MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf
SHA3-384 hash: 50caf70477b663ee63a3947a8482056d281377227d019a945370f8df281d73f2c13946d21bf9e7b75d431fb3723ff837
SHA1 hash: 2605ad8396b5ea90c8a371fdb76c58b12931d66c
MD5 hash: 44d628546ab1eff55064627d70a3cb27
humanhash: early-quebec-eight-timing
File name:Signed PO801221651.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:230'413 bytes
First seen:2022-12-12 16:17:49 UTC
Last seen:2022-12-12 17:33:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:QBn19gIhWchRDSM2RnW9hCcftsLzSjW3qoC6mD:gqPc7SMYnWTCUtTK3qoC9
TLSH T1E234137566E644BBE51346320932CA35E6F7EA0518046BC32FE08FBA78797E3E4DE441
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Signed PO801221651.exe
Verdict:
Malicious activity
Analysis date:
2022-12-12 16:18:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e191ff9d-199b-43eb-af73-17a9174379f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/345517/
Detection(s):
Porcupine.Trojan.Win32.Formbook.gen.59397.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6397543b04e0e79bdf4274b8/reports/f212f89e-7fb0-4e71-bcac-6ad45d061f84/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/113a0152-8e68-4460-9699-0d0b70cc3f01
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1132816
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 765539 Sample: Signed PO801221651.exe Startdate: 12/12/2022 Architecture: WINDOWS Score: 100 26 www.nu2uresale.store 2->26 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 3 other signatures 2->50 9 Signed PO801221651.exe 19 2->9         started        signatures3 process4 file5 24 C:\Users\user\AppData\Local\...\bunrjzni.exe, PE32 9->24 dropped 12 bunrjzni.exe 9->12         started        process6 signatures7 52 Multi AV Scanner detection for dropped file 12->52 54 Maps a DLL or memory area into another process 12->54 15 bunrjzni.exe 12->15         started        process8 signatures9 56 Modifies the context of a thread in another process (thread injection) 15->56 58 Maps a DLL or memory area into another process 15->58 60 Sample uses process hollowing technique 15->60 62 Queues an APC in another process (thread injection) 15->62 18 msiexec.exe 13 15->18         started        21 explorer.exe 15->21 injected process10 dnsIp11 34 Tries to steal Mail credentials (via file / registry access) 18->34 36 Tries to harvest and steal browser information (history, passwords, etc) 18->36 38 Modifies the context of a thread in another process (thread injection) 18->38 40 Maps a DLL or memory area into another process 18->40 28 www.cpitherapy.com 178.128.239.245, 49700, 49701, 49702 DIGITALOCEAN-ASNUS Netherlands 21->28 30 www.p-soils.com 162.43.120.154, 49703, 49704, 49705 CYBERTRAILSUS United States 21->30 32 4 other IPs or domains 21->32 42 System process connects to network (likely due to code injection or exploit) 21->42 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 14:12:05 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=43cmeuovjaoamxrd2ibgecvc2lioxr7e2fm2oddkzhrxpacnuw7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:m5oe rat spyware stealer trojan
Link:
https://tria.ge/reports/221212-trx78abg73/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4f35e645-4b64-44fc-959f-2b9f1cd4b557
Unpacked files
SH256 hash:
1e050e7b9dbeaeef5a13fd50f97d96dc6a7bf16c5977955750f5af8c18bd6a99
MD5 hash:
1e8d6d450d4d29021a1492aa95936706
SHA1 hash:
843c7823b2bf5b08745cc4070b6baaf0e77d343b
Detections:
XLoader
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/8c47fd34-f208-4996-aa79-21b305c49b54/
Parent samples :
90212e18e6b4b235bbb6f4083bd0a2c491e0be12edc600199eb0ed0839d9a554
7c470477c32979be016bffc98f861acc089861a6a2ba015aed73d769774370bf
4ac30ca3142675b81e4490da111a69336cc0b41b21049d3a8bb6b38e7851b529
937c7c476bb363e55fdf1ff275c87de91ec0f550072e9a759387cc95e6c78c83
933b7f5c98ba6f0c28c54a11d35c8ac0a36d825699df11a896767556ebce1603
05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b
e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf
91218386ed25d62220408973a03c76b8c4fc44512a60eabd0e437b2bbd10e7d4
SH256 hash:
9710dc374fe631ea03575f6159156c1a105b2da641af25593c016327a0b5691c
MD5 hash:
e0e19eb3bb4dc912f4ad29c31d3a35f7
SHA1 hash:
36ae39734e7d6475e92387f05a184daabee1fb40
Link:
https://www.unpac.me/results/8c47fd34-f208-4996-aa79-21b305c49b54/
SH256 hash:
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b
MD5 hash:
d521de81fab51fde9dba5153ae206e27
SHA1 hash:
8cb91b5b6d0eb823268ef46888faddd08f1dc47a
Link:
https://www.unpac.me/results/8c47fd34-f208-4996-aa79-21b305c49b54/
SH256 hash:
e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf
MD5 hash:
44d628546ab1eff55064627d70a3cb27
SHA1 hash:
2605ad8396b5ea90c8a371fdb76c58b12931d66c
Link:
https://www.unpac.me/results/8c47fd34-f208-4996-aa79-21b305c49b54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.18
Link:
https://yomi.yoroi.company/submissions/e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/345517/

Comments