MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320
SHA3-384 hash:	d0cf18e66e4b9152f17fa8861bb9b786eece239db4c95a051a2cebc7882afee0bba0d82525bc9717c2c3ec4521ff6e65
SHA1 hash:	103a4fd60b635f7ddea446bf544b66e62f4d26d4
MD5 hash:	66a6eb2b02f79c17ddb71f6ce5247086
humanhash:	bulldog-oscar-queen-bluebird
File name:	Quotation.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	514'048 bytes
First seen:	2020-10-19 06:31:44 UTC
Last seen:	2020-10-19 08:24:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:l9EJ9wt2L2C1Iz0i1h4L9jkUTEnHi4nhxp+sGPJEa:l4YC1Iz0ikBkUyC4vaE
Threatray	2'783 similar samples on MalwareBazaar
TLSH	44B4CFB17D92596EC56E07714069C4E1FAB61EC73F908B0D71DA4B0F3E01A2BAB1325B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing unidentified malware:

HELO: ledtech.com.cn
Sending IP: 156.96.60.139
From: ann.wu@ledtech.com.cn
Subject: RE:RE:RE:Feedback With Clarifications, Pictures, Techinical drawings
Attachment: Feedback With Clarifications, Pictures, Techinical drawings.rar (contains "Quotation.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/72733/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.48175.12912.3247.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a window

Creating a file

Creating a process from a recently created file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a recently created process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/494916

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-10-18 23:35:48 UTC

AV detection:

25 of 27 (92.59%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zt7pxq2gsm3pe5dyonnvz5cfmevbfbrbwsjknknvu2rdli754mqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645

Formbook

767fc756f86db0b4de57b4ec14964f24af0e47eb23ba7fa1df6378bcf9986947

Formbook

805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb

Formbook

8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda

Formbook

9abd8b37403ea5e7b381e0644acc6655dc01efc4be1edf69992c5a68c33eff1f

Formbook

bdad93534a202f7d3c2f102dc39093fa12a32f5de82c76a5fb41a94e1748d99e

Formbook

d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2

Formbook

d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879

Formbook

e85f434810652692f3e0a0738d9156899afcbd2bed42a6f328f0092d72a1db34

Formbook

+ 2'773 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201019-ej1ck5qwej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

ServiceHost packer

Formbook

Malware Config

C2 Extraction:

http://www.obluedotpanowdshop.com/pe3/

Unpacked files

SH256 hash:

ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320

MD5 hash:

66a6eb2b02f79c17ddb71f6ce5247086

SHA1 hash:

103a4fd60b635f7ddea446bf544b66e62f4d26d4

Link:

https://www.unpac.me/results/9a4f030b-c624-4dea-87ad-0b7aa9dd36b4/

SH256 hash:

030ebcfb58acd7ce1092bb21946ce0c2b240a9618e3f37d4b28651e28027c90e

MD5 hash:

0841d9e0eefb09e3a00d7a8951d34820

SHA1 hash:

b53c29a31ce122ab6806de9dbea82d741d70de48

Link:

https://www.unpac.me/results/9a4f030b-c624-4dea-87ad-0b7aa9dd36b4/

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/9a4f030b-c624-4dea-87ad-0b7aa9dd36b4/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/9a4f030b-c624-4dea-87ad-0b7aa9dd36b4/

SH256 hash:

30351057c5f68d7e5111885e43ea9c87dd0f1944fe717798bf4e1c03f5b08a36

MD5 hash:

8c09ce5bd7f6be2280ba37a21610b049

SHA1 hash:

79509bb45f36fe2fc9f41eee81eb0b2b80cbb4a1

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/9a4f030b-c624-4dea-87ad-0b7aa9dd36b4/

Parent samples :

6841a00603c067163259e142990659c0217ded69e2895d187fa65f9439034c7f
5c7caeaf0c86c08faf159068defe03b8188436f94540935cb356b7a63ed59f38
ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320
3f98571de88f8e13c4197c46d74287d2f0aef827a196ea51cb4b934c6857e04b
ed3d326f9c93f11a017b07494a12af448c1469f35c44da1817fcf464deed0519
444d02a09ab12106454e4acb80e1538ecc92b3f46fe04df50c4836111170e843
2e3a95c69cdae21d74523dd1203bd87cc7658c7a2458e2c04838832f43dc7edd
5f262b46973d73ecd92a2bab92298f072f5dd3607e6928eaef2293268ad97359
7e1c226947b8b89424cd0549d1709f7f5b7d8892f7ced1718eacb8ab5204c1a4

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ccfefbc3469336f27478735b5cf445612a128621b492a6a9b5a6a235a3fde320

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator