MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c46c1d3ce137b855a860af126e8986175501defc0a3f69c5472bf9d905c05bb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c46c1d3ce137b855a860af126e8986175501defc0a3f69c5472bf9d905c05bb4
SHA3-384 hash: 0f1e661d6f5c4af967a4a5d898a7922f6e20d9e32a82d6dacbe570261c1f69538631affbdaacd523a1740f1d68636812
SHA1 hash: 6ec4c339b69162ccda60370cd7850c3173931f2a
MD5 hash: 637eb72d2e7294279e4c776e01e2d986
humanhash: potato-alaska-violet-iowa
File name:Proposta nº 140689 - Antonio Aurélio dos Santos e Filhos, Lda77.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:370'176 bytes
First seen:2021-08-26 19:55:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 6144:D4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0PzR:MXe9PPlowWX0t6mOQwg1Qd15CcYk0Weh
Threatray 6'246 similar samples on MalwareBazaar
TLSH T158741212FDCA0CD6FAFBD0BA5DC6CF391D2EB2CB083547ACB598CD6C66541152CA18A1
dhash icon 74f4f090cae4e8e0 (5 x Formbook)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
350
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proposta nº 140689 - Antonio Aurélio dos Santos e Filhos, Lda77.exe
Verdict:
Malicious activity
Analysis date:
2021-08-26 19:56:55 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/16cd9bcc-74d6-472b-9b25-fde48bf6dc44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
Creating a process from a recently created file
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f107dadf-a43b-493a-bf2f-de1b563ea151
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840047
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472478 Sample: Proposta n#U00ba 140689 - A... Startdate: 26/08/2021 Architecture: WINDOWS Score: 100 29 www.altshiftdel.com 2->29 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 5 other signatures 2->45 11 Proposta n#U00ba 140689 - Antonio Aur#U00e9lio dos Santos e Filhos, Lda77.exe 15 2->11         started        signatures3 process4 dnsIp5 37 a.uguu.se 144.76.201.136, 443, 49703 HETZNER-ASDE Germany 11->37 55 Maps a DLL or memory area into another process 11->55 15 Proposta n#U00ba 140689 - Antonio Aur#U00e9lio dos Santos e Filhos, Lda77.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 31 lacasitadeeithne.com 5.135.185.231, 49722, 80 OVHFR France 18->31 33 www.hoodshawaii.com 45.196.98.121, 49720, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 18->33 35 15 other IPs or domains 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 22 WWAHost.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c46c1d3ce137b855a860af126e8986175501defc0a3f69c5472bf9d905c05bb4/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-26 18:04:28 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yrwb2phbg64flkdav4jg5cmgc5kqdxx4bi7wtrkhfp45sboalo2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0f3dd18c562054da9edf8c427370c1455f5882d455ca21e8f2ed2cff9d70472c
Formbook
378a43b4576b7d9a7bf424295f83cee901ad8347351285a3dc0708d78312a4cc
Formbook
71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0
Formbook
88ceee260ee9b4baa66e0aeb88821c2edbfebdb3f946cb8e1d3c4850ab0a0365
Formbook
b1d23d23f4cb253299dde04c81c51a3e375fc60c45965af013aefe47524202d8
Formbook
b3be486490acd78ed37b0823d7b9b6361d76f64d26a089ed8fbd42d838f87440
Formbook
b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1
Formbook
d98998e1d6649dba775358afffb1771be64bef20f490b5a97fca770f68bf6f2a
Formbook
f3037e5e047b6bfbfb11c453d1d836217e8c7ec606eacce69dfe31bf8b260821
Formbook
ff3168baecb6c9afcaeaf4d557d814522a197183c8930da3832465f2f5b3963b
Formbook
+ 6'236 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:ftgq loader rat upx
Link:
https://tria.ge/reports/210826-bk96hfcd1x/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.mambomakaya.com/ftgq/
Unpacked files
SH256 hash:
bc9db992dabb52cfdd901b2f8dc177406dce702e246b078c3618b3009b4c28ad
MD5 hash:
4b6ed20f682b5cfb8762863efd4c06d3
SHA1 hash:
08fc07f7ef4241cf093444c46b519c33b0fdb3e0
Link:
https://www.unpac.me/results/80f24e77-3a3e-432b-b3c8-1630a515bc4c/
SH256 hash:
c46c1d3ce137b855a860af126e8986175501defc0a3f69c5472bf9d905c05bb4
MD5 hash:
637eb72d2e7294279e4c776e01e2d986
SHA1 hash:
6ec4c339b69162ccda60370cd7850c3173931f2a
Link:
https://www.unpac.me/results/80f24e77-3a3e-432b-b3c8-1630a515bc4c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/c46c1d3ce137b855a860af126e8986175501defc0a3f69c5472bf9d905c05bb4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c46c1d3ce137b855a860af126e8986175501defc0a3f69c5472bf9d905c05bb4

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments