MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7
SHA3-384 hash: 3ce3eb4bab8c60cae8dfb1f0758bf1fb26aac05ec3b8ee943223c3e8bb7d42d0727ca7f8be9e60c24380f4e9a815b6d7
SHA1 hash: 01bbbbc3a4f304dbe65e5331f79baa0705f4fb7b
MD5 hash: 3e19b57f827e4d5df5e09cd5cc115249
humanhash: thirteen-london-hamper-double
File name:3e19b57f827e4d5df5e09cd5cc115249
Download: download sample
Signature Formbook
Create hunting rule
File size:815'616 bytes
First seen:2022-01-05 09:02:20 UTC
Last seen:2022-01-05 11:11:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3b6a2f72022738defeb0f4d2200e22a0 (1 x Formbook, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep 12288:PPnSCqHwtibQJ8OWxswCtnN+ziM96wDoMJaLrg8UujcfGBA+:PPnIQhxEswCtnNcJT8MZ83jlA
Threatray 192 similar samples on MalwareBazaar
TLSH T129058D22A3918877D2B316389C5B9694982EBE003D34FD477BF51E4C4F762A079392E7
File icon (PE):PE icon
dhash icon 63311c0e4f3bfeea (1 x Formbook, 1 x AveMariaRAT, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTE.xlsx
Verdict:
Malicious activity
Analysis date:
2022-01-05 08:26:38 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/0210df58-8788-4b1c-be39-2e7bd2cd983b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217405/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.11147.20182.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Searching for synchronization primitives
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/61d55eca92bdc4b4078000d5/reports/e012a6c6-b204-4dde-acdb-ccabd4791361/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95dc8138-96f4-4de5-a898-831f9d2c6878
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/915721
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548198 Sample: 0BFJSiSdej Startdate: 05/01/2022 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected FormBook 2->60 62 Machine Learning detection for sample 2->62 10 0BFJSiSdej.exe 1 18 2->10         started        process3 dnsIp4 54 cdn.discordapp.com 162.159.129.233, 443, 49735, 49737 CLOUDFLARENETUS United States 10->54 44 C:\Users\user\Contacts\Krrajobzsg.exe, PE32 10->44 dropped 46 C:\Users\...\Krrajobzsg.exe:Zone.Identifier, ASCII 10->46 dropped 84 Writes to foreign memory regions 10->84 86 Allocates memory in foreign processes 10->86 88 Creates a thread in another existing process (thread injection) 10->88 90 Injects a PE file into a foreign processes 10->90 15 DpiScaling.exe 10->15         started        file5 signatures6 process7 signatures8 92 Modifies the context of a thread in another process (thread injection) 15->92 94 Maps a DLL or memory area into another process 15->94 96 Sample uses process hollowing technique 15->96 98 2 other signatures 15->98 18 explorer.exe 2 15->18 injected process9 signatures10 64 Uses netstat to query active network connections and open ports 18->64 21 Krrajobzsg.exe 13 18->21         started        25 Krrajobzsg.exe 15 18->25         started        27 NETSTAT.EXE 18->27         started        29 2 other processes 18->29 process11 dnsIp12 48 162.159.133.233, 443, 49762 CLOUDFLARENETUS United States 21->48 50 cdn.discordapp.com 21->50 66 Multi AV Scanner detection for dropped file 21->66 68 Machine Learning detection for dropped file 21->68 70 Writes to foreign memory regions 21->70 31 logagent.exe 21->31         started        52 cdn.discordapp.com 25->52 72 Allocates memory in foreign processes 25->72 74 Creates a thread in another existing process (thread injection) 25->74 76 Injects a PE file into a foreign processes 25->76 34 logagent.exe 25->34         started        78 Modifies the context of a thread in another process (thread injection) 27->78 80 Maps a DLL or memory area into another process 27->80 82 Tries to detect virtualization through RDTSC time measurements 27->82 36 cmd.exe 1 27->36         started        38 explorer.exe 1 131 27->38         started        40 explorer.exe 27->40         started        signatures13 process14 signatures15 100 Modifies the context of a thread in another process (thread injection) 31->100 102 Maps a DLL or memory area into another process 31->102 104 Sample uses process hollowing technique 31->104 106 Tries to detect virtualization through RDTSC time measurements 31->106 42 conhost.exe 36->42         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2022-01-05 09:03:13 UTC
