MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6851d4bfcc3b1845ed1ca30aec2c03e658b94cbba0a6d5e398c9da9b6b461a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6851d4bfcc3b1845ed1ca30aec2c03e658b94cbba0a6d5e398c9da9b6b461a2
SHA3-384 hash: 7cc6e3bc96a40d03843267cdf5f6dddc800b9e0051754d3c3205e2712c0dbb680eb64ff563955c06aa2902c8a30f1f36
SHA1 hash: 17b67b94986255ab0da130d0113330719af2abac
MD5 hash: 7d0fdfd383c5323cda8b2192141c6da4
humanhash: carbon-uniform-delta-equal
File name:PO#4500484210.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:724'480 bytes
First seen:2021-08-19 09:28:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'448 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:ZAQSsBEMuKQ1+3vx+IpOAjyjy+GbMDr5gCD0iJWH4C7lslSodbPAmK+At:LJBEZM3vqky0kWCIiMHlyldJ9At
Threatray 8'073 similar samples on MalwareBazaar
TLSH T1C1F4123D13EACF5BC3FC82B840958A8413F4C6C72493F7557E9288F868DEB9A0745A95
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO#4500484210.exe
Verdict:
Malicious activity
Analysis date:
2021-08-19 09:31:44 UTC
Tags:
trojan formbook stealer opendir
Link:
https://app.any.run/tasks/00ec3293-6a10-4be5-a955-1159015e8974

