MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3
SHA3-384 hash: 3b7c7b734e83f8e7ea164853d3c5905b321f679fbd284c884dc1e0b60ef9ef8a4f7d6968cf1e2fa3c2cac63bfe51fb09
SHA1 hash: 0b5b93dc9e3389de1a3d04c4d03fa5c0532aef1e
MD5 hash: dc27e4474182fe41de857278c2488574
humanhash: cat-apart-ceiling-colorado
File name:ETC-B72-LT-0149-03-AR.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:234'114 bytes
First seen:2021-05-02 06:31:49 UTC
Last seen:2021-05-02 08:06:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 6144:lPXIpTjhnEtGLHJR0EQ88WuxXSnlJNEzoSF3/t22qZrAx/:apStGLHJRC8dnlnDS1H8M
Threatray 5'032 similar samples on MalwareBazaar
TLSH 5834128F3562EAF7DA370572187B22B5EFE6C2361060250F6344A76D39A77C3A60C163
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147890/
Detection(s):
SecuriteInfo.com.Gen.Variant.Zusy.380279.19485.12635.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/706390
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402115 Sample: ETC-B72-LT-0149-03-AR.exe Startdate: 02/05/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 6 other signatures 2->42 10 ETC-B72-LT-0149-03-AR.exe 19 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\qbii7uu.dll, PE32 10->28 dropped 52 Detected unpacking (changes PE section rights) 10->52 54 Maps a DLL or memory area into another process 10->54 56 Tries to detect virtualization through RDTSC time measurements 10->56 14 ETC-B72-LT-0149-03-AR.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.lookupgeorgina.com 66.96.130.44, 49771, 80 BIZLAND-SDUS United States 17->30 32 shoprodeovegas.com 184.168.131.241, 49773, 80 AS-26496-GO-DADDY-COM-LLCUS United States 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 msdt.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3/
Threat name:
Win32.Trojan.Injexa
Create hunting rule
Status:
Malicious
First seen:
2021-05-02 02:33:33 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lggkh3ws65tk62sryh5zp6laya2xsvnb4v5ghxokr4svkhom3rq._file
Verdict:
malicious
Similar samples:
0c0bc5227a0bb8385d2afc010559324b249fbc6a510f2a25c75a93cee924e841
Formbook
0fce851d001cb1a92a7939eb6a9fac428f5fd9750caa9a1981e27fd659c32c03
Formbook
20087dfd9482120735e4e37edc7307b91264632b0c9c7b50a058c100ba186ece
Formbook
36ac85986999d60ef2bcf74e50d27daa1bfbf6c4815e6fb5e5dc1547d8dcb8c9
Formbook
4fe5115259b2c032f03275273349549ab896959c818d771a4ad755ce64866379
Formbook
5aa64b3eef03b9c837e37102be20cb4f537c524b2a2531bf1bf6dd6a02461d7e
Formbook
6120294360629da33cd6f897de16401325be12ae2cd9dcc03857de7e0b4f94e4
Formbook
6f4fbab85c58d588450bc856ceff3894645e0033b4c4d2684184a8430c01daa4
Formbook
8503c4ec4121647a225068e8defe8ff2e4cfc61a94dcd3c261ec5acf38dfa73b
Formbook
913b12686b62bfbaa6cd0169c2b37bb2d06d095335f3ac14047ec49d3a755b2d
Formbook
+ 5'022 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210502-p1qrnhvefe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.shoprodeovegas.com/xcl/
Unpacked files
SH256 hash:
7449a16fc696e45fa2c1b96c9d2c785b9f54cca48c453f764fcaed0031943bac
MD5 hash:
aa71628f8f750412e5598782696963c7
SHA1 hash:
5dd7ab9fce05bd2c5a72880983878846280f2cfb
Link:
https://www.unpac.me/results/9d8fe424-d49b-41ad-b06e-2a9f7abb7258/
SH256 hash:
facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3
MD5 hash:
dc27e4474182fe41de857278c2488574
SHA1 hash:
0b5b93dc9e3389de1a3d04c4d03fa5c0532aef1e
Link:
https://www.unpac.me/results/9d8fe424-d49b-41ad-b06e-2a9f7abb7258/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/facc651f7697bb357b528e0fdcbfcb0601abcaad0f2bd31eee54792aa8ee66e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/147890/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-02 07:04:13 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0032.001] Data Micro-objective::CRC32::Checksum
1) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0046] File System Micro-objective::Create Directory
5) [C0048] File System Micro-objective::Delete Directory
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0050] File System Micro-objective::Set File Attributes
10) [C0052] File System Micro-objective::Writes File
11) [E1510] Impact::Clipboard Modification
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
14) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
15) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
16) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
17) [C0017] Process Micro-objective::Create Process
18) [C0038] Process Micro-objective::Create Thread