MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 006a5bbcb444a8dd12526ca1fd0f35ea210e66dc74deb1bc9fd35a06e4aa1eb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 006a5bbcb444a8dd12526ca1fd0f35ea210e66dc74deb1bc9fd35a06e4aa1eb8
SHA3-384 hash: fc3b275355447f2dcf7579b89ba0b125f88fcfb06f1f881475d5c8d518a0a7b45d9575fd6e6599da9cbe1117d73440cc
SHA1 hash: 4bf9e846e1127963f5dee5856d3511b673040ded
MD5 hash: cf97bf358fe77d65c898fafd025472ca
humanhash: arizona-nuts-delta-wisconsin
File name:SrmqBXsgO6LSdTV.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'012'736 bytes
First seen:2020-11-06 07:35:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:yHyw6dsa/7tbMBypswlIfqAJEhFb+B+Il4485kAwCsf:yHyJ5oyeJEhFyoIl44CkA5w
Threatray 2'874 similar samples on MalwareBazaar
TLSH A425AEF66272D66EC40F04FFF8CB25618399DF1D58FC804AB2F5B11912B86C951AC78A
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sonic304-23.consmr.mail.gq1.yahoo.com
Sending IP: 98.137.68.204
From: Ali joy <joyali124@yahoo.com.sg>
Subject: FW: Payment Transfer
Attachment: UNBEN095.rar (contains "SrmqBXsgO6LSdTV.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/522135
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310166 Sample: SrmqBXsgO6LSdTV.exe Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 Sigma detected: Scheduled temp file as task from temp location 2->48 50 8 other signatures 2->50 10 SrmqBXsgO6LSdTV.exe 6 2->10         started        process3 file4 32 C:\Users\user\AppData\...\YlWlajyXYGJIr.exe, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\...\tmpC6C2.tmp, XML 10->34 dropped 36 C:\Users\user\...\SrmqBXsgO6LSdTV.exe.log, ASCII 10->36 dropped 60 Tries to detect virtualization through RDTSC time measurements 10->60 62 Injects a PE file into a foreign processes 10->62 14 SrmqBXsgO6LSdTV.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 38 www.jaaweb.xyz 104.18.35.140, 49739, 80 CLOUDFLARENETUS United States 19->38 40 www.bbxacompass.com 199.59.242.153, 49738, 80 BODIS-NJUS United States 19->40 42 2 other IPs or domains 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 25 explorer.exe 19->25         started        signatures10 process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 25->54 56 Maps a DLL or memory area into another process 25->56 58 Tries to detect virtualization through RDTSC time measurements 25->58 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/006a5bbcb444a8dd12526ca1fd0f35ea210e66dc74deb1bc9fd35a06e4aa1eb8/
Threat name:
ByteCode-MSIL.Trojan.BlackDrop
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 03:32:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abvfxpfuisun2essnsq72dzv5iqq4zw4otpldpe72nnanzfkd24a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
16f1274d2435181f2fb7ab3ba9fe1f7e9755e9cc449de481bd5ec636b6f32d52
Formbook
51874d1c039e563df3c8f2603fb84827126a826b1ad37c54035b3a12e3bd4ff6
Formbook
8ca4a5887d8506ae275cdc9d9ba89dab07e2997435435a1f0bd111f78ad0a382
Formbook
9b42273e757d2cd6b0861aa1a06f32f4f8e6882deaa65167e0068c38845b0cd2
Formbook
acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
Formbook
b505171cca5c5eefe4dd6e6ce852dd380cfc08effeef51ed1219741f2910b873
Formbook
bcba47ff7460e3a03098516dcc1af9369b8fcc302fefaa07c57024830f57e93c
Formbook
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
Formbook
e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0
Formbook
e1cfca7448e28054c1e1ef3ca5ea11921d46f85c75729310d6d4f01c955a607e
Formbook
+ 2'864 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201106-b563g88g82/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ephone.design/k8b/
Unpacked files
SH256 hash:
006a5bbcb444a8dd12526ca1fd0f35ea210e66dc74deb1bc9fd35a06e4aa1eb8
MD5 hash:
cf97bf358fe77d65c898fafd025472ca
SHA1 hash:
4bf9e846e1127963f5dee5856d3511b673040ded
Link:
https://www.unpac.me/results/af55b170-cbfe-445d-afbe-2461da68056d/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/af55b170-cbfe-445d-afbe-2461da68056d/
SH256 hash:
795004ad9c072952d127ac1b2ce3c1cad5129981f811f522b783d82c6a8f8dce
MD5 hash:
c24d39405d29c12711bc25307a229d81
SHA1 hash:
22be77f55f2cb24cd11ad2ee2523f7db2fb88824
Link:
https://www.unpac.me/results/af55b170-cbfe-445d-afbe-2461da68056d/
SH256 hash:
2553d304c16d2de7d788b7118c7c804762d41a91bae2e8980852eabe3be819e8
MD5 hash:
210641499190d6cb1d1eeb138d8467da
SHA1 hash:
28f0faf6fc3c21b3e5e68ff3913a6615ee5a4b5c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/af55b170-cbfe-445d-afbe-2461da68056d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar b235864c5128c3e19445c4e5045bca7205465c795fad5ef610af1870e5d34087

Formbook

Executable exe 006a5bbcb444a8dd12526ca1fd0f35ea210e66dc74deb1bc9fd35a06e4aa1eb8

(this sample)

  
Dropped by
MD5 4e2d0a078339d79e63b4e8b3911c76ca
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b235864c5128c3e19445c4e5045bca7205465c795fad5ef610af1870e5d34087

Comments