MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6ce0dcc1b8935f69bc1d3af7e524f5bce8d287e93d0e49cbd0db3c142d315b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6ce0dcc1b8935f69bc1d3af7e524f5bce8d287e93d0e49cbd0db3c142d315b1
SHA3-384 hash: 5a5f5f65e5ad3390f904ddf4f20547b02af88dcdf9392aea777aa519f93f28d2375b17dbb7dec9c73d1428108f1dcdb4
SHA1 hash: 0346a121d296f19edc1c3ee14149aa0e84a76e77
MD5 hash: 97ccb52c7c644dd07b5ffdff93224863
humanhash: oscar-california-cup-winter
File name:97ccb52c7c644dd07b5ffdff93224863.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:471'133 bytes
First seen:2021-12-14 16:47:31 UTC
Last seen:2021-12-14 18:44:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:DW3QYwHoeG5ahJz+tx7o/90OAdJ+Sf+gwNTp:D2J+oeeaCtdoAH+Ofi
Threatray 12'243 similar samples on MalwareBazaar
TLSH T17FA4234A75C25932FFE64B7A22F9D734E7BEC42917E1460B8FD44F05A933042E629272
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97ccb52c7c644dd07b5ffdff93224863.exe
Verdict:
Malicious activity
Analysis date:
2021-12-14 17:22:55 UTC
Tags:
installer
Link:
https://app.any.run/tasks/cb476e6f-da48-4fc2-a41f-0b59dcaab814

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214053/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.6017.14998.23611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61b8caccdb84542d41bec1a7/reports/372ae30b-4a27-43ae-8eb4-ac65ba4ec981/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bcda165-80f2-43ce-a710-07557364cc57
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/907268
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 539742 Sample: qcCYNXFl0b.exe Startdate: 14/12/2021 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 5 other signatures 2->50 9 qcCYNXFl0b.exe 17 2->9         started        process3 file4 26 C:\Users\user\AppData\Local\...\bqrouqjcs.dll, PE32 9->26 dropped 52 Tries to detect virtualization through RDTSC time measurements 9->52 54 Injects a PE file into a foreign processes 9->54 13 qcCYNXFl0b.exe 9->13         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 13->56 58 Maps a DLL or memory area into another process 13->58 60 Sample uses process hollowing technique 13->60 62 Queues an APC in another process (thread injection) 13->62 16 wlanext.exe 13->16         started        19 explorer.exe 13->19 injected process8 dnsIp9 34 Self deletion via cmd delete 16->34 36 Modifies the context of a thread in another process (thread injection) 16->36 38 Maps a DLL or memory area into another process 16->38 40 Tries to detect virtualization through RDTSC time measurements 16->40 22 cmd.exe 1 16->22         started        28 www.yuanyiyouxi.com 19->28 30 www.guccibuys1.cloud 19->30 32 parkingpage.namecheap.com 198.54.117.216, 49881, 80 NAMECHEAP-NETUS United States 19->32 42 System process connects to network (likely due to code injection or exploit) 19->42 signatures10 process11 process12 24 conhost.exe 22->24         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f6ce0dcc1b8935f69bc1d3af7e524f5bce8d287e93d0e49cbd0db3c142d315b1/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-12-13 18:03:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=63ha3ta3re27ng6b2oxx4usplphi2kd6spiojhf5bwz4cqwtcwyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14642e431716be5f43044de68f915037e0358a401f59e490f5370cc5563a1a23
Formbook
3662913e3004f6e3811499a9877265b55fd4b99400607d2f4b4168dc2621f1ab
Formbook
3bc25439a27fa2e9385f42bfc9b9a6caa56dc076ccc07fd2aa4684c0292c9622
Formbook
52c5a7bea43160bab3e96178238af584fbcf648172ef43517c71e755526756f6
Formbook
5dad6b254fb40bb4c090f5048e07da656821a4b6b163c6548287c3d91dcfda45
Formbook
8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc
Formbook
b8c628fdb35b1082bfe51ee070939de02a265a74adc8c4b35552076cd8dde378
Formbook
da2458789c338c2719661254515dba2fc92c21ef91a11da3d192a6542ca56814
Formbook
dad44254738682bad3b4582fa66217c68abcc3a8512a825c2f1836e5bbd94c3c
Formbook
dc47322035d2b5d35802751c248f3953a8383997345965d0696ce01c541a7846
Formbook
+ 12'233 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dy26 rat spyware stealer trojan
Link:
https://tria.ge/reports/211214-va4jcahbbq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.yukotopia.com/dy26/
Unpacked files
SH256 hash:
f6ce0dcc1b8935f69bc1d3af7e524f5bce8d287e93d0e49cbd0db3c142d315b1
MD5 hash:
97ccb52c7c644dd07b5ffdff93224863
SHA1 hash:
0346a121d296f19edc1c3ee14149aa0e84a76e77
Link:
https://www.unpac.me/results/3aa25572-e049-4fff-b1e7-251285d17905/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f6ce0dcc1b89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/f6ce0dcc1b8935f69bc1d3af7e524f5bce8d287e93d0e49cbd0db3c142d315b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe f6ce0dcc1b8935f69bc1d3af7e524f5bce8d287e93d0e49cbd0db3c142d315b1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1868884/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/214053/

Comments