MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff8e04148000568fddb55c18693d4aef878dc693b799acc941b0ccbad55464e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff8e04148000568fddb55c18693d4aef878dc693b799acc941b0ccbad55464e7
SHA3-384 hash: 2c0c891d0f924822a9dce31b5f13ca9e1836fa4aea79604f58f849a57f994f66516fe2623988f4f1467c39f21ada9676
SHA1 hash: 8686f13637b67b67317e4d6b286841288f4862c2
MD5 hash: c40b1208ce573db32ee32dfffc799442
humanhash: east-texas-berlin-maryland
File name:c40b1208ce573db32ee32dfffc799442.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:832'000 bytes
First seen:2021-01-29 09:00:55 UTC
Last seen:2021-01-29 10:54:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:Wqfu19H0+veX+knfaQRGtUvpVRlbBtqKuCwaBJaB5:WUfXhb0M7bBtq9Zava
Threatray 3'668 similar samples on MalwareBazaar
TLSH C9057BD2FC16EAD0D3A0CEB1D013C9F846353FA9D86191932D60BD9A367FF524B91A06
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c40b1208ce573db32ee32dfffc799442.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-29 09:12:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa42ac51-44b2-48d2-a43c-e76bc322acc1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114695/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.8179.17824.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/593725
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 345904 Sample: 6tivtkKtQx.exe Startdate: 29/01/2021 Architecture: WINDOWS Score: 100 31 www.seronofertilitymeds.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 11 6tivtkKtQx.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\6tivtkKtQx.exe.log, ASCII 11->29 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->55 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 6tivtkKtQx.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.heliaoyixue.com 198.44.180.4, 49736, 49762, 80 VPSQUANUS United States 18->33 35 www.redirect.space 150.95.255.38, 49759, 80 INTERQGMOInternetIncJP Japan 18->35 37 24 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff8e04148000568fddb55c18693d4aef878dc693b799acc941b0ccbad55464e7/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-27 15:00:02 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=76haifeaabli7xnvlqmgspkk56dy3rutw6m2zskbwdglvvkumttq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d87d74fe3b493880a672905108416227b6a2996eae2da3d8226cf65ae8ade26
Formbook
238dd9cb9b1c235e2babbc3f3b1372da8d76e4d94a4440776814957e0fd09f0b
Formbook
41440a2e9db109558bde920dddba0eee3a5f269eef4c0d80eedf6a0bf0445a70
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
6a048c6c5339d2b401597623a0fd5141202679f87cebe7f2a89aec66254e789c
Formbook
81e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
Formbook
9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1
Formbook
b88d84be2994a05ac716dac99a689356d8c7ecbd541989a5339be403da909430
Formbook
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Formbook
d1d418f59229c360cde5d3e812c04917c9e38a3001dedb2a138be94419af8aac
Formbook
+ 3'658 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader evasion loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210129-k66n45x43x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.h-v-biz.com/c8so/
Unpacked files
SH256 hash:
205f2dd5e872980bbdbfefe07483d4f3f569f286ee7c6ffb1ef229b1d89d678f
MD5 hash:
60b2ecb4a4243aaf2b6b96006611bdf5
SHA1 hash:
b5ef78f1223cb95f8cb609b5c5e726513afd0ade
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a58e6046-eae0-4d2f-a6c1-e75160bbf6ff/
Parent samples :
81e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
41440a2e9db109558bde920dddba0eee3a5f269eef4c0d80eedf6a0bf0445a70
6a048c6c5339d2b401597623a0fd5141202679f87cebe7f2a89aec66254e789c
ff8e04148000568fddb55c18693d4aef878dc693b799acc941b0ccbad55464e7
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/a58e6046-eae0-4d2f-a6c1-e75160bbf6ff/
SH256 hash:
e2b44a118f4afa6b3968c1ecc49ac5fa2462d53caefd9d7542fc7e1e405ce880
MD5 hash:
b6a08fd5c4c31c965b4348a32d76677f
SHA1 hash:
b95d84e9cacb94dabd39392b7af22bd1e0665da1
Link:
https://www.unpac.me/results/a58e6046-eae0-4d2f-a6c1-e75160bbf6ff/
SH256 hash:
ff8e04148000568fddb55c18693d4aef878dc693b799acc941b0ccbad55464e7
MD5 hash:
c40b1208ce573db32ee32dfffc799442
SHA1 hash:
8686f13637b67b67317e4d6b286841288f4862c2
Link:
https://www.unpac.me/results/a58e6046-eae0-4d2f-a6c1-e75160bbf6ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff8e04148000568fddb55c18693d4aef878dc693b799acc941b0ccbad55464e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe ff8e04148000568fddb55c18693d4aef878dc693b799acc941b0ccbad55464e7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/978567/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114695/

Comments