MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b
SHA3-384 hash: 7b9690228abee5c50e13006b98daca7798c41a6b0cec878cef6a014ab84f9ede7e6d40381683d151c106b3f4ca70ea68
SHA1 hash: 8df1daf9fb7147fd61a1e18a5b1e5bfa7bbe94fa
MD5 hash: 8898f586289faf1cc074c328eb64e0c6
humanhash: cold-bulldog-delta-enemy
File name:3131_50SG0BK00T1,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'099'264 bytes
First seen:2021-01-19 07:21:40 UTC
Last seen:2021-01-19 09:21:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:CDlb2BV7YpgYUGwf98+Zvh8GcEzLXSgFL6OU:qbHgYUnf6+H8lEzWgF2l
Threatray 150 similar samples on MalwareBazaar
TLSH 1235AE0222887F58F27D5737C49884559BFAFC01E762CD2EBCD4399E59B2B91AA03317
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail4.welislinghung.com
Sending IP: 161.35.237.190
From: Vivien Kong <info@shearndelamore.com>
Subject: RE: price request: 3131-50SG0BK00T1
Attachment: 3131_50SG0BK00T1,pdf.iso (contains "3131_50SG0BK00T1,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3131_50SG0BK00T1,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 07:26:24 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/405b14b8-7e21-45e4-b1e5-2131e371dc51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112766/
Detection(s):
SecuriteInfo.com.Artemis8898F586289F.1071.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584554
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341313 Sample: 3131_50SG0BK00T1,pdf.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 40 www.andieweb.com 2->40 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 11 other signatures 2->54 11 3131_50SG0BK00T1,pdf.exe 7 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\jLhxUiIQnuLl.exe, PE32 11->32 dropped 34 C:\Users\...\jLhxUiIQnuLl.exe:Zone.Identifier, ASCII 11->34 dropped 36 C:\Users\user\AppData\Local\...\tmpABD7.tmp, XML 11->36 dropped 38 C:\Users\...\3131_50SG0BK00T1,pdf.exe.log, ASCII 11->38 dropped 14 MSBuild.exe 11->14         started        17 schtasks.exe 1 11->17         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 2 other signatures 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 42 huadijc.com 102.134.56.224, 49758, 80 sun-asnSC South Africa 19->42 44 vayocart.com 45.80.183.115, 49751, 80 AS-HOSTINGERLT Germany 19->44 46 6 other IPs or domains 19->46 56 System process connects to network (likely due to code injection or exploit) 19->56 25 NETSTAT.EXE 19->25         started        signatures10 process11 signatures12 58 Modifies the context of a thread in another process (thread injection) 25->58 60 Maps a DLL or memory area into another process 25->60 62 Tries to detect virtualization through RDTSC time measurements 25->62 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 04:47:14 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cncepvfef6qmnbyzuftaekyzokflhn3ruas7znaltya6wbdsxwfq._file
Verdict:
unknown
Similar samples:
14ee2894b546ba6d7835ee4dd8e07ef72fb10bfaebec8f1687da4559267cb72e
Formbook
5c7b804890877a7a9da085d878b0fc1a444aa1b75965e16beab74c978fab6079
Formbook
608d70c1cb35d04fa09469743651ee50e859d9ea016f7492bc53008de310deb7
Formbook
750292519a4b694e981556bdaec9c5b568ac54f1b9cb52fc1f740cd45b2748ec
Formbook
85dd5d9ef955400038cae7ac32f2931c3b6966792bbfd353f14627c2261f2d9c
Formbook
a12d62cf3071c705c6527b3a640f6dfa3f4823cf5289f8be7cba25ac14e79031
Formbook
a362c422dd9a2c24a7cc96dc14244742d24274b78da4b0a27157ac9e7c38b04a
Formbook
c1db0bc7089675799a66c321a0401a402b94e0d455037b0cbd76e54188de43c8
Formbook
ef93be06b93e89bc68dd92ca713f40e320a654c49a241a6884785acf964b8ba9
Formbook
ff8d39974554acf40538107995f0f6b000be41747ca6c34dae415df33596d5a3
Formbook
+ 140 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210119-pb8vlvq1mx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.radissonhotelsusa.com/cp5/
Unpacked files
SH256 hash:
5fb47a93e8f99354f497567e1f3e58ba78e76db73bd1415f2d7513ab89f29cb7
MD5 hash:
6f2f98ed322c76eba6ed310fee5c551e
SHA1 hash:
5ddc2d41bbcc90b734581178065b4784330a33c0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fb4c963c-d3f7-40e0-ae20-88ecc6139dcf/
Parent samples :
134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b
e7063cc17e4ab85b0ae947f6366f4a955758d2e3ef81bb2476f77aec1f77daae
9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f
SH256 hash:
52d35fabfc97d3e903b5d9eb253e8f84d1dfee2967fa9dde6d6ca37cc61951c5
MD5 hash:
b5a7f2596efe4c5fc5f5d2c733d49259
SHA1 hash:
c121578124375dc293e4daf12fac22442a8131b6
Link:
https://www.unpac.me/results/fb4c963c-d3f7-40e0-ae20-88ecc6139dcf/
SH256 hash:
57e74f1e81e0bee767c0dea3a664fece723d49356a97bda2ab5eb43bb0ed0ebd
MD5 hash:
c302fe629f3d7496728f874de272c2f1
SHA1 hash:
0871f2080cf209e6879f47ed081bb5df098ee568
Link:
https://www.unpac.me/results/fb4c963c-d3f7-40e0-ae20-88ecc6139dcf/
SH256 hash:
134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b
MD5 hash:
8898f586289faf1cc074c328eb64e0c6
SHA1 hash:
8df1daf9fb7147fd61a1e18a5b1e5bfa7bbe94fa
Link:
https://www.unpac.me/results/fb4c963c-d3f7-40e0-ae20-88ecc6139dcf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 72ba6b7c871884f51bbbc34e52731b52bb800852b61540a06f34658752f12e6e

Formbook

Executable exe 134447d4a42fa0c68719a166022b19728ab3b771a025fcb40b9e01eb0472bd8b

(this sample)

  
Dropped by
MD5 982d639028c0de29504f0e6c1e00c723
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 72ba6b7c871884f51bbbc34e52731b52bb800852b61540a06f34658752f12e6e
Cape
Cape
https://www.capesandbox.com/analysis/112766/

Comments