MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
SHA3-384 hash: b000cf7a2708dc942ee4e04dec00c5656fdf0452e04ccb13a179d05b9929bf4fec9e73b48e43f4ab89981218b33d1190
SHA1 hash: 05bb69bb01e6aeb6b92bf09ad6ce194b4f2e748c
MD5 hash: 8306a90a10e3fc42341768b333d3a957
humanhash: iowa-high-apart-speaker
File name:KOC.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:831'488 bytes
First seen:2021-09-20 09:57:11 UTC
Last seen:2021-10-04 13:10:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:65MTdFUoSsmtiK5oyZ3+cGwkUp/0fciw99blihfJGJVR53squN:F1+FovcKLgbl2G1aLN
Threatray 9'397 similar samples on MalwareBazaar
TLSH T14C05ADC17D47D89BF4DF2AB3986FC12011656E9D9161C73D2682BA2B59F3302309BE4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter pr0xylife
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
5
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KOC.bat
Verdict:
Malicious activity
Analysis date:
2021-09-20 09:58:40 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/a6395992-47bc-4c83-915c-0e043f01fdd9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189380/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.24693.11635.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b71ef44-b1d5-4af2-8e89-3eab3ee35df8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853908
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486341 Sample: KOC.bat Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 37 www.trendinggk.com 2->37 39 ic-54113400-0a7b2f-windowsupdate48.s.loris.llnwd.net 2->39 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 8 other signatures 2->53 11 KOC.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\tmpB857.tmp, XML 11->33 dropped 35 C:\Users\user\AppData\...\jAYDwUGqvmPQSR.exe, PE32 11->35 dropped 65 Uses schtasks.exe or at.exe to add and modify task schedules 11->65 67 Tries to detect virtualization through RDTSC time measurements 11->67 69 Injects a PE file into a foreign processes 11->69 15 KOC.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Maps a DLL or memory area into another process 15->73 75 Sample uses process hollowing technique 15->75 77 Queues an APC in another process (thread injection) 15->77 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 41 www.visionandcourage.com 20->41 43 www.dyvikapeel.com 20->43 45 5 other IPs or domains 20->45 55 System process connects to network (likely due to code injection or exploit) 20->55 26 rundll32.exe 20->26         started        signatures11 process12 signatures13 57 Self deletion via cmd delete 26->57 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 08:54:08 UTC
AV detection:
3 of 45 (6.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2opmf637ub53ncdbonlreywsgjgznnxiphgmj4wourxm4gb6k5va._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4f9d8536fa4475655dd14db7d472399f2b7214ddb16d3483f9a2a673e4fc1543
Formbook
82de7428f30e703ae55105807dd3c3c19e2f8a377e7a5c2b925537a182d3a886
Formbook
85c528083c96b1f895ddd73681a8b78caf639b8dcf91eca47ae4e7e7cd3e3540
Formbook
8898f85efa9e25992b6e00da2b7d3338649ebf89d26a92b9bf156618960f5466
Formbook
92737036f323b1c72064c1e8038a942266435048a3ce4847f7e5b29558376c1c
Formbook
96d01352b8291a658a602d403e2133d469945ab385d9746db535aba474fc04d0
Formbook
9c1d6191badf084113871feba0049fac8a2bb5761136877383579cdcf7cd781a
Formbook
a3703cc485d2a99cfec122203ed2d7dd83274af8bd0b3bcfab3fd590dd5c308c
Formbook
e3ccade6f4b9accc6cffa813b88862d68f78f0f1c601a57d0573e60deea6a370
Formbook
e8be28fabd7cdb2d4e96137dae73bd9b227a86b654c696e9fd401cb37ec68267
Formbook
+ 9'387 additional samples on MalwareBazaar
Result
Malware family:
mimikatz
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:mimikatz campaign:if60 rat spyware stealer trojan
Link:
https://tria.ge/reports/210920-lzhhqsdeh9/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
mimikatz is an open source tool to dump credentials on Windows
Formbook
Mimikatz
Malware Config
C2 Extraction:
http://www.handelsbetriebposavec.com/if60/
Unpacked files
SH256 hash:
ade224c5af46b5e0b4a3650a5544b20e9dad7e6fa5aeeac0037e05d83fdcb177
MD5 hash:
42ae73cdadc87e07cc5e94668c52eb8e
SHA1 hash:
d1882744abbca9ac468f23867a264a5a2a49743f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4240b1f2-44c0-4713-b1ac-8e089423fd23/
Parent samples :
d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
7162b4c9de1772aa721d26d185fd1b7e32a9de5c6ebfd86cab3ef0ed7561a837
99b495e7c6df7f7bf887cd2d7f143e4103dfaf57990a0712bac7d33a2c6d6f0c
49d82a6b19fe35893b419696bace48db225826ccfa73da61ca22f59f7f045406
1758a9b18032ce82f4e95249413ee1a8cbade1ef2cb773bc958502801f3af738
581490b0a14adee57f1862645ccf257d1db7720d31ba7a8b58756f1a11672223
680993e1220c8d918f192ae23c5c01b6357c58ad68b7cc59fa122c09b7b85cdd
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/4240b1f2-44c0-4713-b1ac-8e089423fd23/
SH256 hash:
eb7556498fc215e9f9e1ff4cca4d84dec52473e92ddb78f9c103ea28418e396a
MD5 hash:
a3df35af3e78d98a3773cdfe672a43f8
SHA1 hash:
8aeca8171500c0ad42b69ecb1de6998bd0c727a2
Link:
https://www.unpac.me/results/4240b1f2-44c0-4713-b1ac-8e089423fd23/
SH256 hash:
d2ffcdab24f555d2bd15200cbeb95360c9389a6cf4a36fefb20388d8fb4c5d12
MD5 hash:
759dfe2148ecdf6538895c7914bf03b0
SHA1 hash:
37f83e550505118d835d0c8f173144b574b7476a
Link:
https://www.unpac.me/results/4240b1f2-44c0-4713-b1ac-8e089423fd23/
SH256 hash:
d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
MD5 hash:
8306a90a10e3fc42341768b333d3a957
SHA1 hash:
05bb69bb01e6aeb6b92bf09ad6ce194b4f2e748c
Link:
https://www.unpac.me/results/4240b1f2-44c0-4713-b1ac-8e089423fd23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189380/

Comments