MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc2480dee0caf0759cb11b01bea00a2588a48267c65ea4e81c66ba2a350fc177. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc2480dee0caf0759cb11b01bea00a2588a48267c65ea4e81c66ba2a350fc177
SHA3-384 hash: 648b61efdeddac022e9efae84e9288f07cdbe171bc9ae79bdbf91c2d4ffd20af8e631b81231a4cbd53f2d3bf173d2ff4
SHA1 hash: 884da678a8110cf9224c0b9a5ac1ede2e86bbbc5
MD5 hash: c5fbab5450dd04e5efc98526faadc9c2
humanhash: cold-apart-butter-iowa
File name:PI.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:831'488 bytes
First seen:2021-09-20 21:52:04 UTC
Last seen:2021-09-20 22:49:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:V5MTdookDsmtiK5oyZzjedl4nIHvVIoNxFDy+DkRmRLquN:b0+Fordiw9tk+OwLLN
Threatray 9'516 similar samples on MalwareBazaar
TLSH T177059DC13D47D89BF4DF6AB3986FC12015656E9D9121C73D26827A2B65F330230ABB4E
File icon (PE):PE icon
dhash icon b282b8a4a6929e9e (23 x Formbook, 20 x AgentTesla, 9 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 21:55:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e893c24-7302-4e65-9b68-27273a98982f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189613/
Detection(s):
SecuriteInfo.com.Trojan.Fbng.68.20253.11477.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/743fd135-a6b0-4dbc-86de-122b0a77c487
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854467
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486898 Sample: PI.exe Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 10 PI.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\PI.exe.log, ASCII 10->28 dropped 56 Tries to detect virtualization through RDTSC time measurements 10->56 58 Injects a PE file into a foreign processes 10->58 14 PI.exe 10->14         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 17 explorer.exe 14->17 injected process8 dnsIp9 30 curbside-chauffeur.com 184.168.131.241, 49799, 80 AS-26496-GO-DADDY-COM-LLCUS United States 17->30 32 cname.vercel-dns.com 76.76.21.21, 49805, 80 AMAZON-02US United States 17->32 34 4 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 46 Uses netstat to query active network connections and open ports 17->46 21 NETSTAT.EXE 17->21         started        signatures10 process11 signatures12 48 Self deletion via cmd delete 21->48 50 Modifies the context of a thread in another process (thread injection) 21->50 52 Maps a DLL or memory area into another process 21->52 54 Tries to detect virtualization through RDTSC time measurements 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fc2480dee0caf0759cb11b01bea00a2588a48267c65ea4e81c66ba2a350fc177/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 17:36:48 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7qsibxxazlyhlhfrdma35iakewekjathyzpkj2a4m25cunipyf3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6bcdb1b6795c22308aee5d390cfae409d21a3238a304466dd54c1dee43570afd
Formbook
92b86a3617c61eedc7c080cf52283c060da54017337b6376790e5a34a360fdfa
Formbook
a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83
Formbook
b04fb6a2bc53196885c36c1de64a717a47bd0c450f2948999c368cf489e9ffb8
Formbook
c3677d5791ac1a6939f2ab462201f257d9a4707f57bd6ee86d6b4dfa38378e3a
Formbook
c3938c98477bb13ecf6d7fa89e31ccd6fa2324dc0d859b25de6dfa5c1c4b5887
Formbook
c9933f662621bcd9114d34887587e51d6a9e31d525381b68783f865472426a44
Formbook
d2d6a8c31acdd92eb9a005e2fac8838a382ab0425fc01bc88616bda185ab7b4c
Formbook
d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
Formbook
ddf9f373e5735daeaea928c67bf342b9a71089ef06b4b9ec4fd8f593f34969e0
Formbook
+ 9'506 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:p5a0 rat spyware stealer trojan
Link:
https://tria.ge/reports/210920-1q3jwafee2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.pivotallogic.com/p5a0/
Unpacked files
SH256 hash:
7450b402b9afbbfe8aa43f3316182e972569b7762aaf64bc2b820c456f9a5991
MD5 hash:
c4959a72ce4a24990799827c5686c0b6
SHA1 hash:
2aa1843be0f21e1dd135ec8dd4e0f9b74efb600d
Link:
https://www.unpac.me/results/9a956997-a9f9-46e3-bae7-0827f911b9cb/
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/9a956997-a9f9-46e3-bae7-0827f911b9cb/
SH256 hash:
965836b89cb91948c108ab885fe8a738f0b87cc25ad908ba23885050317c2690
MD5 hash:
2449c70f29aff22ca212e9323a1871b9
SHA1 hash:
deba074fb938138d5317f951c8caad25fc86d009
Link:
https://www.unpac.me/results/9a956997-a9f9-46e3-bae7-0827f911b9cb/
SH256 hash:
13b12d9a10dd514bb5d3bdbc7350f36d402cdfd9dd584d193f7b36b0b63f100a
MD5 hash:
e2df798c079445be1802de10d7d1f3ee
SHA1 hash:
56ac4652008e1cf8b86a4032a10f2651dec824a6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9a956997-a9f9-46e3-bae7-0827f911b9cb/
Parent samples :
fc2480dee0caf0759cb11b01bea00a2588a48267c65ea4e81c66ba2a350fc177
9f6277c9f028bd5ba1acf206a4d9dc8ffcd0624240c095445607bf59de709a6f
SH256 hash:
fc2480dee0caf0759cb11b01bea00a2588a48267c65ea4e81c66ba2a350fc177
MD5 hash:
c5fbab5450dd04e5efc98526faadc9c2
SHA1 hash:
884da678a8110cf9224c0b9a5ac1ede2e86bbbc5
Link:
https://www.unpac.me/results/9a956997-a9f9-46e3-bae7-0827f911b9cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/fc2480dee0caf0759cb11b01bea00a2588a48267c65ea4e81c66ba2a350fc177

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe fc2480dee0caf0759cb11b01bea00a2588a48267c65ea4e81c66ba2a350fc177

(this sample)

  
Dropped by
formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/189613/

Comments