MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d88ceed41b733547f614837d8b9c3967aefa9a81b8afb869e35657288650ef54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d88ceed41b733547f614837d8b9c3967aefa9a81b8afb869e35657288650ef54
SHA3-384 hash: 92025e09ce25d2bb8f55e4a08a7973d263b9b220d1dde9d6daf24190af3ec22036ccaa8ff09e0e68aadb76d5143404ec
SHA1 hash: e5b49b4260cb1da2cb5b2d4ff507e38ba8925771
MD5 hash: 030ab1a282e8eb619f8e2edd1504e32e
humanhash: lactose-golf-michigan-oregon
File name:030ab1a282e8eb619f8e2edd1504e32e
Download: download sample
Signature Formbook
Create hunting rule
File size:1'319'424 bytes
First seen:2021-12-13 22:09:28 UTC
Last seen:2021-12-13 23:38:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:yyaiub3VIRRjFta1iLHlTAc/ClTR9pwyvUpRHa/YoZQdqqkUkYbQzyFVP0HxoypE:FM3Wja1ClTHCP9myv0takJkObQz49k/+
TLSH T1A955231A70A9D926C434A3B996E742D443F81D09B895EB097DCD63DBA0DA3D1CF042EF
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
030ab1a282e8eb619f8e2edd1504e32e
Verdict:
Malicious activity
Analysis date:
2021-12-13 22:11:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/957b86ed-bc70-4297-9660-4099f7ac9834

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/213780/
Detection(s):
PUA.Win.Packer.Medvedev-6482674-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61b7c4c247bb875c085b7baf/reports/29d465f6-22f9-45f1-b543-b52c272ad922/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a98be0f-b79b-4195-9a16-d5def1455ce0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/906760
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 539238 Sample: 55u442XOz6 Startdate: 13/12/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus detection for URL or domain 2->33 35 6 other signatures 2->35 9 55u442XOz6.exe 3 2->9         started        process3 signatures4 37 Tries to detect virtualization through RDTSC time measurements 9->37 39 Injects a PE file into a foreign processes 9->39 12 55u442XOz6.exe 9->12         started        process5 signatures6 41 Modifies the context of a thread in another process (thread injection) 12->41 43 Maps a DLL or memory area into another process 12->43 45 Sample uses process hollowing technique 12->45 47 Queues an APC in another process (thread injection) 12->47 15 systray.exe 12->15         started        18 explorer.exe 12->18 injected process7 dnsIp8 49 Self deletion via cmd delete 15->49 51 Modifies the context of a thread in another process (thread injection) 15->51 53 Maps a DLL or memory area into another process 15->53 55 Tries to detect virtualization through RDTSC time measurements 15->55 21 cmd.exe 1 15->21         started        25 www.livheallthhyiwagat4.xyz 150.95.255.38, 49836, 80 INTERQGMOInternetIncJP Japan 18->25 27 www.powerfamilylaw.com 18->27 57 System process connects to network (likely due to code injection or exploit) 18->57 59 Performs DNS queries to domains with low reputation 18->59 signatures9 process10 process11 23 conhost.exe 21->23         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d88ceed41b733547f614837d8b9c3967aefa9a81b8afb869e35657288650ef54/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-12-13 22:10:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:9g6m rat spyware stealer trojan
Link:
https://tria.ge/reports/211213-13dfhsfeak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.solkitties.art/9g6m/
Unpacked files
SH256 hash:
b4cf5e9930af610200ee8e273d881ed8f30f269469a8bd0d25b9f0becbc1a218
MD5 hash:
6eef8161fe427a79728e24e6bb5ec877
SHA1 hash:
1cb8a2c12068475115561ffe298fbd1b0a578f84
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/16122cd8-ca8e-4ab6-acb3-70d669eb1bfc/
Parent samples :
8590ed565f8e910b38ca91f89df8dc73bd6fec5eabb2b6964f70b4ad586f801e
baa6c0d95345936cfa15289e60aebd590fcea005d546d40e6e6933657508a277
2d69ba81e9f99d3c2b8998d98160bd087cb3f70203761a58255fbee3c7919a06
d88ceed41b733547f614837d8b9c3967aefa9a81b8afb869e35657288650ef54
8f454860eb8461e6febf3a1977cc7a53733dd72960fec1a41d17ab4e03af6f0d
268f31549715ba5100a49d8b7dd4858118e864c44e153d40d6dec3cdbb223336
101477ca4a93dd39fc6c14ae5f278753bdd78a2eba5b30b63e8bcd2b9c49bab5
SH256 hash:
f8ee3ec61da05401295cfc650a604dc644a16a8d7afc9f090cd9f7a0d9300317
MD5 hash:
7e9f1e09d0aa634d949c26737c26ff3c
SHA1 hash:
cb6b35efc98d0656148907ce56268a964556664d
Link:
https://www.unpac.me/results/16122cd8-ca8e-4ab6-acb3-70d669eb1bfc/
SH256 hash:
ccc208e31f5e505f951adb2e4b8fb9d240cd91f9dd323a74baf70d45e5f3fc4f
MD5 hash:
73098c44996d88755205913a53ce8542
SHA1 hash:
c4f21415e644865a57188c8293e64ec74394389b
Link:
https://www.unpac.me/results/16122cd8-ca8e-4ab6-acb3-70d669eb1bfc/
SH256 hash:
d88ceed41b733547f614837d8b9c3967aefa9a81b8afb869e35657288650ef54
MD5 hash:
030ab1a282e8eb619f8e2edd1504e32e
SHA1 hash:
e5b49b4260cb1da2cb5b2d4ff507e38ba8925771
Link:
https://www.unpac.me/results/16122cd8-ca8e-4ab6-acb3-70d669eb1bfc/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d88ceed41b73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d88ceed41b733547f614837d8b9c3967aefa9a81b8afb869e35657288650ef54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe d88ceed41b733547f614837d8b9c3967aefa9a81b8afb869e35657288650ef54

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/213780/
  
URLhaus
https://urlhaus.abuse.ch/url/1881908/

Comments


Avatar
zbet commented on 2021-12-13 22:09:30 UTC

url : hxxp://198.46.199.153/60403/vbc.exe