MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d040f18bcf1d59a6372cdd74ec22ba8908ca7c6e7c5a01e80053433277e16d1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	d040f18bcf1d59a6372cdd74ec22ba8908ca7c6e7c5a01e80053433277e16d1d
SHA3-384 hash:	4d21d77cb650848415e7d13c1a02963a6a621abbfbb563bb1813c6ec434c6b1be761b2845cb35c9e5aba9b17ae93ccfd
SHA1 hash:	8f4c98213c98445fdedebd5227455c9e4122ee3d
MD5 hash:	e8aad64db5f688d6ac4d7daa7dc9eba2
humanhash:	sink-freddie-carbon-shade
File name:	mam.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	526'336 bytes
First seen:	2021-06-09 13:32:59 UTC
Last seen:	2021-06-09 14:51:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c5061f564a0283b1f0fcad4d9984534d (2 x Formbook)
ssdeep	6144:yyNiVY4SJ/Wfg821yAqoGXrLz5ZvOoNFRQJ12MeIan8hB7OJzIma5hl8b:yyNiVYvKgTsAQFR9MeIaQB7OJEtlW
Threatray	5'105 similar samples on MalwareBazaar
TLSH	15B402A371A1C8BEE85901FF0D51B6525DEFFA20876C51DB3F64A35E9B605C0CB2A306
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/165625/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.14105.26445.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/799549

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d040f18bcf1d59a6372cdd74ec22ba8908ca7c6e7c5a01e80053433277e16d1d/

Threat name:

Win32.Packed.Bulz

Status:

Malicious

First seen:

2021-06-09 13:32:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 29 (48.28%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2bapdc6pdvm2mnzm3v2oyiv2reemu7doprnad2aaknbte57bnuoq._file

Verdict:

malicious

Label(s):

formbook

Formbook

50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085

Formbook

744400d590042d779a25401879f9906b979e32bba3fac355a0ff2d5a00f4fcfc

Formbook

ad2a5569cb14f86fe191f54f6fecb7bf1fe389418858f5fc72e6367c9780a9f0

Formbook

af2f2ca290589cc5582a0da252931b616dc62a88f53a9f9e00e9663b3ea2548a

Formbook

c2336a135878814b7b9b82146879a4ee8910e0a7e540415cb3716e1f62c1ea41

Formbook

c7b835a38f13c18350ba953a8f57f8c90a237804c377ba32d6fd212daa08e98c

Formbook

cccbd0b2d46adeb6d99413af4d5a4492cd530922a09724f04c8fb1e0c47d8326

Formbook

e47fa9824fd9f5f8e8b42fb02f53cfbf57b7c784d54c9e76ed247a9d297835cf

Formbook

e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267

Formbook

+ 5'095 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210609-cw1z6gfsfn/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.passportpatking.com/ffmi/

Unpacked files

SH256 hash:

437040ea2efa992294dab23f0ad297104dcca44a9898074b24a7c163214fd27a

MD5 hash:

4bce1aa14bf7189a3626ce2043134524

SHA1 hash:

8c118e2fda4b8c7db03fddc3ee9e8bcc7804da28

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/bc302c3e-c50d-4d90-b04f-db2c3ab95f06/

SH256 hash:

d040f18bcf1d59a6372cdd74ec22ba8908ca7c6e7c5a01e80053433277e16d1d

MD5 hash:

e8aad64db5f688d6ac4d7daa7dc9eba2

SHA1 hash:

8f4c98213c98445fdedebd5227455c9e4122ee3d

Link:

https://www.unpac.me/results/bc302c3e-c50d-4d90-b04f-db2c3ab95f06/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d040f18bcf1d59a6372cdd74ec22ba8908ca7c6e7c5a01e80053433277e16d1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/165625/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample