MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc534d33f183a321a447fef1fdef4c8a7fa78413cd15f93df13a39f0a8b9b2fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc534d33f183a321a447fef1fdef4c8a7fa78413cd15f93df13a39f0a8b9b2fe
SHA3-384 hash: cb3854827a609b06358552984886f5dec04b4c114f51744bbdfb9bd37b595870c29cc9f832b80ea3a134e9cdd0ea3648
SHA1 hash: 95e91ec34debdc0e4817d90caca87897f4febe98
MD5 hash: e7d7f8b02dd023f31b46e5bb265c7224
humanhash: carolina-east-georgia-hotel
File name:SPECIFICATION REQUEST.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:939'520 bytes
First seen:2021-01-27 06:56:41 UTC
Last seen:2021-01-27 09:04:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Da1vFBy6byykqanLIpUrbxujgRzDNFC8YEIGKEbyX6/VwbN4+vtE+LtZ/NRMiWid:21vFBy6by7ngjgRVFjlIGnbnwqYTfV
Threatray 3'646 similar samples on MalwareBazaar
TLSH 1215BF2173189F5AF03F57F4C164244093F6B82BE325DA8DBCE694EF6550F80D662AA3
Reporter Anonymous
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SPECIFICATION REQUEST.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-27 06:51:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/15a794a2-cb10-4093-88fa-b647f9415586

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114025/
Detection(s):
SecuriteInfo.com.ArtemisE7D7F8B02DD0.15345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/591556
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 344818 Sample: SPECIFICATION REQUEST.exe Startdate: 27/01/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 6 other signatures 2->43 10 SPECIFICATION REQUEST.exe 3 2->10         started        process3 file4 27 C:\Users\...\SPECIFICATION REQUEST.exe.log, ASCII 10->27 dropped 13 SPECIFICATION REQUEST.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 toprestau.com 64.92.125.40, 49733, 80 MASSIVE-NETWORKSUS United States 16->29 31 bistrolartichaut.com 34.102.136.180, 49735, 80 GOOGLEUS United States 16->31 33 6 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 wlanext.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc534d33f183a321a447fef1fdef4c8a7fa78413cd15f93df13a39f0a8b9b2fe/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-27 06:57:06 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rju2m7rqorsdjch73y7332mrj72pbatzuk7spprhi47bkfzwl7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06a0e3845d7b4c5593a9143eb1ae73223760d68f2acf0e5be631b9eeab3675f3
Formbook
07b296fafcefb5dbbf7148a96fc968664011aca0070b72732fb00886fbea9741
Formbook
187785c7830aff67dd03a3bf3a067e9b760cb76f7367ee42c8e4b9c92b78d2e2
Formbook
420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5
Formbook
ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
Formbook
c383b5258941145e0402f4d3be4b2f0c19dbcb842f9d2954e1acf8806a1b9800
Formbook
c3d490568e73f61c86d2d4c01e170bdcf3c0d3eb5e309ff3d3fb808a4a867a54
Formbook
c9bc1c7f21e628959622a569b2a4221b8a4cbcc34f3d01684da97bea5cd9caf7
Formbook
da8c31096f9e2ffc9a1fea4a63d6440cfda55349845300b4f333a02317c73dde
Formbook
e38e6ac839b8009c1c6d467ed4206f912c39a15af7a1fa7ba4a2a854e441fe50
Formbook
+ 3'636 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210127-zr2gbf4hqn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.bistrolartichaut.com/gbr/
Unpacked files
SH256 hash:
5bca980ccf29eb49991fe32081f5288d16439fb728873f12287cebf7e1b8055b
MD5 hash:
b89c511a527938cfd3b9f9e43500d10e
SHA1 hash:
636fcef891230b2695d73a4ebd84bbc045bddb16
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fd8acdd7-76b9-42a5-a343-0308b8d61b83/
Parent samples :
fc534d33f183a321a447fef1fdef4c8a7fa78413cd15f93df13a39f0a8b9b2fe
77b804f939b12235effeb7fa92d705f3604df969fda44f342a96a87b8f9ff4ab
8b19a16ac91b9d47a91f5c5036db519afaf66dfc48d617355a5364eeaf6074a6
dcba694f14ff8249e4d87b0002fd1a69ce2aa13d6d08d9ecffadb4cef9f6e329
SH256 hash:
d8433872e1483b0356020de84a74cc6c5d1054ea3eb5d7310a6408d751ab3c97
MD5 hash:
d23c19ad08c9960820801a6032e56a6d
SHA1 hash:
6c25b0a3160ce13bccae471ccc3234a64f5c3a7a
Link:
https://www.unpac.me/results/fd8acdd7-76b9-42a5-a343-0308b8d61b83/
SH256 hash:
ac4512c817c309261d8198967719f4e284f6b701a81c0ccc58d64c81aeb9048a
MD5 hash:
f7b258e18e4a156535d10710b26d0f4e
SHA1 hash:
402934203483bb6e2afa1705905c470a374bb44a
Link:
https://www.unpac.me/results/fd8acdd7-76b9-42a5-a343-0308b8d61b83/
SH256 hash:
fc534d33f183a321a447fef1fdef4c8a7fa78413cd15f93df13a39f0a8b9b2fe
MD5 hash:
e7d7f8b02dd023f31b46e5bb265c7224
SHA1 hash:
95e91ec34debdc0e4817d90caca87897f4febe98
Link:
https://www.unpac.me/results/fd8acdd7-76b9-42a5-a343-0308b8d61b83/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc534d33f183a321a447fef1fdef4c8a7fa78413cd15f93df13a39f0a8b9b2fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/114025/

Comments