MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6
SHA3-384 hash:	f1455edca85ab245cc08bf20402b661d2153de4f57e858d216dcd609b558e8de40a964c09f26f4141ca66902db188004
SHA1 hash:	b29ba7c24d595ab6561c6437943270c7705fd466
MD5 hash:	b12de0bde0e62950be3ea3905097c670
humanhash:	wyoming-ink-bravo-connecticut
File name:	NEW ORDER FROM CANADA.scr
Download:	download sample
Signature	Formbook Create hunting rule
File size:	724'480 bytes
First seen:	2022-04-12 14:14:12 UTC
Last seen:	2022-04-12 14:56:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:vFxzLrRuYLD4qfgvrt/FnCkwa5FQDySg05akpYg6:P9L0qIhFCkPbtSg+h
Threatray	14'881 similar samples on MalwareBazaar
TLSH	T128F4BF15FAB6C912E2E5173BC0E7080403F4AA47D936E72F3791A2A51D133EB5E4639B
File icon (PE):
dhash icon	73432b4d556d597d (15 x SnakeKeylogger, 14 x AgentTesla, 12 x Formbook)
Reporter	GovCERT_CH
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

NEW ORDER FROM CANADA.scr

Verdict:

Malicious activity

Analysis date:

2022-04-13 01:31:06 UTC

Tags:

formbook trojan stealer

Link:

https://app.any.run/tasks/73998276-b99b-4c1e-8461-e6320d91a57e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/263138/

Detection(s):

SecuriteInfo.com.Trojan.MSIL.Noon.lc.20359.31351.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe expand.exe obfuscated packed

Link:

https://www.filescan.io/uploads/62558969eab80a7a6c011216/reports/b411edaa-e062-4ebf-a556-49d7a45e98cb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1802431c-be87-4664-9e40-3c889ff73d23

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/975437

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2022-04-12 14:15:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 25 (56.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3qqjyymay3ghcva45wylgekjtmyik6zfupqz6lhnmbz3kp7flpta._file

Verdict:

malicious

Label(s):

formbook

Formbook

52a948983c37f9056c1c2701179cb3698eb8c077faacd622ba26aef8055388ed

Formbook

76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6

Formbook

b0f1a1bfefa0359f8ef181219a761192e70a2d8ec0dd07692ffe24814f50c11d

Formbook

bce2bc3a55dfecfd388b134663893b70c3830b20a8afa395e36a28097e305943

Formbook

dcec29b67b720887c02915f7eb210942445a64e450f03bf12ca03ed345bc300a

Formbook

e51d07f5a5a73b65e0ddd7f2b94fa87a3fede71fbb4e4b35c57b9fc56dd198ee

Formbook

f2d58fc68302fb9cfc6ba93ca4f01f17c8baf7fef4cdfef59638e61fa4f54ad4

Formbook

+ 14'871 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:s16r rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/220412-rkj1xacdbm/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Unpacked files

SH256 hash:

dba88743bd48da8979345d7fb414a23e693ea124f9bad75c18c9496fbbf4942c

MD5 hash:

06ee9717e415654f0daf2ac073e175a5

SHA1 hash:

774f649c6aaa48fb6a1a676902b821bc16a09601

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/375599f5-30a7-462e-ab74-b73368da1381/

Parent samples :

24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244
f2d58fc68302fb9cfc6ba93ca4f01f17c8baf7fef4cdfef59638e61fa4f54ad4
dcec29b67b720887c02915f7eb210942445a64e450f03bf12ca03ed345bc300a
76c2944d78f0dac034e5a7cc6a916c30e66a88aaaaf3481b9af71db7bcdf9ca6
e6d85a6287cb583fc5dec0b47a3288d9d0bed8e103991797b14a0e16ab41a9b4
4c5d57b063eeb8b59a0d22007e4698b75e7f16d2144636fd0610661a733b5b1b
668deaef1d8c72ce98a734831d2fa70a27e85948c497d5f980c7d8236416fc52
6cc892ee85c0247a54d6329b73857fac9d20b9b76d6b4d360fe5c752a0983180
710cf8f0a914a5baf6d61323ec2f33babc05c1374f4ae3fa8a2b04099c8f1b7f
e51d07f5a5a73b65e0ddd7f2b94fa87a3fede71fbb4e4b35c57b9fc56dd198ee
f71ffb7f3aa8f472021605310da900b36925efcf3f2965b6e541f0aaab4eb1c3
7b019b56698280d4c945147470334d6a5dea23d758713028d21bcfe34d4f0123
504c2a875f8a0f0b9cf47d70aa3f32defa0e3b66f403fe6eccba4f89b7cc379f
dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6
29a4e548415db316b3e1eea470848a8f339d93afa5bb47cbb357b42a95d5e350

SH256 hash:

b4364bba1d1c0f9cd4f07899b646ab90c1fcee31a985cea8377960da1692903a

MD5 hash:

42d633e43e81a4b3b1e7c3e61a2bbcb4

SHA1 hash:

9e459eedfcd7d56b3917372066a55279e35a60fc

Link:

https://www.unpac.me/results/375599f5-30a7-462e-ab74-b73368da1381/

SH256 hash:

894004ab6e982774d5da50b7d277bdbaff05ee4c43456c1af7c37e83fc6b3ace

MD5 hash:

831f3f9a2c3184828fcca08b0199c878

SHA1 hash:

6aa11d0f68fe54ae5e6a8d82cd430446705694c8

Link:

https://www.unpac.me/results/375599f5-30a7-462e-ab74-b73368da1381/

SH256 hash:

78b42403bd39846a7066f27f6d7c355fd6ae2db1f37486bc0bcac61f3176b839

MD5 hash:

fe84780e813f1a3e2e4dfd9f9a8d7976

SHA1 hash:

02165ea3e76579bc283faaac5b48bf82dc8723ae

Link:

https://www.unpac.me/results/375599f5-30a7-462e-ab74-b73368da1381/

SH256 hash:

dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6

MD5 hash:

b12de0bde0e62950be3ea3905097c670

SHA1 hash:

b29ba7c24d595ab6561c6437943270c7705fd466

Link:

https://www.unpac.me/results/375599f5-30a7-462e-ab74-b73368da1381/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/dc209c6180c6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_Formbook_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe dc209c6180c6cc71541cedb0b311499b30857b25a3e19f2ced6073b53fe55be6

(this sample)

Dropped by

formbook

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/263138/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample