MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd
SHA3-384 hash:	09217492cf21b1485cf4c675756a1d38cf038592c46e0f5b438ce3227667d513179a407510c61f9ffc0e043038010a2c
SHA1 hash:	3e92cca40b5b3bde11265ea773e77e0cd2432f96
MD5 hash:	32414d4cae15c3a8063bf1251346533c
humanhash:	lima-johnny-berlin-pasta
File name:	FedEx TRACKING DETAILS.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	697'856 bytes
First seen:	2021-12-02 16:25:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bbc9c0e1dd018627fbe5726a5fc2ba6c (4 x Formbook, 1 x AveMariaRAT)
ssdeep	12288:CIEpAb3iVUYfqUe+L7JMlbv7fkgx8BcFcePyaW:CI8G3DYfq9+hMNTMK8Cbm
Threatray	9'748 similar samples on MalwareBazaar
TLSH	T1C9E46D62BAD09D72D9675A75CC07BDD978373E252E80794D75E8B8CC0A383433A1B983
File icon (PE):
dhash icon	b670390284e2da70 (14 x Formbook, 3 x RemcosRAT, 3 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe FedEx FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FedEx TRACKING DETAILS.exe

Verdict:

Suspicious activity

Analysis date:

2021-12-02 16:47:57 UTC

Tags:

installer

Link:

https://app.any.run/tasks/e78425f5-124f-446e-9b88-7feedeab2b0a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/210808/

Detection(s):

SecuriteInfo.com.Trojan.Win32.BestaFera.7c.7325.4767.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

0/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/570/overview

Behaviour

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

keylogger

Link:

https://www.filescan.io/uploads/61a8f39b707a51cfe28b860e/reports/ced1168d-a1db-451c-be24-6db51639ad8b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/69180c06-14a0-4e60-b539-c07361c711a2

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/900381

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2021-12-02 09:43:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=222ppouzwsjotmryfni7nre3glugzsa3p7dmsmyt6wlc3zfzcc6q._file

Verdict:

malicious

Label(s):

formbook

Formbook

48667ddc42d9eadc23dddc65f60f0de6e58afb6857953f282f7b02c115e9eed4

Formbook

4b376277cce9c1e365afb51b78046354176a443b45bb6bc123a3ea69710c6c65

Formbook

d87618f7840361408c1bd318a1977714dedc8b346684986842e0f32cdc94f758

Formbook

e22a659b73048b31aba79fce8de22ddd5a287494b763fec8d5779869dfebbf31

Formbook

ecc6439ff97e4b77f3af320e4c224f712478610fd28a1b6e6a03573c4b90f405

Formbook

fc74263d205e74a9afbb38b28b54576d528099a90877c2cb495715f4fbb96009

Formbook

+ 9'738 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:a34b rat spyware stealer trojan

Link:

https://tria.ge/reports/211202-txhdysdec8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.hdetpnipa.xyz/a34b/

Unpacked files

SH256 hash:

68ae5ffe5ad2069a531d80461d6f5ad6c210d0a19075a193894b95392827bec3

MD5 hash:

2cdfa8240841b03c9e440fbecf1ab6a8

SHA1 hash:

5f11ffeb002745eab78b1432e49adf6caf76286a

Detections:

win_temple_loader_w0

Link:

https://www.unpac.me/results/e146a3b7-b4ba-4bf7-a0dc-83d1411ed0be/

Parent samples :

6072185720cbcf2add1e2ada668484a4d55c601fcb2840ca6b7fbf9dfacdefb8
7ef8b67819945bc8f480ca064b5e3f5a330b6744d47d24b5d1c0214ca65724a3
d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd
7195589ba87f4b77bc10af665070180cf807ff7d2f8198743248edda2e85b6a5
b8aa3a9c721eae2745f1671b70869a8e3fe847a16e769d69c40727857ba54b44
897d218b958ece913adb5670a36e54f96f7d5279174c21f11cef92e31876a772
1a77fe43c21c77b47c1ea009c8a7c082eb11abcfb48ff4375cce7edc0925e9c6
a6a14f198c4aecd3c93a2e2dbecefb7f56643c231fc6eb685c5006eb825c591d

SH256 hash:

d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd

MD5 hash:

32414d4cae15c3a8063bf1251346533c

SHA1 hash:

3e92cca40b5b3bde11265ea773e77e0cd2432f96

Link:

https://www.unpac.me/results/e146a3b7-b4ba-4bf7-a0dc-83d1411ed0be/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d6b4f7ba99b4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/d6b4f7ba99b492e9b2382b51f6c49b32e86cc81b7fc6c93313f5962de4b910bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/210808/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample