MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c76a9b44010a1926c0f891cdca969d734a128bd891aa4ae4448da346186ac6cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c76a9b44010a1926c0f891cdca969d734a128bd891aa4ae4448da346186ac6cd
SHA3-384 hash: 5a0d0142490548f626524e14b4acf016facc38d9c847afdeda7b82ee23a3996731baf40905f956426043060f49f8b3bf
SHA1 hash: b000331ab45544b34b140ad5b4eaf538770b719b
MD5 hash: 81be0a4da416ca67ffe1b16a34d05553
humanhash: fish-summer-north-golf
File name:toc4465321.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:340'814 bytes
First seen:2022-02-25 13:48:30 UTC
Last seen:2022-02-25 15:57:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:TxDCN/GVY/NyPKLJuS+qTliLxcgE4enHwAaRYRy71sAS9c:sO1wrTQDSHwXRGbc
Threatray 13'631 similar samples on MalwareBazaar
TLSH T1A174233582D14863DB9645B10E77EB3AF3B897592E3E622F03610F5791323875B2D32A
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/244712/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.14820.11848.32143.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
DNS request
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe nemesis overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6218de52b94fb38cb4062bd7/reports/3f82a25b-7bfc-4f3b-8582-0cd8360ef372/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c00b15fb-c13a-40de-a5d2-76bf524349c6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/946376
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 578857 Sample: toc4465321.exe Startdate: 25/02/2022 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 4 other signatures 2->55 11 toc4465321.exe 18 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\Temp\unlnld.exe, PE32 11->33 dropped 14 unlnld.exe 11->14         started        process5 signatures6 65 Multi AV Scanner detection for dropped file 14->65 67 Tries to detect virtualization through RDTSC time measurements 14->67 17 unlnld.exe 14->17         started        process7 signatures8 41 Modifies the context of a thread in another process (thread injection) 17->41 43 Maps a DLL or memory area into another process 17->43 45 Sample uses process hollowing technique 17->45 47 Queues an APC in another process (thread injection) 17->47 20 explorer.exe 17->20 injected process9 dnsIp10 35 www.lc8md31.com 172.252.67.238, 49800, 80 EGIHOSTINGUS United States 20->35 37 www.thepropertyinspectorsllc.com 20->37 39 thepropertyinspectorsllc.com 34.102.136.180, 49826, 80 GOOGLEUS United States 20->39 57 System process connects to network (likely due to code injection or exploit) 20->57 24 cmmon32.exe 20->24         started        27 autochk.exe 20->27         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 24->59 61 Maps a DLL or memory area into another process 24->61 63 Tries to detect virtualization through RDTSC time measurements 24->63 29 cmd.exe 1 24->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c76a9b44010a1926c0f891cdca969d734a128bd891aa4ae4448da346186ac6cd/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-02-24 16:26:13 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y5vjwrabbimsnqhyshg4vfu5onfbfc6ysgvevzcerwrumgdky3gq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6
Formbook
3c010d88a118ba3cc666e05c6f8f82159ac38e5486b5ed60c65d870287b8cff6
Formbook
6d1ae3278059d592ae7c4426df9456553b8abfbc3bd90ce0f8d1792e94ae95c2
Formbook
8392408d685d10ddf024a7e4f47976e03a00fd787bd4ee0932766c4b9b278bc0
Formbook
945f67ae677681e14db036f753f47333556fea6f3837bef7399e440e6bc167d5
Formbook
99dfa5a36a438daadbbfd9c087e5a005287e5a2b25668ba57a7e78d34b1c3b0b
Formbook
c652919676cc6f3ea808c6e1023de343d27ed8f72f4f1b94523c4ecfb09bf223
Formbook
da711e15e4cd8495ca3b7ab2cd3e964df07db80268f9f8594acf8073e96460e1
Formbook
ff3e94ded64b43f620ba549db99baa31abdd763209b60f7c9fc884b82cfac6d3
Formbook
+ 13'621 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:l22s rat spyware stealer trojan
Link:
https://tria.ge/reports/220225-q4nyjagce6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Unpacked files
SH256 hash:
3172fc9b1254b18aadba0d8a7a4ae6e6ae40572b90819009ed6bc2db974f6706
MD5 hash:
327ad4cb1405f0fcc2e029a87c753bc1
SHA1 hash:
bb47bdebf5e5cc0c895d6734c89a281c1aef2d4d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6096bc5a-36c3-4f69-9570-7fb665074328/
Parent samples :
da711e15e4cd8495ca3b7ab2cd3e964df07db80268f9f8594acf8073e96460e1
c76a9b44010a1926c0f891cdca969d734a128bd891aa4ae4448da346186ac6cd
d1456e0362c877e86044b3c74f22734d2e0ea98233f51a04f683b8f86cb9b4fd
SH256 hash:
ea458c5330e559df624ae60d87b36c69c94ab78a8eac935296a068a69644367e
MD5 hash:
5aa2206f0d97c8da1e6be2061b4239a0
SHA1 hash:
f317423037f884eaca94e43a6206b28fb0db256f
Link:
https://www.unpac.me/results/6096bc5a-36c3-4f69-9570-7fb665074328/
SH256 hash:
c76a9b44010a1926c0f891cdca969d734a128bd891aa4ae4448da346186ac6cd
MD5 hash:
81be0a4da416ca67ffe1b16a34d05553
SHA1 hash:
b000331ab45544b34b140ad5b4eaf538770b719b
Link:
https://www.unpac.me/results/6096bc5a-36c3-4f69-9570-7fb665074328/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/c76a9b44010a1926c0f891cdca969d734a128bd891aa4ae4448da346186ac6cd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c76a9b44010a1926c0f891cdca969d734a128bd891aa4ae4448da346186ac6cd

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/244712/

Comments