MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d
SHA3-384 hash: 1a29a80516a429ffe2ceb36dd7d0efaa6dea86a24ee506541dad307e7728bca5fb175225e6b3cedd1f3abf937dacaf5e
SHA1 hash: c89df349f144a0cce0dce3a47efc5a9e37b46d56
MD5 hash: 3e9eee8807a79ad0134c1a6402927ffa
humanhash: island-robin-cup-hamper
File name:rápida confirmación.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:718'336 bytes
First seen:2022-01-13 22:39:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d4d44b461c7d54870dac4fd24262a9a9 (2 x Formbook, 1 x DBatLoader)
ssdeep 12288:HB+Wk51M2qz6umSUAXwF1Oh99ojWa713rCOKGbrq9ZTu7dK+/3yjc4uBd8QWOl:hnK66umSUAXweh99oj3713rRS9ZJ+fyu
Threatray 13'052 similar samples on MalwareBazaar
TLSH T1B7E49DEFB360C433D3369578FC1696B858267ED12F2498872ED47E5F3A38290B41A593
File icon (PE):PE icon
dhash icon f0c0db6c6a7af0fc (24 x Formbook, 6 x QuasarRAT, 5 x RemcosRAT)
Reporter Racco42
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rápida confirmación.exe
Verdict:
Malicious activity
Analysis date:
2022-01-13 22:45:12 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/e4f76a93-29ee-4e09-b3ea-316d998545a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219175/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.32108.31229.2281.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching the process to change network settings
Launching cmd.exe command interpreter
Searching for synchronization primitives
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4141/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook keylogger zusy
Link:
https://www.filescan.io/uploads/61e0aa551883c5ba4ec9497f/reports/1bf75e15-09ce-4dce-838a-3c5d43c91388/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfe9a6d1-80a4-4e4f-9ee3-4cf025f9e1d4
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920483
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 552958 Sample: r#U00e1pida confirmaci#U00f3n.exe Startdate: 13/01/2022 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 5 other signatures 2->59 10 r#U00e1pida confirmaci#U00f3n.exe 1 17 2->10         started        process3 dnsIp4 51 cdn.discordapp.com 162.159.130.233, 443, 49759, 49762 CLOUDFLARENETUS United States 10->51 41 C:\Users\user\Contacts\Wktcfujipy.exe, PE32 10->41 dropped 43 C:\Users\...\Wktcfujipy.exe:Zone.Identifier, ASCII 10->43 dropped 77 Writes to foreign memory regions 10->77 79 Allocates memory in foreign processes 10->79 81 Creates a thread in another existing process (thread injection) 10->81 83 Injects a PE file into a foreign processes 10->83 15 DpiScaling.exe 10->15         started        file5 signatures6 process7 signatures8 91 Modifies the context of a thread in another process (thread injection) 15->91 93 Maps a DLL or memory area into another process 15->93 95 Sample uses process hollowing technique 15->95 97 2 other signatures 15->97 18 explorer.exe 2 15->18 injected process9 process10 20 Wktcfujipy.exe 13 18->20         started        24 Wktcfujipy.exe 13 18->24         started        26 colorcpl.exe 18->26         started        28 3 other processes 18->28 dnsIp11 45 162.159.133.233, 443, 49763, 49764 CLOUDFLARENETUS United States 20->45 47 cdn.discordapp.com 20->47 61 Multi AV Scanner detection for dropped file 20->61 63 Writes to foreign memory regions 20->63 65 Allocates memory in foreign processes 20->65 30 DpiScaling.exe 20->30         started        49 cdn.discordapp.com 24->49 67 Creates a thread in another existing process (thread injection) 24->67 69 Injects a PE file into a foreign processes 24->69 33 DpiScaling.exe 24->33         started        71 Modifies the context of a thread in another process (thread injection) 26->71 73 Maps a DLL or memory area into another process 26->73 75 Tries to detect virtualization through RDTSC