MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1324ad6746ac4d0022a3501ea81785bb78304512b4041ac0eb1f3dc19a68769. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1324ad6746ac4d0022a3501ea81785bb78304512b4041ac0eb1f3dc19a68769
SHA3-384 hash: 3e58079e9a0eabe83db0158df457e434803eedf4ad98e4ab831c7342c8febe8761e3c1a57f2a3b5350013df614ee1790
SHA1 hash: 92a6553ae2295adc7ac5861f61817e7f36959120
MD5 hash: ed1690f3a3da74f266cac843187bf6c2
humanhash: lake-glucose-uniform-september
File name:doh.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'476'608 bytes
First seen:2022-04-15 04:18:07 UTC
Last seen:2022-04-20 10:23:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'741 x Formbook, 12'286 x SnakeKeylogger)
ssdeep 24576:wz7CDHQM1ITPKXLTXuEnHK8lQkqq5a+c1G65bT3Fd:wz7AHQ9uPhSTqlST
Threatray 12'356 similar samples on MalwareBazaar
TLSH T1FD655B4D32824E16FD10E3B9E9B3AB453B28D675045D6B1273D4293EE41F3A6AF03792
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f8e0e886c6eea480 (1 x Formbook, 1 x RemcosRAT)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
doh.exe
Verdict:
Malicious activity
Analysis date:
2022-04-15 04:19:15 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/d86f15d6-dbda-415e-ad23-14ccc8bb65d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/263893/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Unauthorized injection to a recently created process
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6258f237482f2f41cab2a0a5/reports/f4dfe73d-1496-4d80-bbdb-9ac89cc4b676/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f489290-8bd9-4a25-ab2a-51ea0f97a5a2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977258
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 609745 Sample: doh.exe Startdate: 15/04/2022 Architecture: WINDOWS Score: 100 58 www.biocyberlaw.com 2->58 60 pltraffic35.com 2->60 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 4 other signatures 2->78 11 doh.exe 1 5 2->11         started        signatures3 process4 file5 52 C:\Users\user\AppData\Local\doh.exe, PE32 11->52 dropped 54 C:\Users\user\...\doh.exe:Zone.Identifier, ASCII 11->54 dropped 56 C:\Users\user\AppData\Local\...\doh.exe.log, ASCII 11->56 dropped 96 Tries to detect virtualization through RDTSC time measurements 11->96 98 Injects a PE file into a foreign processes 11->98 15 doh.exe 11->15         started        18 doh.exe 11->18         started        signatures6 process7 signatures8 100 Modifies the context of a thread in another process (thread injection) 15->100 102 Maps a DLL or memory area into another process 15->102 104 Sample uses process hollowing technique 15->104 106 Queues an APC in another process (thread injection) 15->106 20 explorer.exe 15->20 injected process9 dnsIp10 62 zcyq.life 160.153.136.3, 49796, 80 GODADDY-AMSDE United States 20->62 64 www.zcyq.life 20->64 80 System process connects to network (likely due to code injection or exploit) 20->80 24 doh.exe 2 20->24         started        27 doh.exe 2 20->27         started        29 WWAHost.exe 20->29         started        31 3 other processes 20->31 signatures11 process12 signatures13 82 Multi AV Scanner detection for dropped file 24->82 84 Machine Learning detection for dropped file 24->84 86 Tries to detect virtualization through RDTSC time measurements 24->86 33 doh.exe 24->33         started        36 doh.exe 24->36         started        38 doh.exe 24->38         started        88 Injects a PE file into a foreign processes 27->88 40 doh.exe 27->40         started        42 doh.exe 27->42         started        44 doh.exe 27->44         started        46 doh.exe 27->46         started        90 Self deletion via cmd delete 29->90 92 Modifies the context of a thread in another process (thread injection) 29->92 94 Maps a DLL or memory area into another process 29->94 48 cmd.exe 1 29->48         started        process14 signatures15 66 Modifies the context of a thread in another process (thread injection) 33->66 68 Maps a DLL or memory area into another process 33->68 70 Sample uses process hollowing technique 33->70 50 conhost.exe 48->50         started        process16
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1324ad6746ac4d0022a3501ea81785bb78304512b4041ac0eb1f3dc19a68769/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-15 03:37:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ezevvtunlcnaarkgua6valylo3ygbcrfnaedlaowhz5ygngq5uq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06d3dc4da506d3c92fd8b82b27d92dec4036fd9622727c6e31cc314ea18ca518
Formbook
0f26fc2304b6625ef379ab4b0725e57d814a4e87035b6d15215067f3f3321af0
Formbook
519a77b3e875886add3b2e84ac63cb9e9707381fce9d25d79616554d4c6c2287
Formbook
5fd22c8bf1e7e06ccaa6ebc23410086fe0e3bc30b1613cd6ee734f280c0d6979
Formbook
70690df30efa9d014efe9d9d64203dee1540a18d2b45d490cb0db005c9c7cf82
Formbook
9ae7a32e1f8d49f2d13f632a946043dfe347f3d71ca95c146f0f2e597b54c4d5
Formbook
a28ff821e1218af701aa2e5fde3e8a58a8133178514a4730805bed29dccfa029
Formbook
ac4f54c754e6522cc5d4348a6c138718700ec82097225cae5b46a1eeffdfd094
Formbook
d7fb7846545905a86a059da93c28f6f14a12b4ff9148b801f7238e75d75036c7
Formbook
dc398f97c7c248ee6e669cb910b617224c1da4eb8338a37fc4ed812784f83a24
Formbook
+ 12'346 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:b6nt persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220415-exhbmadchr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
4eb2f0b598b9126a87fed38b25910897442590440d982a7dbe4094149ff178f0
MD5 hash:
e350007324d7f085912475088889f365
SHA1 hash:
d896a175704f4d6a8e9c863480e99928f4b9dbea
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/efb624ee-bf54-48bb-97cd-7986601f2aef/
SH256 hash:
f26b2fb48d0578ad576a29aa1f5a6177a7c0672983479487e04180ea3a274abf
MD5 hash:
b194824e16a15499676555ba447836b1
SHA1 hash:
26d52937038ae53122a6fba65113d5fa47341630
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/efb624ee-bf54-48bb-97cd-7986601f2aef/
SH256 hash:
5f30ca273d95cd022b2122b7c59b92cf97bcb6df5d861919a974a99b192e28f3
MD5 hash:
3d1a6c9c9f4d74b985718b7100f4f253
SHA1 hash:
a6adda18d78263e5a019e2d6aad8297a2b17188b
Link:
https://www.unpac.me/results/efb624ee-bf54-48bb-97cd-7986601f2aef/
SH256 hash:
d1324ad6746ac4d0022a3501ea81785bb78304512b4041ac0eb1f3dc19a68769
MD5 hash:
ed1690f3a3da74f266cac843187bf6c2
SHA1 hash:
92a6553ae2295adc7ac5861f61817e7f36959120
Link:
https://www.unpac.me/results/efb624ee-bf54-48bb-97cd-7986601f2aef/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1324ad6746a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/d1324ad6746ac4d0022a3501ea81785bb78304512b4041ac0eb1f3dc19a68769

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:malware_Formbook_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d1324ad6746ac4d0022a3501ea81785bb78304512b4041ac0eb1f3dc19a68769

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/263893/

Comments