MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
SHA3-384 hash: 60c4f88f087df4d5319d32af3336c43a32fb93dd0c995d624428bf5399096bfd4334f415df1bf68e8417542a5a3f7b05
SHA1 hash: 100a7fc3b0839885d31f4a51690ec5d4630c71c6
MD5 hash: 3fc1d6d6ead9c444d3a444484b339318
humanhash: snake-mike-princess-alaska
File name:U prilogu je predracun.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:797'696 bytes
First seen:2022-01-25 10:56:30 UTC
Last seen:2022-01-25 11:53:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 88dccac4d9ae025e5fe6a132e4dc45bf (1 x Formbook, 1 x RemcosRAT)
ssdeep 12288:ovz2X7tyLZWi55PFwA6qhu6IFRJ9cPuGhHZcL+5zZQDyDW7T3bnvw:obKEki55PF5XhzEJS2GhHZcetPKT7v
Threatray 13'522 similar samples on MalwareBazaar
TLSH T1C9058D12B3D18937C1376AB48C5F87A8982AFE112E28798B3BE42D4C5F357413529F97
File icon (PE):PE icon
dhash icon b670390284e2da70 (14 x Formbook, 3 x RemcosRAT, 3 x AveMariaRAT)
Reporter GovCERT_CH
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
U prilogu je predracun.exe
Verdict:
Malicious activity
Analysis date:
2022-01-25 11:02:52 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/8fe74b0b-3d9c-4a0a-b185-372d63bcd758

