MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6070d16218077441b9faa6ed769b764e27d7a506c2eea9ee98527d88f2c8eae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6070d16218077441b9faa6ed769b764e27d7a506c2eea9ee98527d88f2c8eae
SHA3-384 hash: 72599134ef401e1780f68166a8be6197ab83cba4af8270700821c6cdec6a2dc97121357f5a33b66e853be912a2c16113
SHA1 hash: ef97665d6d8a2ca89d5ab8b621e059e9d1fc908f
MD5 hash: 5700f09933c40244225e5cd14da128c3
humanhash: fix-crazy-march-bacon
File name:POFKEC-16112022.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:531'968 bytes
First seen:2022-11-16 05:26:37 UTC
Last seen:2022-11-17 12:41:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:nXs67Rdzh6/1BfqQjd8NKlDgUuzrCACxpvoYyQb4kmILN4NmR:nXsKR9MvDjd8ElDgfSACx1M6Ew
Threatray 589 similar samples on MalwareBazaar
TLSH T1E4B412C427BDEBB3DD5E0FF605C134424B37B6386A10C2C68A8956D6189BB15C8AE7D3
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
POFKEC-16112022.exe
Verdict:
No threats detected
Analysis date:
2022-11-16 05:27:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dadc3bbf-b149-4967-8ffb-4f2047830487

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/334630/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.8424.6297.3059.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Launching the process to change network settings
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637474a6f75d59fef0b98735/reports/a2d6488d-acb5-4ac3-bcaa-a0877a6b0e13/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa57327d-1134-4fa2-8bdc-0c2915f802ef
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114515
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 747211 Sample: POFKEC-16112022.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 4 other signatures 2->42 9 POFKEC-16112022.exe 1 2->9         started        process3 file4 28 C:\Users\user\...\POFKEC-16112022.exe.log, CSV 9->28 dropped 52 Writes to foreign memory regions 9->52 54 Injects a PE file into a foreign processes 9->54 13 CasPol.exe 9->13         started        16 CasPol.exe 9->16         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Maps a DLL or memory area into another process 13->58 60 Sample uses process hollowing technique 13->60 62 Queues an APC in another process (thread injection) 13->62 18 NETSTAT.EXE 13->18         started        21 explorer.exe 13->21 injected 64 Uses netstat to query active network connections and open ports 16->64 66 Tries to detect virtualization through RDTSC time measurements 16->66 process8 dnsIp9 44 Modifies the context of a thread in another process (thread injection) 18->44 46 Maps a DLL or memory area into another process 18->46 48 Tries to detect virtualization through RDTSC time measurements 18->48 24 cmd.exe 1 18->24         started        30 www.6527.vote 103.87.241.42, 49703, 80 ONL-HK-AS19ChunWangStreetTseungKwanOIndustrialEsta Hong Kong 21->30 32 www.homes-collection.com 188.114.96.3, 49701, 80 CLOUDFLARENETUS European Union 21->32 34 4 other IPs or domains 21->34 50 System process connects to network (likely due to code injection or exploit) 21->50 signatures10 process11 process12 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6070d16218077441b9faa6ed769b764e27d7a506c2eea9ee98527d88f2c8eae/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 02:25:42 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
19 of 39 (48.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yydq2frbqb3uig47vjxno2nxmtrh26sqnqxovhxjqut5rdzmr2xa._file
Verdict:
malicious
Similar samples:
059c47f1fb93e65580c59415a40a376c8fc3168f13282f2f5efddd4c54ce0fac
Formbook
2c735406da96a49a4d79b1cfca607013dff88e49c5d1526e5a04f4a32111d785
Formbook
43e7901e0f50ea1ad4a609f04769dd0a3384443f685090e370e1d728595fc85f
Formbook
4fcd149028440c9596e308a70da693c31b1c438e08d12917b17b871dcff52e20
Formbook
623c410c316befe7e6cf4d8459bc0d112d7462b40dd31c524f10f268f1ef378e
Formbook
c4a2d1a93c9da2d51ae8d0ef88b1dbf6fecd931714d9a09221c4f928f6861ce3
Formbook
e52021bd99d1c345847e0a9dd60ce355a9580a154a1420bf4deac9f327519568
Formbook
f0c54f3f1717c1039dacdf7c4b63200d6f027e5a622c6eb65636d2089aa4b1c0
Formbook
+ 579 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:th47 rat spyware stealer trojan
Link:
https://tria.ge/reports/221116-f5eq5sdb7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7db3a894-e0c1-4006-bbc2-3db33c64301d
Unpacked files
SH256 hash:
c6070d16218077441b9faa6ed769b764e27d7a506c2eea9ee98527d88f2c8eae
MD5 hash:
5700f09933c40244225e5cd14da128c3
SHA1 hash:
ef97665d6d8a2ca89d5ab8b621e059e9d1fc908f
Link:
https://www.unpac.me/results/e8ce3d81-239b-4a77-a8b7-e4624cffb626/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c6070d162180/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c6070d16218077441b9faa6ed769b764e27d7a506c2eea9ee98527d88f2c8eae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 3ed10b81b38e4516bdd1257cb2252bf7a8fffbd3b503bcc9910b2a5d0bf5996e

Formbook

Executable exe c6070d16218077441b9faa6ed769b764e27d7a506c2eea9ee98527d88f2c8eae

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/334630/
  
Dropped by
SHA256 3ed10b81b38e4516bdd1257cb2252bf7a8fffbd3b503bcc9910b2a5d0bf5996e
  
Dropped by
MD5 0819c6060cc1781c9378e0a68206bfa4

Comments