File Type:
PE (Exe)
Extracted files:
71
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3sgczkckprkgrt5xw27vsoloamz4rukf3qep2hx3x26z7iaifxlq._file
Verdict:
suspicious
Similar samples:
44e3a5d07ad41e0c1e023eeb97798f0822d706abb3406b61466d32a7d29c8726
Formbook
460834ec55aa694ab0d984921534e5b7111bcb024abb36f7bace052fdeb448e5
Formbook
9325090b7a2b8058a946f11388db15813a8927708aa54bf9aa6b5925f2b22d1d
Formbook
964a32e3b4170aa8a5d45ce250e3abbbd424ee0a9d956ca872d405bdf5abe88d
Formbook
bd1a32d919982c93f90c87338d43be0ba26245407a00c3ddb897eb806d561256
Formbook
c2f1660c8591d5975eb025aba06a188739dc8be2f9308cba2a319dc8603c0b15
Formbook
d4c6f300ccf9337a10d13a66a2b6b956a0e6e9673741f9b88f5811beb3a62829
Formbook
d5a3ea57e5b06d762dac32cf4c4296643a552803e9ff9e80f801f7085b4b891a
Formbook
fe1291793c9992efdb89799f37f0cf50cb9ef51f3a10d97d20431a2e4fadae70
Formbook
fe23294471a62757c45932f4c5f6196585cc44f3ce5d29649868fe49c691ffa2
Formbook
+ 182 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:g2fg persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220105-kz15eaadhl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
5852f167948b3cf3fcd175ed0acc3cd43456ab0aecae4ac68121bde1906bcf39
MD5 hash:
bb66163c0a181098d801f3d6b775f73f
SHA1 hash:
fe4adcf4bf6146cac5b4eb192c99fc0cebba323b
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/03a64a0c-1121-4b60-bd36-d4b64299cbd5/
Parent samples :
8865c82943ba3a6479fca40222a730e22e3d1cd279c6c6e0915c5c47f893636a
71cf991b9060d1fcefd467162ecfe99c89c47da31d29489e299f7bec73d56a83
dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7
9092a8499f245641da71311b2f4dcafac1b61c30f1f5d5808fed38f5125cbc57
4cdb484aff91fc4c74a8f2750296212dd12af808fee3e01bf9b8d0feafbd8fc1
c06ba0d73edee0ae9eb7cd4631273d6afb5608b0ebf669cb250b51dfc644cb85
40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad
92cee18d0c9e246f28b38a8d35442d44f8cc8eab883b5e3e0c3a09ae96de846c
1dfdb77409e4402860f9a644890b904f68d377cc5f9320828aa320b7e835e207
65c55c73382e84ea8a229ba4c65ce12c956b3e86916e343ed6e933a10735e9b1
84e9426e79655328d7e51384cd16697772d5fa8043ef793e4777ec7e3c38c6d0
778fb400067e1de625dfa7e62e7091cc28e75fc44673562dc193f4b486fdcef0
a84d4b61bab51a5eaf7d9b1a96ab450a5057ddbebb4a38617755b6286d19e9a1
83f6940a0fadd38a9a73e859f46173631822ee985037994c6c55b328721d76bf
70d04c9ec5f8c5f8a5c1cd82ad19eee2ddd26145848bc2ffe90d1b51645cac2e
f31ca1220140f0489ddef71cf10ef3636537422acaefd6dd8d9199a942feb128
e98006424a36e34271488f8a584b535b0bdf1650d2da228ec4c2a94e24ca20bb
a2948f7e3c13f7c9a54e44a6bd601ca6b8a3c2d97b7c8d6b28d1475f0caf81b8
80bee5948290fe93aa9aba9789c364c3e71f4d9039ec68a56dc05a4af7b0a502
ad2910f066744846d0233c9eb6643a71fe1643e5a107646b95c88608cddf1ed8
fdf39d043cc55d6a72b1fe01c9067bb7591d5c379798499148521e6158afeea0
c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d
dbb93c60e5e74632af64452fe9ec5acd788140d0eb3231655a47203e86ef6b55
feb40c343aa65f5f5c0a32443535effa22652067c576416857e4d7280ce85e11
cab5f50e805b3a36e0ea6cf84c40b4b90e372fcd2f3f1024664af5440282d496
SH256 hash:
dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7
MD5 hash:
3e19b57f827e4d5df5e09cd5cc115249
SHA1 hash:
01bbbbc3a4f304dbe65e5331f79baa0705f4fb7b
Link:
https://www.unpac.me/results/03a64a0c-1121-4b60-bd36-d4b64299cbd5/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dc8c2ca84a7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe dc8c2ca84a7c5468cfb7b6bf59396e0333c8d145dc08fd1efbbebd9fa0082dd7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1950561/
Cape
Cape
https://www.capesandbox.com/analysis/217405/

Comments


Avatar
zbet commented on 2022-01-05 09:02:21 UTC

url : hxxp://202.55.132.154/windows_ny/vbc.exe