MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e6c9ec44aee5518a67ba5b5beda49639a715f191bb77099ecd57e326fc0d811. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e6c9ec44aee5518a67ba5b5beda49639a715f191bb77099ecd57e326fc0d811
SHA3-384 hash: 522a3dc2a24af58f6bd88a801b6b64da7b6de63d6b9e94e80271f58bd7b0c92919c75a22e46791649de03aca3a6a9a7c
SHA1 hash: ee53af6e8315633f4be8552e31183cca47a298f6
MD5 hash: 7bc5aa156b65b600db5b75ee2e420126
humanhash: speaker-march-uranus-beer
File name:IRS Notice Letter.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'354'224 bytes
First seen:2020-12-22 15:49:20 UTC
Last seen:2020-12-22 17:39:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:W+MGP/M8RBn6PI9wdhPl4Uy8M/Y10pejZbZrzjkfT7k58HQFpnd4a4cYHTQjROzS:W+MXz
Threatray 3'238 similar samples on MalwareBazaar
TLSH DD555F02498168CBD7B3D090A34EC2D6B38795DCE7EA5FD4AE10E25532CC4B7EBA9D41
Reporter abuse_ch
Tags:exe FormBook IRS


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail.ozokgroup.com
Sending IP: 185.111.235.60
From: "IRS" <noreply@irs.gov>
Reply-To: noreply@irs.gov
Subject: IRS NOTICE LETTER TU
Attachment: IRS Notice Letter.zip (contains "IRS Notice Letter.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IRS Notice Letter.exe
Verdict:
Malicious activity
Analysis date:
2020-12-22 15:55:22 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b21d375a-b450-499b-a35d-d1978838c371

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108947/
Detection(s):
SecuriteInfo.com.Generic.mg.7bc5aa156b65b600.32103.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568579
Signature
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333361 Sample: IRS Notice Letter.exe Startdate: 22/12/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 6 other signatures 2->51 10 IRS Notice Letter.exe 3 2->10         started        process3 file4 31 C:\Users\user\...\IRS Notice Letter.exe.log, ASCII 10->31 dropped 61 Injects a PE file into a foreign processes 10->61 14 IRS Notice Letter.exe 10->14         started        17 IRS Notice Letter.exe 10->17         started        signatures5 process6 signatures7 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Maps a DLL or memory area into another process 14->65 67 Sample uses process hollowing technique 14->67 69 Queues an APC in another process (thread injection) 14->69 19 explorer.exe 14->19 injected process8 dnsIp9 33 edgehairandbeauty.com 192.254.235.48, 49765, 80 UNIFIEDLAYER-AS-1US United States 19->33 35 aizimov.com 153.126.209.136, 49764, 80 SAKURA-ASAKURAInternetIncJP Japan 19->35 37 21 other IPs or domains 19->37 53 System process connects to network (likely due to code injection or exploit) 19->53 23 netsh.exe 12 19->23         started        signatures10 process11 dnsIp12 39 www.changxunt.com 23->39 41 prob5068033.cname.hwcloudsite.cn 23->41 43 119.3.154.36, 80 HWCSNETHuaweiCloudServicedatacenterCN China 23->43 55 Modifies the context of a thread in another process (thread injection) 23->55 57 Maps a DLL or memory area into another process 23->57 59 Tries to detect virtualization through RDTSC time measurements 23->59 27 cmd.exe 1 23->27         started        signatures13 process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0e6c9ec44aee5518a67ba5b5beda49639a715f191bb77099ecd57e326fc0d811/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 15:50:11 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzwj5rck5zkrrjt3uw235wsjmonhcxyzdo3xbgpm2v7de36a3aiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4
Formbook
42f1eae60298f6d5fba417912070ac64bb13c35d5f7d60fc207ebb14a6304219
Formbook
549de81621fd5e577a164009e14fe791e2099b1a985fe37739801fdf156800b8
Formbook
63cdf6732c057eee9626cae35b73e53dbc35b1c7231c573e8c672372074ac926
Formbook
9a176cf24fa09ec01bb6e51507849fa8aad355bb25eba73ce43f63579997633a
Formbook
a80553f1c2dcc35c48adf765bbb4f695d9d3c47d57ab0e47e4e8118588466731
Formbook
b2f4176efc7fb22a1958f63af6f3029b8d4fdbecb98625828822d471a6a137b4
Formbook
cf881c52980129f685da1dee4674018fa0fc1db346565dd917ae0160ce26b25d
Formbook
d0743e20f8ddf388b214bd59e11b36f000b423350c56c065133d533af64b4a00
Formbook
e04ac8ec3e13e60c17c1ab13acb486e2e60877e44b6a3ee8a9e372a45d0c8e42
Formbook
+ 3'228 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201222-kt64h5vzen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.aizimov.com/09rb/
Unpacked files
SH256 hash:
0e6c9ec44aee5518a67ba5b5beda49639a715f191bb77099ecd57e326fc0d811
MD5 hash:
7bc5aa156b65b600db5b75ee2e420126
SHA1 hash:
ee53af6e8315633f4be8552e31183cca47a298f6
Link:
https://www.unpac.me/results/4d552770-3fa1-4149-ba4e-18ffa9cf1d73/
SH256 hash:
9830d08f0c95dae2f9a20da4ddb94a46ed748a21419778189441784b81388f25
MD5 hash:
8525bc3e81bc6e506c5f8ffe91eb7a3d
SHA1 hash:
584deb2ac1209c9281c975ced06f9a34a077d1b2
Link:
https://www.unpac.me/results/4d552770-3fa1-4149-ba4e-18ffa9cf1d73/
SH256 hash:
967572c6c53412aa84b71e8fac079afa64436c5594de5a5142db140f0a171497
MD5 hash:
15d9f7ac7353a1c6fabb1596aad9e26e
SHA1 hash:
b9dfe635342c547eab59616d8be120e3bae9dd5a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4d552770-3fa1-4149-ba4e-18ffa9cf1d73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Potentially Unwanted Application
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/0e6c9ec44aee5518a67ba5b5beda49639a715f191bb77099ecd57e326fc0d811

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 409508aff72ecc21f5f569466effe1db57078290206bf908ea48ffbe11063f40

Formbook

Executable exe 0e6c9ec44aee5518a67ba5b5beda49639a715f191bb77099ecd57e326fc0d811

(this sample)

  
Dropped by
MD5 12e3fc99b9f451c5215f80c78e34f41b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 409508aff72ecc21f5f569466effe1db57078290206bf908ea48ffbe11063f40
Cape
Cape
https://www.capesandbox.com/analysis/108947/

Comments