time measurements 26->75 35 cmd.exe 1 26->35         started        37 explorer.exe 155 26->37         started        signatures12 process13 signatures14 85 Modifies the context of a thread in another process (thread injection) 30->85 87 Maps a DLL or memory area into another process 30->87 89 Sample uses process hollowing technique 30->89 39 conhost.exe 35->39         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 22:16:42 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4au5xhoyd56mobrfxhmrogr6cs37cg5fax4rlu6yxjxlaqne4gq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
36b986f7d277f114be1166140b08a4ddb6300274d6365ea589fe129105445de7
Formbook
40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad
Formbook
4f64511b423d79682dfad8f6b516516d32e801f0031f07b7e3c6c19798a64b95
Formbook
6846492babd6809fcbf6d1a30ebd47db29061bc23237069ff85a86b406b1abb0
Formbook
6bd5fda97afe76f3d6cc66ffac1350e77256315e151364355af9ee6d56be8ebf
Formbook
6d722da095632d50aa49b4749a4e7db323889aee6fad1ecc2c5dd999e63c645e
Formbook
9050768f69225078f05d535401510a5b361dd071430e40639e869c7247621908
Formbook
d1a716b9f2d3c4be4527b077dd5da726ffb4008935c7223116a3aa64b4f5f8f0
Formbook
deac58296321ec67026dc3de7275137fbdf1775e28fbd9e4d3bf528be7bc95ff
Formbook
f80dd0bf7402bebd03d303c97c8dd3f921d3e923a2521f4a2af2e4bf3c288aa1
Formbook
+ 13'042 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:ariv loader persistence rat trojan
Link:
https://tria.ge/reports/220113-2lm43achf8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader First Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
Unpacked files
SH256 hash:
5852f167948b3cf3fcd175ed0acc3cd43456ab0aecae4ac68121bde1906bcf39
MD5 hash:
bb66163c0a181098d801f3d6b775f73f
SHA1 hash:
fe4adcf4bf6146cac5b4eb192c99fc0cebba323b
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/263535de-f9bb-4495-b77b-742dc536d985/
Parent samples :
8865c82943ba3a6479fca40222a730e22e3d1cd279c6c6e0915c5c47f893636a
71cf991b9060d1fcefd467162ecfe99c89c47da31d29489e299f7bec73d56a83
dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7
9092a8499f245641da71311b2f4dcafac1b61c30f1f5d5808fed38f5125cbc57
4cdb484aff91fc4c74a8f2750296212dd12af808fee3e01bf9b8d0feafbd8fc1
c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85
40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad
92cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
1dfdb77409e4402860f9a644890b904f68d377cc5f9320828aa320b7e835e207
65c55c73382e84ea8a229ba4c65ce12c956b3e86916e343ed6e933a10735e9b1
84e9426e79655328d7e51384cd16697772d5fa8043ef793e4777ec7e3c38c6d0
778fb400067e1de625dfa7e62e7091cc28e75fc44673562dc193f4b486fdcef0
a84d4b61bab51a5eaf7d9b1a96ab450a5057ddbebb4a38617755b6286d19e9a1
83f6940a0fadd38a9a73e859f46173631822ee985037994c6c55b328721d76bf
70d04c9ec5f8c5f8a5c1cd82ad19eee2ddd26145848bc2ffe90d1b51645cac2e
f31ca1220140f0489ddef71cf10ef3636537422acaefd6dd8d9199a942feb128
e98006424a36e34271488f8a584b535b0bdf1650d2da228ec4c2a94e24ca20bb
a2948f7e3c13f7c9a54e44a6bd601ca6b8a3c2d97b7c8d6b28d1475f0caf81b8
80bee5948290fe93aa9aba9789c364c3e71f4d9039ec68a56dc05a4af7b0a502
ad2910f066744846d0233c9eb6643a71fe1643e5a107646b95c88608cddf1ed8
fdf39d043cc55d6a72b1fe01c9067bb7591d5c379798499148521e6158afeea0
c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d
dbb93c60e5e74632af64452fe9ec5acd788140d0eb3231655a47203e86ef6b55
feb40c343aa65f5f5c0a32443535effa22652067c576416857e4d7280ce85e11
cab5f50e805b3a36e0ea6cf84c40b4b90e372fcd2f3f1024664af5440282d496
SH256 hash:
c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d
MD5 hash:
3e9eee8807a79ad0134c1a6402927ffa
SHA1 hash:
c89df349f144a0cce0dce3a47efc5a9e37b46d56
Link:
https://www.unpac.me/results/263535de-f9bb-4495-b77b-742dc536d985/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/219175/

Comments