MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6032b688e56699830e9adc1007f9bc01760e67b1e6a6ae16dd1045fae0ca598. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6032b688e56699830e9adc1007f9bc01760e67b1e6a6ae16dd1045fae0ca598
SHA3-384 hash: b683d67d762210b6924f62ca68912854ea457cb380b1ea48e4f44c0a900310bf8acac4f1ba37c93c758cbd43d7bcd3af
SHA1 hash: 30b2254a64a706df7ccd3d2df122a606beacd186
MD5 hash: f81ddb2074613d44e6ec49e156fef866
humanhash: pip-monkey-beryllium-leopard
File name:f81ddb2074613d44e6ec49e156fef866.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'113'600 bytes
First seen:2021-02-01 09:49:22 UTC
Last seen:2021-02-01 11:39:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:23P8tsRCCgVZibTh+xsWrj6sjh9u+J2t4:23P4sxEZ6TkqWqsF9u+Qt
Threatray 3'671 similar samples on MalwareBazaar
TLSH 60357D0162A8D509F9BADBB161641214CBFDBD27C377C78DE052746E2EB2381DE4B31A
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Fature.xlsx
Verdict:
Malicious activity
Analysis date:
2021-02-01 07:53:05 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader formbook trojan stealer
Link:
https://app.any.run/tasks/72fa63d0-e8ec-4a24-9642-a8e98df4bbc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114456/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/595224
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346651 Sample: M1t8Jk185a.exe Startdate: 01/02/2021 Architecture: WINDOWS Score: 100 31 www.shopcamaci.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 6 other signatures 2->45 11 M1t8Jk185a.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\M1t8Jk185a.exe.log, ASCII 11->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 M1t8Jk185a.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 33 daddydrinksbeer.com 108.179.234.217, 49766, 80 UNIFIEDLAYER-AS-1US United States 18->33 35 www.chrismcglothlin.com 119.28.6.251, 49762, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 18->35 37 6 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c6032b688e56699830e9adc1007f9bc01760e67b1e6a6ae16dd1045fae0ca598/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-02-01 09:39:07 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yybsw2eokzuzqmhjvxaqa743yalwbzt3dzvgvyln2ecf7lqmuwma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
017656cf14c2df80d45162895c9f28311beeff0fe3d8fda25cfd08e928e8c526
Formbook
04e7f27915298f09a1486331df3f0e5121e4a7856f41290f48200255b8b82df8
Formbook
20eb20f9b9fa4186e31943fb30235c77fd0816a5e6b6fc1ac2a9144b46672e3d
Formbook
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
Formbook
52a4e8e4fa40648531d4195cd66facc83b27d62f9183a12bc6b756628ffb0a3a
Formbook
5844c46897bed7fe14055a67a96610d8f81d68af270d698a600bb234bf813653
Formbook
73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264
Formbook
b4028a328ab3e533631461c92c11f0594dbc1311ccb259bfe7e37c325c31a1d5
Formbook
e7063cc17e4ab85b0ae947f6366f4a955758d2e3ef81bb2476f77aec1f77daae
Formbook
f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443
Formbook
+ 3'661 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210201-a3xt2gnfrx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.riseportugal.com/rse/
Unpacked files
SH256 hash:
e1890284dead5d30ac2be56493f5aba3c19651e7883963597b3a481e48de66f2
MD5 hash:
9b10c521802014406b6da4742e66d9f8
SHA1 hash:
60ddca9311ad348d11f82fb89ec5b0c2494f8735
Link:
https://www.unpac.me/results/b3e09fdb-9311-496f-8834-17f39651cc8b/
SH256 hash:
e03b3e2442ae5479c4731e4679bc74f6ebdfef742a5cb8f59091d4dbb64cacb1
MD5 hash:
ddedbcc173e58bfa1c0a9e9bd81d6369
SHA1 hash:
b704c9800a0ca1dfc416bc671cc3dfdfdbf34a16
Link:
https://www.unpac.me/results/b3e09fdb-9311-496f-8834-17f39651cc8b/
SH256 hash:
ad0d7f8714db525dc510e17055745db40c5ed0233f9a8ce459063aa42fd337ff
MD5 hash:
4165ade71d808852b4f961ae246e68cb
SHA1 hash:
a96f82313454a8f50de508c5c399d789c063f932
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b3e09fdb-9311-496f-8834-17f39651cc8b/
SH256 hash:
c6032b688e56699830e9adc1007f9bc01760e67b1e6a6ae16dd1045fae0ca598
MD5 hash:
f81ddb2074613d44e6ec49e156fef866
SHA1 hash:
30b2254a64a706df7ccd3d2df122a606beacd186
Link:
https://www.unpac.me/results/b3e09fdb-9311-496f-8834-17f39651cc8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6032b688e56699830e9adc1007f9bc01760e67b1e6a6ae16dd1045fae0ca598

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c6032b688e56699830e9adc1007f9bc01760e67b1e6a6ae16dd1045fae0ca598

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/986133/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114456/

Comments