MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c
SHA3-384 hash: 892ab84e143e3c975dfd468b4f423473ba83a39f008f13926e8a5a9e096078dcf67c3535caea1259f0bd496df64238ef
SHA1 hash: 639246ec825c9353bb22842de1b9411e53be2f35
MD5 hash: f6666d2dc66bf27af205c487c6a017d5
humanhash: blossom-oxygen-cup-mockingbird
File name:IRQ2107799_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:444'553 bytes
First seen:2022-03-08 07:49:39 UTC
Last seen:2022-03-08 09:42:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:qGi4U177myi8hHrVAn7PuzIuctvYWKJFa/ft3a7CfzeE3Nw:R87c8xVy7GzxugPJM/ftECby
Threatray 13'891 similar samples on MalwareBazaar
TLSH T1E8940101F9E1D8B1C3C164750FE1D278E3A5CE8E8A625A075BD47F2F397F2179810AA6
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248098/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.21552.29874.24432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Launching cmd.exe command interpreter
Sending a custom TCP request
Setting browser functions hooks
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f18258d-0f3a-4a14-a346-dd7d9f59dacd
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/952323
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 584806 Sample: IRQ2107799_pdf.exe Startdate: 08/03/2022 Architecture: WINDOWS Score: 100 36 www.thenuuway.store 2->36 38 thenuuway.store 2->38 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 6 other signatures 2->54 12 IRQ2107799_pdf.exe 18 2->12         started        15 explorer.exe 28 2->15         started        signatures3 process4 file5 34 C:\Users\user\AppData\Local\Temp\xzzepj.exe, PE32 12->34 dropped 17 xzzepj.exe 12->17         started        process6 signatures7 40 Multi AV Scanner detection for dropped file 17->40 42 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 17->42 44 Tries to detect virtualization through RDTSC time measurements 17->44 46 Injects a PE file into a foreign processes 17->46 20 xzzepj.exe 17->20         started        process8 signatures9 56 Modifies the context of a thread in another process (thread injection) 20->56 58 Maps a DLL or memory area into another process 20->58 60 Sample uses process hollowing technique 20->60 62 Queues an APC in another process (thread injection) 20->62 23 explorer.exe 20->23 injected process10 process11 25 help.exe 23->25         started        signatures12 64 Modifies the context of a thread in another process (thread injection) 25->64 66 Maps a DLL or memory area into another process 25->66 68 Tries to detect virtualization through RDTSC time measurements 25->68 28 cmd.exe 1 25->28         started        30 explorer.exe 1 124 25->30         started        process13 process14 32 conhost.exe 28->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-08 02:12:25 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzlrbdx4h54kgbjncxs7f2czggavm32fylb6gmleg67x2zrsbfoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
156b5c448e30912d7d21ca87fbb01a5c9006a3093c236e05809a4b4ecacd7400
Formbook
75a17cb26bd616c7d7b48b0b3add3033b6cd8656d8d20a0618734a3850072632
Formbook
83ade97bc0f693761767e687204e11ba7bda7956db304f4a63ca56cab467bd1c
Formbook
ace8d85c2f02bd3d531cd8d609d23c6d35588ecce52f40a8d129b39a6b1d7723
Formbook
bc09ecf5cb6364f4d053ec0420282fa6e7a1649a8a5ca2af2ca933aa27f8b90c
Formbook
ff3e94ded64b43f620ba549db99baa31abdd763209b60f7c9fc884b82cfac6d3
Formbook
+ 13'881 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:s1m4 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220308-jpdexsffel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c
MD5 hash:
f6666d2dc66bf27af205c487c6a017d5
SHA1 hash:
639246ec825c9353bb22842de1b9411e53be2f35
Link:
https://www.unpac.me/results/524205bd-762c-4ecd-99ee-843a250071fa/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c657108efc3f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/248098/

Comments