MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba68a19bea8cc34d1145e30c3edd928a4bbc35798f13c109be206eb7b8ac89a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba68a19bea8cc34d1145e30c3edd928a4bbc35798f13c109be206eb7b8ac89a
SHA3-384 hash: 6c337f3e1e4705a693055b49fe08b7f348e740c6cdb7936e716fe13c38eba0f665fd63d3652d1dba66c9959507279cce
SHA1 hash: 5c3f4365352976d13fb53ec1f02162ca201fecb9
MD5 hash: 5787610a8b95269c467fb4507c6633bd
humanhash: saturn-lactose-solar-earth
File name:New Order DWG.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:33'280 bytes
First seen:2021-07-12 13:01:48 UTC
Last seen:2021-07-12 13:56:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:Vc5QjzMpQA4fOwT/Wqpx9gXSFnWqnGs8GHY54zwyjTof8XJ+K+OvlEa9juybs1gI:VJROwiqeDqGs8F54bKylS/om
Threatray 220 similar samples on MalwareBazaar
TLSH T1ABE2940277F82B66D7F89BF52A2255100BF9799E55B3E21C4CCB60CA6672F404E90F27
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order DWG.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 13:07:34 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/38961356-c89a-4fab-91a9-f9bce039c24f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171100/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.34390.4473.13143.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb5d65b4-646f-4f2d-8b8c-8e533b49f7ab
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814858
Signature
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447283 Sample: New Order DWG.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 5 other signatures 2->72 9 New Order DWG.exe 3 2->9         started        13 New Order DWG.exe 15 4 2->13         started        process3 dnsIp4 50 C:\Users\user\...50ew Order DWG.exe.log, ASCII 9->50 dropped 82 Injects a PE file into a foreign processes 9->82 16 New Order DWG.exe 9->16         started        52 103.167.92.242, 49715, 49727, 49740 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 13->52 19 cmd.exe 1 13->19         started        21 cmd.exe 3 13->21         started        file5 signatures6 process7 file8 54 Modifies the context of a thread in another process (thread injection) 16->54 56 Maps a DLL or memory area into another process 16->56 58 Sample uses process hollowing technique 16->58 60 Queues an APC in another process (thread injection) 16->60 24 explorer.exe 16->24 injected 62 Suspicious powershell command line found 19->62 26 powershell.exe 19 19->26         started        28 wscript.exe 19->28         started        30 conhost.exe 19->30         started        32 timeout.exe 1 19->32         started        46 C:\Users\user\AppData\...46ew Order DWG.exe, PE32 21->46 dropped 48 C:\...48ew Order DWG.exe:Zone.Identifier, ASCII 21->48 dropped 64 Drops PE files to the startup folder 21->64 34 conhost.exe 21->34         started        signatures9 process10 process11 36 chkdsk.exe 24->36         started        39 systray.exe 24->39         started        41 New Order DWG.exe 2 26->41         started        signatures12 74 Modifies the context of a thread in another process (thread injection) 36->74 76 Maps a DLL or memory area into another process 36->76 78 Tries to detect virtualization through RDTSC time measurements 36->78 80 Injects a PE file into a foreign processes 41->80 43 New Order DWG.exe 41->43         started        process13 signatures14 84 Modifies the context of a thread in another process (thread injection) 43->84 86 Maps a DLL or memory area into another process 43->86 88 Sample uses process hollowing technique 43->88
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ba68a19bea8cc34d1145e30c3edd928a4bbc35798f13c109be206eb7b8ac89a/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-07-11 20:01:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dotiugn6vdgdjuiulyymh3ozfcslxq2xtdytyee34idow64kzcna._file
Verdict:
unknown
Similar samples:
19d4050d0e2cfb28e62d91052123b50ead9c4c84501accb05e523c9593960245
Formbook
26451cc21c9b45f518c361ce5c7db51016fc19cd8aca7c2886e26e768eb10a81
Formbook
32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30
Formbook
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
Formbook
6f56e2921121d8013895cf883d382c22103da8cee4f057169b822b7a1615d4ed
Formbook
71f5a0e02cfd97625bfaf4c5e48825b8b08262a7ac89f1b7f8ae82c1200205f8
Formbook
8b0d6717a7d98595e7727f5309e19a1f3dae7986d1809f14f8de4edfb2810a3e
Formbook
8e3c9001f9377d8c55aabd93e84e71e5b0eaa73bf783e880ef70476b442348b7
Formbook
af39da9af98c382d3a779807cfcf7d127e395661d3718089693cd810f60119aa
Formbook
f4fd51e6e0684d722cfacceb9a3abb8e4c449e96dce19b1f8b47fc8b09abf9df
Formbook
+ 210 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210712-14ny1ywgme/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.rolandgabriel.com/bdqg/
Unpacked files
SH256 hash:
1ba68a19bea8cc34d1145e30c3edd928a4bbc35798f13c109be206eb7b8ac89a
MD5 hash:
5787610a8b95269c467fb4507c6633bd
SHA1 hash:
5c3f4365352976d13fb53ec1f02162ca201fecb9
Link:
https://www.unpac.me/results/55d7a10d-5d93-4f4d-ab3c-e6abff541558/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/1ba68a19bea8cc34d1145e30c3edd928a4bbc35798f13c109be206eb7b8ac89a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/171100/

Comments