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/222371/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.35298.12790.6814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Searching for synchronization primitives
Reading critical registry keys
Launching cmd.exe command interpreter
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5074/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger packed replace.exe
Link:
https://www.filescan.io/uploads/61efd780f81da814afa34ff7/reports/fe11d336-fc12-42db-a17a-cd28430b13a9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88515d51-2c89-44ca-a71f-42bfd6ec6376
Result
Threat name:
DBatLoader FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/926986
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 559468 Sample: U prilogu je predracun.exe Startdate: 25/01/2022 Architecture: WINDOWS Score: 100 35 www.piiqrio.com 2->35 37 www.believeinyourselftraining.com 2->37 39 2 other IPs or domains 2->39 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 4 other signatures 2->59 10 U prilogu je predracun.exe 1 17 2->10         started        15 Rchzcyirlz.exe 13 2->15         started        signatures3 process4 dnsIp5 43 cdn.discordapp.com 162.159.134.233, 443, 49742, 49743 CLOUDFLARENETUS United States 10->43 31 C:\Users\user\Contacts\Rchzcyirlz.exe, PE32 10->31 dropped 33 C:\Users\...\Rchzcyirlz.exe:Zone.Identifier, ASCII 10->33 dropped 69 Writes to foreign memory regions 10->69 71 Allocates memory in foreign processes 10->71 73 Creates a thread in another existing process (thread injection) 10->73 17 logagent.exe 10->17         started        75 Multi AV Scanner detection for dropped file 15->75 77 Injects a PE file into a foreign processes 15->77 20 logagent.exe 15->20         started        file6 signatures7 process8 signatures9 45 Modifies the context of a thread in another process (thread injection) 17->45 47 Maps a DLL or memory area into another process 17->47 49 Tries to detect virtualization through RDTSC time measurements 17->49 51 Queues an APC in another process (thread injection) 17->51 22 explorer.exe 17->22 injected process10 process11 24 Rchzcyirlz.exe 14 22->24         started        dnsIp12 41 cdn.discordapp.com 24->41 61 Writes to foreign memory regions 24->61 63 Allocates memory in foreign processes 24->63 65 Creates a thread in another existing process (thread injection) 24->65 67 Injects a PE file into a foreign processes 24->67 28 DpiScaling.exe 24->28         started        signatures13 process14 signatures15 79 Modifies the context of a thread in another process (thread injection) 28->79 81 Maps a DLL or memory area into another process 28->81 83 Tries to detect virtualization through RDTSC time measurements 28->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2022-01-25 05:44:41 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=62ogps7u5d36nuhzcv66tffybzxlb55skhomiymubviwlecvmqhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
40a298c96e7be4f585a294ae8453cae3ba5628702462d5101ea607963041c9ad
Formbook
889a99efe47a7cd2f2ee5797086d76e5811f9502047d9be1c6cbc1dc815c57fe
Formbook
8fb0895d475560584335f48db057beb1840bbf685f180f46c53eb8aa8d8ec676
Formbook
9c558e9f026119bab2580c1e38533870d351b1e01e65341427194504e2cdf490
Formbook
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
Formbook
b96d8904afc128bf96f360fb2702b6eb0d4d70ae6cbf32e7e4bbdd90ff884a04
Formbook
f79690a1d55d2a07ff407ca6a7e74dfc8097d9c63d6fa59adc2e03c73d39290b
Formbook
fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae
Formbook
+ 13'512 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:pvxz loader persistence rat suricata trojan
Link:
https://tria.ge/reports/220125-m19jaaedhj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
ModiLoader First Stage
Xloader Payload
ModiLoader, DBatLoader
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Unpacked files
SH256 hash:
9cebbcef1bd6016dfebf4c69f4c49501d914d5a8607777eba952d7ad40346f9a
MD5 hash:
322f2da5c29542aaecc9ee17e1fe7f00
SHA1 hash:
734c432e2595d53c82ee28604f909d3390018dd8
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/aa7fa84b-5bba-4f3c-8586-2071aca6b02c/
Parent samples :
a7d0cff6a05994c0ae576fa842e44a101879317f62466923f1d96adee2c4a898
770c04c7c3a53d584af17e38e8e3fe5767d431e26ca59b4dc20de71045354295
c1bd90e8816e506f387b5552b7487423da84b9818cf4e94f175ed7206cffe4f5
b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e
bed2b6abf700b607d4f856c63832bae23f4120a8786b5af4cbdaa0d8525a47bc
0d9facf6b7073de4e3db19eb64e80589d98cfe35b66942191390a891bb8b241c
3add41c98717984fa6f6d1bff7b1506024e2d91932b60a43810498c44daaef86
ddfc4415217ec461350071b0965a1132ad43472bdc15980da23c46d8f1da188e
b5cea089bb899e75deef98dc1569dc3af17a070f6fa594377b49299d63bbbd8f
7b2232160ba59858c112d6dcb2252701cdb5c1e38b216fb046bd13718c2716ce
b83152fc7fc7aa9950add1de9c3d12e107e3b6eb481c1a368018ed26d3792cdc
0ba0cd39397ce42a5a678b0ef803f99267dc16de6383f61107e298633e23e436
f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
cab0b398ecbf051d2fefcd25624c8f2b8119d52304c4e9836ede3b5391119fe6
4e837a08dd24b1f710c6fce10f974a49141decf103d6aeb290c0d36bba75121b
7a5846b1a7c0bbada0892d8b315bef3b4682192268da9ea779e98449681dd7ed
94ca0af32ea93d62fa355e450747ae9755c5dcd09e7b4186cd5bd04d7fc56565
0183d2fd44e215d6dc408bec45db9767a765767737b737032ff97e75adca46cd
5a04697834016e869389ef0d6a08656669cf5597fe0a6378a993250d311482e3
01e537ab28cea013b9a08939057369aa9369e8ff009231cb95101dc24348bb2e
76389098be8a410aaf6b21297912f6ef745db6e8a2f2aaaddda8685bd91091c3
662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
7793e93512bcef7b9d90de59ef17b8771ecc9da854da2f4c8b3be8ba3c5a2c20
SH256 hash:
f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f
MD5 hash:
3fc1d6d6ead9c444d3a444484b339318
SHA1 hash:
100a7fc3b0839885d31f4a51690ec5d4630c71c6
Link:
https://www.unpac.me/results/aa7fa84b-5bba-4f3c-8586-2071aca6b02c/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f69c67cbf4e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f69c67cbf4e8f7e6d0f9157de994b80e6eb0f7b251dcc461940d51659055640f

(this sample)

  
Dropped by
xloader
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/222371/

Comments