MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
SHA3-384 hash:	53e29f938687d7725fb6a91ca19ff9fa31d18c91931c4a7d8b189e2f5f98485b1bbb4deb12bd07245923c4992286c842
SHA1 hash:	a2bee1c142d50ef4f821e30eae5a1a30efa8f009
MD5 hash:	095d3e149a73c5daa7da04428ee3d561
humanhash:	sink-music-avocado-edward
File name:	PO#652.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	353'280 bytes
First seen:	2021-02-18 07:40:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	6144:vv0M3Nkx/86kMUoM4fonNsK1UQR24dkyc1QCPBvHgy8DPlJB7F9GzypL1yO42s2b:vcM3H6kM7gnRBR24yRPBPgy8DNFwe7ya
Threatray	3'805 similar samples on MalwareBazaar
TLSH	C374BE9CF994768ECC2BDC72CEB82D64AB9028B6737AE207B11315D9591C497CF1D0B2
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing Formbook:

HELO: curlze.site
Sending IP: 185.31.160.145
From: OVOL Sdn Bhd <A.zaki@aminternational.ae>
Subject: Purchased Order - victim-email - PO#652
Attachment: PO652.xls.z (contains "PO#652.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/117691/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Launching the process to change network settings

Sending a UDP request

Launching cmd.exe command interpreter

DNS request

Sending an HTTP GET request

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/611203

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Suspicious Svchost Process

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2021-02-18 07:41:08 UTC

AV detection:

12 of 47 (25.53%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vd7g275getuos33r2p7wg5nack2ewupqmf475n6o7dbt7vwtqvya._file

Verdict:

malicious

Label(s):

formbook

Formbook

149bc7bb666f2eabcf946822bd316709ddeeef787f059687415f98c71ad47783

Formbook

170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d

Formbook

1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663

Formbook

45fda70b08542ae52a8228a61e317973f42b477583841e384e9817d7d2dd3709

Formbook

5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d

Formbook

5ec36ac5ba843f29bb0dc75d7d527ab9cee34a681bad704a89fd5ed12cdea337

Formbook

67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96

Formbook

6a37a2a65393b805bbe4e7e4e42b642da433e9caa7436aaeb9df8ab0fc6679b9

Formbook

a4ed754c1a38fd8fc24bb4ec7f5da899c254df070bcc8cfd7b16778701c4b72d

Formbook

+ 3'795 additional samples on MalwareBazaar

Result

Malware family:

xloader

Score:

10/10

Tags:

family:formbook family:xloader loader rat spyware stealer trojan

Link:

https://tria.ge/reports/210218-rfzzmvyx8j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Xloader Payload

Formbook

Xloader

Malware Config

C2 Extraction:

http://www.sunsfactory.net/m3de/

Unpacked files

SH256 hash:

a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570

MD5 hash:

095d3e149a73c5daa7da04428ee3d561

SHA1 hash:

a2bee1c142d50ef4f821e30eae5a1a30efa8f009

Link:

https://www.unpac.me/results/5032fbd6-8ef7-4b91-a6c1-cd154fba9ae4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time