MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb2fe19cf830c90e1619bf31283d4abb68ac50e20eb0897891c6ce2ab6ba803f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb2fe19cf830c90e1619bf31283d4abb68ac50e20eb0897891c6ce2ab6ba803f
SHA3-384 hash: e32f745d3fa845233e483b85410c44174f5cb4c226e95a123560b8df97a21aa4c5373756a1ed5cceee6557d16be656b6
SHA1 hash: 1c6a411db270b708db482a0b9d8284d1d73a23d5
MD5 hash: a1282356e8bcd31952e2c1a1dd4a3253
humanhash: music-ink-echo-ack
File name:Courtfiles Document,PDF .exe
Download: download sample
Signature Formbook
Create hunting rule
File size:606'720 bytes
First seen:2022-06-30 08:27:46 UTC
Last seen:2022-06-30 14:05:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:QWJu6w5UTyOgdz7ZTSlAdqauu2iNLQ5UKWE03cAHZuzPw3ZLygd/1QQ:Lkuu1FCUKWEwfZurEZLJ
TLSH T1A9D49D9C3A2C31EEC957C5728E985CB4EA6224BF671B5113D12329DE9E0CB47DF604B2
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
You have Notice to Appear in Court
Verdict:
Malicious activity
Analysis date:
2022-07-01 04:43:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/95c5fd29-9353-4512-9d66-c22b15b6a45d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/284527/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Searching for synchronization primitives
Unauthorized injection to a system process
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3acdfbb7-15bf-4777-b39c-c04adb198d0b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022435
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cb2fe19cf830c90e1619bf31283d4abb68ac50e20eb0897891c6ce2ab6ba803f/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2022-06-30 04:54:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmx6dhhygdeq4fqzx4ysqpkkxnukyuhcb2yis6ery3hcvnv2qa7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:jr04 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220630-kczytsbde6/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
256d761b54d3e6f4ff15499cd707a4bd02c92710e85eb9e8fc3ae387e6e2704f
MD5 hash:
85855cd278c43f55ae386f92e584fc6f
SHA1 hash:
ca00ac6fd54bf7e5a1710981e9857451abc8b617
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Link:
https://www.unpac.me/results/be44a01e-83ac-41be-91fc-c48260c9c19d/
Parent samples :
cb2fe19cf830c90e1619bf31283d4abb68ac50e20eb0897891c6ce2ab6ba803f
15dcdfbd4c4fa20ce82cff55159ae0276c9cce9f487a340681f77234f0d64a3b
941b5d0273cb5958fd40a02b5251393140f8b72725e29cc1889bcf66cd3d0c54
03674981113e278ddd535c0c2f1be91ab6f65533a3cd69efd7a0e5ff9eb1957d
18061c8a31f3728962bed4acb1806d2c87cfcefe616e4003fe8c9569e6877a8b
dba99585218765f78dddf353fa0bc8cda522649bb25e13d71dfcd316e5d7c3f1
SH256 hash:
94b3673925761e56f4b5a21d89e63d3a4a84784a4bb84ba7ff4c67277c065317
MD5 hash:
f139ce37ef804fb239bb7cf3046bc304
SHA1 hash:
b1192285c9fbf64255d6b31fb984b8cb30a112e1
Link:
https://www.unpac.me/results/be44a01e-83ac-41be-91fc-c48260c9c19d/
SH256 hash:
7de2219239da866a21fb430a88eb350d2cdf06915c3d72f4ac61e800505cd2a1
MD5 hash:
5821f140241c682ec01212153ffca094
SHA1 hash:
f60735bb30b07d7d7642bc2623ed6c8d2ec94681
Link:
https://www.unpac.me/results/be44a01e-83ac-41be-91fc-c48260c9c19d/
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/be44a01e-83ac-41be-91fc-c48260c9c19d/
SH256 hash:
cb2fe19cf830c90e1619bf31283d4abb68ac50e20eb0897891c6ce2ab6ba803f
MD5 hash:
a1282356e8bcd31952e2c1a1dd4a3253
SHA1 hash:
1c6a411db270b708db482a0b9d8284d1d73a23d5
Link:
https://www.unpac.me/results/be44a01e-83ac-41be-91fc-c48260c9c19d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb2fe19cf830/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/cb2fe19cf830c90e1619bf31283d4abb68ac50e20eb0897891c6ce2ab6ba803f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 546dbacd63c79d5890deba37125514462b6b287a590f72e878d9345ee267ad9c

Formbook

Executable exe cb2fe19cf830c90e1619bf31283d4abb68ac50e20eb0897891c6ce2ab6ba803f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 546dbacd63c79d5890deba37125514462b6b287a590f72e878d9345ee267ad9c
Cape
Cape
https://www.capesandbox.com/analysis/284527/
  
Dropped by
MD5 210b951f1ce4a0474df6401de4051a6b

Comments