MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9b3c7ce6446a64df017cf3301ab24a7993b1336befdec8bab77332fe783e4d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	c9b3c7ce6446a64df017cf3301ab24a7993b1336befdec8bab77332fe783e4d4
SHA3-384 hash:	d33099f1600f0f659fe456a75a15cc2431b3996af5c7b94539e23dc8bcfddad79dbd6b953adb71cd7c941c886b0e1bb5
SHA1 hash:	c94098bcbf03566719c07e204cdfb81c2155ea78
MD5 hash:	f828a1f09517898f9de68b4756e0ca9b
humanhash:	robert-delta-oklahoma-mountain
File name:	Doc-Quotation.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	471'040 bytes
First seen:	2020-10-26 14:53:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:VlzdTZ4rjNxG/i/OfFGr6ELqt0MPYHBlvaXQuW8MOPMfiqH:VV/4rjvGiO9C6E2t0jHBl+QuWLVi
Threatray	3'026 similar samples on MalwareBazaar
TLSH	3DA4C0B13D92587ECA6B077515B985C0FABA26C73FA08B0D715F430C0E15A6BEB5324B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing unidentified malware:

HELO: forhrprofessionals.info
Sending IP: 117.50.15.121
From: Antoinette Nikoletta <sales@forhrprofessionals.info>
Subject: RE: Germany || Quote our Different Designs
Attachment: Doc-Quotation.rar (contains "Doc-Quotation.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/79238/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching the default Windows debugger (dwwin.exe)

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/512144

Signature

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/c9b3c7ce6446a64df017cf3301ab24a7993b1336befdec8bab77332fe783e4d4/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-10-26 14:55:11 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zgz4pttei2te34axz4zqdkzeu6mtwezwx366zc5lo4zs7z4d4tka._file

Verdict:

malicious

Label(s):

formbook

Formbook

333a258f45e7a8baaab72b1539859a00bca7309a8d641490329184977090b540

Formbook

6841a00603c067163259e142990659c0217ded69e2895d187fa65f9439034c7f

Formbook

74ee80ac61ce369a23feac3296a825873aa257282d5dd0f9c35c385e3d6766cf

Formbook

7a990daaeb236dac7f6245626e92a4624c798b89e96d573abfd78d2b546af659

Formbook

82ec33dd4f26eab172d8a0fc536751d12153a3f7175351da311a7059217c670e

Formbook

bfae046475f1458c460cf4eed534a48c8e769fbfc622138170c3945a4ad61a90

Formbook

ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320

Formbook

e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3

Formbook

ef4c04da2b5fe6ce33597d1dbe44a8b84b156cb1bd03b3a3f8d8c9dabede075b

Formbook

+ 3'016 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201026-wp6mg3jaqa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Deletes itself

Loads dropped DLL

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.elchef.club/ee5/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator