492936567f7987b64c1b4356a1fa8e109
MD5 hash:
fe8596427946d8683333aa3c3a2f0b18
SHA1 hash:
ce11c7800946e25f6781d0140c591a1483e69b45
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/28ebbd62-e5d8-425a-ad03-db4efdbd0368/
Parent samples :
cd3afb904bdbe5aa145aca40398017b76ef22f9fa85556c728f38744d57a3352
7c3b63765f896c6e5faf093f002fa0f854994a1ea028a9abf53e7fdc8a3f18a4
c3e1964ef80251e5ba5be42de7ac10b4bd271ce9f9715ccd08a826b248083b15
1be30259b1ef0db4c2f47994e89b30a3a4f78f29070b1c4dedb8101646d2b5ce
0ba0cfe605b7b1f5b3d528da4345630f504581be60dd5b73b232118a6aa37c43
a0de9d8eca22f1c44f3c295c94b09813543e1bba1def47bd1f0f37eea87c9b28
fae57c2f185899220dff608004ab571822fc14cc02aa7e30b1cd5db7be4beea8
SH256 hash:
5d0a9b3ad6f618e534f38ea52586a3df98e346f2353508108161bef1be1efb93
MD5 hash:
3eb7428575573a4a6ead3bcb187138f9
SHA1 hash:
f02085d887c437a85d445c57cad3f051a01b6c4a
Link:
https://www.unpac.me/results/28ebbd62-e5d8-425a-ad03-db4efdbd0368/
SH256 hash:
5a010415d7f614ce12d9a4f34f94c0ee9e09e620b5256a736920fdc8c66c9225
MD5 hash:
191a4cff66b72e3141a4b58dc881b6e7
SHA1 hash:
7982fed71ede1c9d9270145ea63ca19565dbadd3
Link:
https://www.unpac.me/results/28ebbd62-e5d8-425a-ad03-db4efdbd0368/
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/28ebbd62-e5d8-425a-ad03-db4efdbd0368/
SH256 hash:
c3e1964ef80251e5ba5be42de7ac10b4bd271ce9f9715ccd08a826b248083b15
MD5 hash:
724a19cdcca7335a2d374a04bbfa8783
SHA1 hash:
4a9d7fae5bf9d9b46da8ccb8e43532222931b955
Link:
https://www.unpac.me/results/28ebbd62-e5d8-425a-ad03-db4efdbd0368/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3e1964ef80251e5ba5be42de7ac10b4bd271ce9f9715ccd08a826b248083b15

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip a5bc4cb5b6e9fb3faac1ba6e45d987757ab2bbb0266710f1302c0de9382f2162

Formbook

Executable exe c3e1964ef80251e5ba5be42de7ac10b4bd271ce9f9715ccd08a826b248083b15

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a5bc4cb5b6e9fb3faac1ba6e45d987757ab2bbb0266710f1302c0de9382f2162

Comments