MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c
SHA3-384 hash:	79e713a613f4208e9fc9c60cf6b2345399bee5b1afc554bf6d149fa6a299d08e0fb4fc7e89162ac006ac9aea6a9afc42
SHA1 hash:	79722fc086458b2fef063047ed56360096dbccc9
MD5 hash:	ec7465664bc2345ef248e248a1b5899d
humanhash:	king-charlie-helium-paris
File name:	file.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	189'952 bytes
First seen:	2021-09-28 13:06:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:b7HWB2kB5JN+t13WUBmtqzbZSiq6zVmHpyxof++11M612b:nsxGZWsmUzbsiq1O7+1mk2b
Threatray	9'960 similar samples on MalwareBazaar
TLSH	T1FE04AE36E642C031E1B251B5F67D0B7B483E4E353294A4EAE3F115E16FA49A5B03A31F
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file.exe

Verdict:

Malicious activity

Analysis date:

2021-09-28 13:12:05 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/1f6c743b-7f4b-4b2a-8803-cdebc7e545ba

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PWS.Banker1.29984.UNOFFICIAL

Win.Malware.Formbook-7399661-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Launching cmd.exe command interpreter

DNS request

Connection attempt

Sending an HTTP GET request

Possible injection to a system process

Unauthorized injection to a system process

Deleting of the original file

Unauthorized injection to a browser process

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/09620ef7-d023-4fb4-bf4c-ea8abb92a1eb

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/859859

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-09-28 13:07:04 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3txflsmjm4ksolh5grfhuyx6nro34dtb27mfjc7o3jdmcw6y4b6a._file

Verdict:

malicious

Label(s):

formbook

Formbook

62ee412123d6e8832cebbf33d84d5695adc4fc2d66f0ec7222d9ccd5f21d4866

Formbook

67cb5ce28fc7e9a5dae6c7be6da453844762fdea43d985cfc761c1ded66487f0

Formbook

6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca

Formbook

972f5e016ffc306524d7083a5a5058ba8b5fc60f3db9f3c0915db59c0523a487

Formbook

9d503fba930fcf9724778a17659948875302b2fc7148c82779c29dfc18fb8cc3

Formbook

a2d7a6453efd6b8c31af2e225ae7f93064d44fe328b5bb2e530d820e5e6ca5f8

Formbook

b25ef1151578640a5bb9e01fada60a8792fc4d3e92f3ddabf19ba4cd6d630f57

Formbook

cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753

Formbook

daac858e9ca5b0c8044385c2d94cbef17c41b0bd5c569ad7e03f0a51b4caab7a

Formbook

+ 9'950 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:j3gd rat spyware stealer trojan

Link:

https://tria.ge/reports/210928-qcmldscae4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.fracturedmindset.com/j3gd/

Unpacked files

SH256 hash:

dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c

MD5 hash:

ec7465664bc2345ef248e248a1b5899d

SHA1 hash:

79722fc086458b2fef063047ed56360096dbccc9

Detections:

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/6ef7806a-d451-426e-9814-702e2bce5979/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/dcee55c98967/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/dcee55c9896715272cfd344a7a62fe6c5dbe0e61d7d8548beeda46c15bd8e07c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample