MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133
SHA3-384 hash: 1767e4f0b96af9d070bbcad3385cba4372a39d626027a387eeeafbd6620aa559c03bb07b59669f6d7698001fa64e000e
SHA1 hash: 968d4d600dd00579f6594e3b1eff98b46b422893
MD5 hash: 9d8635210670e8b332120a969dfa269e
humanhash: beryllium-lemon-ohio-cat
File name:Purchase_order_397484658464974945648447564845.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:639'488 bytes
First seen:2021-02-23 07:20:01 UTC
Last seen:2021-02-23 08:45:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:2ATB+CjnoFug/a0qfvoC4eTzyOgW1MSpjCPzGcMrIVq/0qPmDbaT5lBWuDrRZAX:2qADSfbdTzcGVJVKq/Tm3iT0UrcX
Threatray 3'882 similar samples on MalwareBazaar
TLSH E2D449D8799420B7E5878EB5425B6768F0F132B3AFB3145984244EC1E5603D1FE0EAEB
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ns4.leaseweb.net
Sending IP: 213.227.149.147
From: Shamsul Haque <tenstens@hanmail.net>
Subject: Order
Attachment: Purchase_order_397484658464974945648447564845.rar (contains "Purchase_order_397484658464974945648447564845.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118493/
Detection(s):
SecuriteInfo.com.Trojan.Heur.DNP.Nm0@a40MtVhi.28419.13933.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Creating a process with a hidden window
Running batch commands
Sending a UDP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Blocking the User Account Control
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615037
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356528 Sample: Purchase_order_397484658464... Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 27 Found malware configuration 2->27 29 Malicious sample detected (through community Yara rule) 2->29 31 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->31 33 7 other signatures 2->33 7 Purchase_order_397484658464974945648447564845.exe 17 3 2->7         started        process3 dnsIp4 25 coroloboxorozor.com 104.21.71.230, 49711, 80 CLOUDFLARENETUS United States 7->25 35 Adds a directory exclusion to Windows Defender 7->35 37 Tries to detect virtualization through RDTSC time measurements 7->37 39 Hides threads from debuggers 7->39 41 2 other signatures 7->41 11 cmd.exe 1 7->11         started        13 powershell.exe 25 7->13         started        15 WerFault.exe 23 9 7->15         started        17 Purchase_order_397484658464974945648447564845.exe 7->17         started        signatures5 process6 process7 19 conhost.exe 11->19         started        21 timeout.exe 1 11->21         started        23 conhost.exe 13->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-23 07:20:16 UTC
AV detection:
15 of 47 (31.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=amphfnc5m3btmw76hr5m4pcmfj47vt72rwvhwsb4o42qu6i4aezq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1432f0240c91b7439722df807e35ef9b4cc9b126f3e5d42cedb27b28751118d7
Formbook
170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d
Formbook
2bec4da3283f4d9329b155c12e5ee6f5f8943bb43d9e66c1767b877b89a19063
Formbook
5babb878615fbf3b56008f4d7becccdb0a316e3eecb95ce99ea2a6c9d5a8a19a
Formbook
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
b060cb81afd9113cfbbb1e346c99e503c545da47ed80096c021b7ca41c064c76
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
e5ff1fccc213b922956415d980bbbf9318b17834761d629b23448ab14868812e
Formbook
+ 3'872 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader evasion loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210223-nr9na2y9sn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Windows security modification
Xloader Payload
Formbook
UAC bypass
Windows security bypass
Xloader
Malware Config
C2 Extraction:
http://www.aubonmarcheduparc.com/rina/
Unpacked files
SH256 hash:
031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133
MD5 hash:
9d8635210670e8b332120a969dfa269e
SHA1 hash:
968d4d600dd00579f6594e3b1eff98b46b422893
Link:
https://www.unpac.me/results/0353f426-1488-4a0c-a050-e724db80ee38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 8839b2e808d191a532ba2564a8095da01adba100d69005e8ad8c09b094a9d46e

Formbook

Executable exe 031e72b45d66c3365bfe3c7ace3c4c2a79facffa8daa7b483c77350a791c0133

(this sample)

  
Dropped by
MD5 fb1f8d6a5ca17be7c90f3b183918d951
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118493/
  
Dropped by
SHA256 8839b2e808d191a532ba2564a8095da01adba100d69005e8ad8c09b094a9d46e

Comments