MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dccfc975065a099ebeef539e8b55204c0bb0f234113b8b4dec6ce830b829ae68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dccfc975065a099ebeef539e8b55204c0bb0f234113b8b4dec6ce830b829ae68
SHA3-384 hash: 9460820c096f4dbb363969b281fe461290d6d0c834d8f4180c1ca19a774b4dea526913b77239d956804b68918eba4840
SHA1 hash: 0a58b60e269b65813eaf85f708b5b3cc57fef636
MD5 hash: bf15d17b336bbed465648db314e9be96
humanhash: indigo-cup-monkey-avocado
File name:January - February Wholesale & Supply RFQ-Selections Items_202112_13.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:522'651 bytes
First seen:2021-12-21 12:00:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:Ha1Ez8nD2XRpFi/JOg8O7nq0O1m+uALnWr5Myhai45qN65V:61u8DQXQ/t8cnjO1m+uALn259VOqA5V
Threatray 12'566 similar samples on MalwareBazaar
TLSH T1A0B42358E9894EA7C9294F7160F8FB15DBBA7F4452158CF38B1D7D9223B2342983C0E6
File icon (PE):PE icon
dhash icon 07130323210f0c0f (1 x Formbook)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
January - February Wholesale & Supply RFQ-Selections Items_202112_13.exe
Verdict:
Malicious activity
Analysis date:
2021-12-21 12:09:23 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/895bcbb2-cc21-47ba-8613-4b120f59a8fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215638/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2840/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61c1c1ceec6c6c14a9e7730c/reports/5a2cbb07-073b-47d4-8147-c351d33cf642/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c76987bb-c7c9-4bfe-968f-da95d2b5e577
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910914
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 543388 Sample: January - February Wholesal... Startdate: 21/12/2021 Architecture: WINDOWS Score: 100 35 www.lmgt.one 2->35 37 lmgt.one 2->37 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 6 other signatures 2->55 12 January - February Wholesale & Supply RFQ-Selections Items_202112_13.exe 17 2->12         started        signatures3 process4 dnsIp5 39 192.168.2.1 unknown unknown 12->39 33 C:\Users\user\AppData\Local\...\yumlmbdq.dll, PE32 12->33 dropped 65 Injects a PE file into a foreign processes 12->65 17 January - February Wholesale & Supply RFQ-Selections Items_202112_13.exe 12->17         started        file6 signatures7 process8 signatures9 41 Modifies the context of a thread in another process (thread injection) 17->41 43 Maps a DLL or memory area into another process 17->43 45 Sample uses process hollowing technique 17->45 47 Queues an APC in another process (thread injection) 17->47 20 explorer.exe 17->20 injected process10 process11 22 WWAHost.exe 20->22         started        signatures12 57 Self deletion via cmd delete 22->57 59 Modifies the context of a thread in another process (thread injection) 22->59 61 Maps a DLL or memory area into another process 22->61 63 Tries to detect virtualization through RDTSC time measurements 22->63 25 cmd.exe 1 22->25         started        27 explorer.exe 2 152 22->27         started        process13 process14 29 conhost.exe 25->29         started        process15 31 conhost.exe 29->31         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dccfc975065a099ebeef539e8b55204c0bb0f234113b8b4dec6ce830b829ae68/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-12-14 03:33:13 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 41 (53.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3th4s5igliez5pxpkopiwvjajqf3b4ruce5ywtpmntudbobjvzua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00f38651e028591175cc482289f6ceabfed9592b7176a24d8f00999ebb0bf996
Formbook
2f08f5b23a062671fba5957b98d05a728299bb1ae98695b9b5d36e75528ccab7
Formbook
454e6a9fe16097791104b2cd31527b96f616c040fd202bacd602155bc3299166
Formbook
696ba6fed0994cac4e47993f336820499cd3faf3ce4713d4e0be0ea0d91748af
Formbook
a48338ad920df299184caed650b6105804c67269494766bdb8651f4d288b8a0b
Formbook
b21bb739e3596952c4a2c91442e5e3e2785c0be27c59e452ff3d6f2565e318e6
Formbook
b94f37134c31d499c2e8e3d952cb81c1453d211d1ecdfc2eaa32cc8f6b5c5604
Formbook
b9b0ce10496a723998fd40bd2662d231e6135c465000d319b708736570d0bd09
Formbook
cdbd429589993cd6933f05398fcb85c422405abd08d73ab35b640da0acf404a8
Formbook
fcc9a8bcf0f3ce38b65db3c62f942f77f537acb4a17ac2fd8a6a8293ea896fb9
Formbook
+ 12'556 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:bnq2 loader rat suricata
Link:
https://tria.ge/reports/211221-n6cbeaeben/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
dccfc975065a099ebeef539e8b55204c0bb0f234113b8b4dec6ce830b829ae68
MD5 hash:
bf15d17b336bbed465648db314e9be96
SHA1 hash:
0a58b60e269b65813eaf85f708b5b3cc57fef636
Link:
https://www.unpac.me/results/ce19f7f7-796d-432a-b125-02dee8e04893/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dccfc975065a099ebeef539e8b55204c0bb0f234113b8b4dec6ce830b829ae68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe dccfc975065a099ebeef539e8b55204c0bb0f234113b8b4dec6ce830b829ae68

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/215638/

Comments