MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0674ab6b81671be1eb9a4944f50ca24141a0034fa4d58b420e47506371db191b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0674ab6b81671be1eb9a4944f50ca24141a0034fa4d58b420e47506371db191b
SHA3-384 hash: 3512c76d97dc9f1d3ffe8edbe7a570837bf0b3b5e8374ba831082213561bd98e92c98147900c363f3c4aeda09e790c35
SHA1 hash: f606474769da4255ea95c0aa4e78f5206246d865
MD5 hash: b6e80f2e175ac7fbcda8f578a69bd620
humanhash: pennsylvania-iowa-beryllium-spring
File name:Shipping Document PL&BL Draft01.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:679'936 bytes
First seen:2021-01-18 18:31:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f85ebb67bac58f72de974a91d40889a (5 x Formbook, 3 x RemcosRAT, 2 x AgentTesla)
ssdeep 12288:d8WvAMYGY5RFNBeU7vgTOzhdCeuckakZR5z+EDCf6RddWWP+qAt:d8W4T17vgKzhuKICf6ryrt
Threatray 3'507 similar samples on MalwareBazaar
TLSH A6E48D116840C039E0722D325AA9D6B2146EAC303F55798F6FD83E767F379C1B62962F
Reporter abuse_ch
Tags:exe FormBook TNT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cloudhost-2060988.uk-south-2.nxcli.net
Sending IP: 165.84.218.167
From: TNT Express INC <service@tnt.com>
Subject: Consignment Notification: You Have A Package With Us
Attachment: Shipping Document PLBL Draft01.img (contains "Shipping Document PL&BL Draft01.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipping Document PL&BL Draft01.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 18:55:21 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/97774216-0272-4ee1-a618-036e20eb3149

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112664/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584213
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341146 Sample: Shipping Document PL&BL Dra... Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 4 other signatures 2->41 10 Shipping Document PL&BL Draft01.exe 2->10         started        process3 signatures4 49 Maps a DLL or memory area into another process 10->49 13 Shipping Document PL&BL Draft01.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 27 www.hrbjczsfs.com 156.255.141.201, 49746, 49760, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 16->27 29 www.covicio.com 91.195.240.94, 49745, 49748, 49759 SEDO-ASDE Germany 16->29 31 19 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 msdt.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0674ab6b81671be1eb9a4944f50ca24141a0034fa4d58b420e47506371db191b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 09:37:17 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=az2kw24bm4n6d242jfcpkdfcifa2aa2putkywqqoi5igg4o3denq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
040e512b75bacd0ed6e0e13efa13f6ea92ebd47c214112b5371425009909c842
Formbook
148007b32a311769a958c3f87c6c836b14457f17dbe6a9a0188b0f68b3c30b40
Formbook
196b4470cd98c4f6d5c634170a1c6a98cf59b61c9b12a032ec9fb776b74a0527
Formbook
444e72d12e85dffc1b247b29e7789022b251237f56ea83bf72e3c09fcb628874
Formbook
58b012a7c77564704af9bc88d272f1aa68c6789c84a146d0f566304c370bc89a
Formbook
5b895b1fe7b66a92588a06eba17a83022da0b539dd9c2eaafbf6082a656f7b57
Formbook
6ac9238d32f2a7b7315cdb2755e090aa53431a71d613e188209b02105e3b8af9
Formbook
82327e5e44156cddbd2dd77556fc746dad24eeaedc11733c82729c7d0c10a1e7
Formbook
bcba31709cecf79a6996bda8b48a9e891db6de827c852404634a96d248560ba3
Formbook
e7091e7da366f0b1d4acbc1295841c6f7d1ab9412a9fe3fd9341c9d94274c457
Formbook
+ 3'497 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210118-bf7gbgtypn/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.elevatedenterprizes.com/h3qo/
Unpacked files
SH256 hash:
0674ab6b81671be1eb9a4944f50ca24141a0034fa4d58b420e47506371db191b
MD5 hash:
b6e80f2e175ac7fbcda8f578a69bd620
SHA1 hash:
f606474769da4255ea95c0aa4e78f5206246d865
Link:
https://www.unpac.me/results/1282973e-8746-4f0e-9805-a3cbd3de2f30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0674ab6b81671be1eb9a4944f50ca24141a0034fa4d58b420e47506371db191b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 8d7c2479a6ff7b6d6196efefc6c9d4425245077896802829b37fe37198c1d7e1

Formbook

Executable exe 0674ab6b81671be1eb9a4944f50ca24141a0034fa4d58b420e47506371db191b

(this sample)

  
Dropped by
MD5 d601edcd44f4841a5b205b392875f356
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112664/
  
Dropped by
SHA256 8d7c2479a6ff7b6d6196efefc6c9d4425245077896802829b37fe37198c1d7e1

Comments