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180638/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/560f95ca-f802-46ac-9770-a595a558dba5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/835696
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 468128 Sample: PO#4500484210.exe Startdate: 19/08/2021 Architecture: WINDOWS Score: 100 31 www.nl-cafe.com 2->31 33 www.foxelpie.com 2->33 35 foxelpie.com 2->35 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 9 other signatures 2->55 10 PO#4500484210.exe 3 2->10         started        signatures3 process4 file5 29 C:\Users\user\...\PO#4500484210.exe.log, ASCII 10->29 dropped 57 Writes to foreign memory regions 10->57 59 Injects a PE file into a foreign processes 10->59 14 RegSvcs.exe 10->14         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Sample uses process hollowing technique 14->65 67 2 other signatures 14->67 17 msiexec.exe 14->17         started        20 explorer.exe 14->20 injected 23 autochk.exe 14->23         started        process9 dnsIp10 43 Modifies the context of a thread in another process (thread injection) 17->43 45 Maps a DLL or memory area into another process 17->45 25 cmd.exe 1 17->25         started        37 oldhousechicago.com 45.83.86.245, 49723, 80 DEDIPATH-LLCUS United Kingdom 20->37 39 www.writingleagues.com 204.11.56.48, 49729, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 20->39 41 11 other IPs or domains 20->41 47 System process connects to network (likely due to code injection or exploit) 20->47 signatures11 process12 process13 27 conhost.exe 25->27         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c6851d4bfcc3b1845ed1ca30aec2c03e658b94cbba0a6d5e398c9da9b6b461a2/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 08:10:01 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2cr2s74yoyyixwrziyk5qwahzsyxfglxifg2xrzrso2tnvumgra._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
067566cf129aad36652994eb3e80793577108e1308aabe012381ee2f12757fcb
Formbook
0edae7978eb5ab1138773892d324b8f03b4494db3a553045ab568a96f48051a4
Formbook
47e5619a856e90342ba0b34fb9f27ebd2bcf10b99b31f93aaabd819699922628
Formbook
5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d
Formbook
660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f
Formbook
6a708470ee13d86b51352b69e755a9bcbd2730ecef34133dd1b5ed10b95f56a3
Formbook
93e54839118561584c3e736d6b03acfbec1373cfe5b9b9dffdb3d57e96be7d4a
Formbook
c3dad4eb294afef3dd4251826c1c1d25679c1044120e8bfaaea14e582be06357
Formbook
d4257c565fc08d4e0b30d06f2a6935c8882f3a76d6df228f513c13c6e8ee1e43
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
+ 8'063 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:n58i loader rat suricata
Link:
https://tria.ge/reports/210819-pmly96l91a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.mack3sleeve.com/n58i/
Unpacked files
SH256 hash:
8cff129ca2360c5eff1f061536fe264c44a88b66519fd7f3353f6fcfd2bc111a
MD5 hash:
f914c8bfed6d43272fb24a861f2ca041
SHA1 hash:
5bf498268bc92b4cd8463fed104bda65297dc794
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8fa080e6-2463-4089-ae28-f7e534923da9/
Parent samples :
067566cf129aad36652994eb3e80793577108e1308aabe012381ee2f12757fcb
c3dad4eb294afef3dd4251826c1c1d25679c1044120e8bfaaea14e582be06357
93e54839118561584c3e736d6b03acfbec1373cfe5b9b9dffdb3d57e96be7d4a
47e5619a856e90342ba0b34fb9f27ebd2bcf10b99b31f93aaabd819699922628
c6851d4bfcc3b1845ed1ca30aec2c03e658b94cbba0a6d5e398c9da9b6b461a2
35e50a9d07903f1987a19115dfecdea79cec0844a04883e47106a2969d496ee6
a42fcf07a49813ee9169d0c3e69fd3b7dd98a2d3316d9861dcc8de4caa7487cd
c21a5d43b11091efa59562014f69a1996464c7e62b3656b56fad6b521c0d901b
35517ca8e7a66a88a7243724e6c374d0a4a82878792536087f746bf33ab2bddf
e5087564339ba6df9121621508233b27e2cac0ef94afa68a3dc777792bc18389
28c67cdcd4523ca934a1b72c6c8f5ed39874b6b8f66e3f679cb1095f859f6e83
db6988403e9bf2b750a78237f65394acafdd31173f013bbb789156d76c4d5eab
1575d06ca2a52c1ff60058d6fba43712c2926ecd3f640710ed8f96ec3aaf57da
112816e3c681b862208badf3069a7108fb356effaeab80d0235b613e653d9da5
65a1476fde2b2c018f8eaa5e96a77156baeb6f35bd46545db8745fa4fe0c4869
2579540806631bf43383d340bf445855f71106614b40854ca9cf33265a24f900
7f41f56fccf71bcb0c1f50d11e9d05a0342cd08a3a27d55d31cffe0ef95b2272
d99804145213694ea4b93c8acb43bf14d712b2043c247c703f88ebc97bf9c8d8
cc92eda0a8290172b29b51ff05fa235ffd0389fce74d0a40d0e5cc1e4af11497
d62663072daa5bde186f1d0c406225099d7ae372d00969a57016206c099ee1b7
55043fccaa51456c6d7b5aab6245b5cb74dde6cf3a6358f79aaddb81b6e320db
caee115a3bb2028fd81681b1fef997f87893c603dd42ca0932896029424ed1e7
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/8fa080e6-2463-4089-ae28-f7e534923da9/
SH256 hash:
1a15f31c7252bb7ee8949ec4a2eda26426515595f7a79d09589a9cb85ff6fb37
MD5 hash:
2517d8ef9e233c2b4f9c018dea8b0f85
SHA1 hash:
2c3d13991ae4ee9f9401dc120e027ef2923aead0
Link:
https://www.unpac.me/results/8fa080e6-2463-4089-ae28-f7e534923da9/
SH256 hash:
c6851d4bfcc3b1845ed1ca30aec2c03e658b94cbba0a6d5e398c9da9b6b461a2
MD5 hash:
7d0fdfd383c5323cda8b2192141c6da4
SHA1 hash:
17b67b94986255ab0da130d0113330719af2abac
Link:
https://www.unpac.me/results/8fa080e6-2463-4089-ae28-f7e534923da9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/c6851d4bfcc3b1845ed1ca30aec2c03e658b94cbba0a6d5e398c9da9b6b461a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c6851d4bfcc3b1845ed1ca30aec2c03e658b94cbba0a6d5e398c9da9b6b461a2

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180638/

Comments