MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866
SHA3-384 hash: d6ae8f8faa217b17e1174ed5473e759a250fa0f3dd424e2b41269c408ed0d799188ace21540e89ee30a18447ad2233b5
SHA1 hash: 75f0c1f2706dc698cb070da96fecd9e0c3685115
MD5 hash: 900555691774af90720a251bdba10f31
humanhash: gee-seven-mars-florida
File name:CI-OMG200602.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'399'808 bytes
First seen:2020-11-23 16:44:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:rjpoG+f233iMlU0XO8U9+lIenv0AD8RbkOQof+aY+oWojF:nUz8U9TmvLCbpfV5Hq
Threatray 3'029 similar samples on MalwareBazaar
TLSH EC556CAE3A5072DFC857CD76D9681C28EB90B47B830BD647A05319ED9A0D99BCF140F2
Reporter Anonymous
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545373
Signature
Detected FormBook malware
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321780 Sample: CI-OMG200602.exe Startdate: 23/11/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 6 other signatures 2->51 10 CI-OMG200602.exe 3 2->10         started        process3 file4 37 C:\Users\user\...\CI-OMG200602.exe.log, ASCII 10->37 dropped 65 Tries to detect virtualization through RDTSC time measurements 10->65 14 CI-OMG200602.exe 10->14         started        signatures5 process6 signatures7 67 Modifies the context of a thread in another process (thread injection) 14->67 69 Maps a DLL or memory area into another process 14->69 71 Sample uses process hollowing technique 14->71 73 Queues an APC in another process (thread injection) 14->73 17 explorer.exe 14->17 injected process8 dnsIp9 39 www.solidbusinessloans.com 154.216.241.66, 49738, 49739, 49740 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 17->39 41 mountainviewlist.com 34.102.136.180, 49730, 49731, 49732 GOOGLEUS United States 17->41 43 4 other IPs or domains 17->43 53 System process connects to network (likely due to code injection or exploit) 17->53 21 colorcpl.exe 18 17->21         started        signatures10 process11 file12 31 C:\Users\user\AppData\...\20Plogrv.ini, data 21->31 dropped 33 C:\Users\user\AppData\...\20Plogri.ini, data 21->33 dropped 55 Detected FormBook malware 21->55 57 Tries to steal Mail credentials (via file access) 21->57 59 Tries to harvest and steal browser information (history, passwords, etc) 21->59 61 3 other signatures 21->61 25 cmd.exe 2 21->25         started        signatures13 process14 file15 35 C:\Users\user\AppData\Local\Temp\DB1, SQLite 25->35 dropped 63 Tries to harvest and steal browser information (history, passwords, etc) 25->63 29 conhost.exe 25->29         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 15:15:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2fujs52eqz53zzg2sbigwimc6tiblcm3zxp5hespenhhhg46pbta._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
formbook
Create hunting rule
Similar samples:
16a4855bceb4df02e0478cd72972a6e7f144f2278fedb239c2cb696cf6bf7199
FormBook
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
FormBook
333a258f45e7a8baaab72b1539859a00bca7309a8d641490329184977090b540
FormBook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
FormBook
6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645
FormBook
82ec33dd4f26eab172d8a0fc536751d12153a3f7175351da311a7059217c670e
FormBook
8ca4a5887d8506ae275cdc9d9ba89dab07e2997435435a1f0bd111f78ad0a382
FormBook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
FormBook
b1b8f6dcd1c8d12e5a79a8d16dd62d0900d552ba435178b691f4497d338cc704
FormBook
d97aa63a43e409e490adc5b21a08313841565a76215278c37bcb411828a0a822
FormBook
+ 3'019 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201123-h5b2kelkje/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ir4e.com/xbt/
Unpacked files
SH256 hash:
d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866
MD5 hash:
900555691774af90720a251bdba10f31
SHA1 hash:
75f0c1f2706dc698cb070da96fecd9e0c3685115
Link:
https://www.unpac.me/results/211ea331-8714-48bf-a86a-02650c8e556c/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/211ea331-8714-48bf-a86a-02650c8e556c/
SH256 hash:
ba40aa23b566c39d350d48aea07964c6a5046dd68cded6ce3842137ec8563d46
MD5 hash:
dab51fb711d97efff3cca013aa2c2082
SHA1 hash:
4e91f0277abbd34263b9240416e1732523a23424
Link:
https://www.unpac.me/results/211ea331-8714-48bf-a86a-02650c8e556c/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/211ea331-8714-48bf-a86a-02650c8e556c/
SH256 hash:
f553494810ba3be8f062facde71b008a00690d13454c211472c7d5c414c50e28
MD5 hash:
c1a3391d8700f10e7a38042618172d55
SHA1 hash:
d94fb7b0c7b433e9d701f21c2cb156a429a148be
Link:
https://www.unpac.me/results/211ea331-8714-48bf-a86a-02650c8e556c/
SH256 hash:
7519e8bba5fd7a2516d9887fc5804594aeb55fcdc8a83a9f3c5a1fb9c14a23d3
MD5 hash:
de2dd76c672d2118d9182f4a504794f6
SHA1 hash:
2d045ed20e0308d351ff6c61e868cd30a3e75c30
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/211ea331-8714-48bf-a86a-02650c8e556c/
Parent samples :
d97aa63a43e409e490adc5b21a08313841565a76215278c37bcb411828a0a822
a76ab3f6348514a539866d7c10def9e37f83daaf7e4678177f5cfb4ab1d4c120
d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d168997744867bbce4da90506b2182f4d015899bcddfd3924f234e739b9e7866

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/105331/

Comments