MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb
SHA3-384 hash: cc393cce215207ac7d35450122efb7ee92d178a0709d0d500cfc977478d486cd98228f9812ddd09a380b115b2bc6f454
SHA1 hash: f9829d21aaa77699e343c5d3663e91a3f193ef2c
MD5 hash: 5a701f7f34d8198f49fdfb7dc7e88c19
humanhash: yankee-edward-east-uncle
File name:DA-PROFORMA-BCC-211370-1-1289009-doc.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:222'049 bytes
First seen:2021-03-31 06:58:42 UTC
Last seen:2021-03-31 09:50:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:PAPICphQqR3qpfERh3KZgJvwYieVkxbvIX5:uphQE3qxqc4VIbvY
Threatray 4'423 similar samples on MalwareBazaar
TLSH D724124CA2F4C4B7E5A5147035F18338FBB6E31732506B5B6B785F1C75182EAD82928E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: da-desk.com
Sending IP: 103.99.1.146
From: DA-Desk FZ-LLC Mail System <bccs@da-desk.com>
Reply-To: DA-Desk FZ-LLC Mail System <bccs@da-desk.com>
Subject: Appointment acceptance receipt confirmation for DA-PROFORMA - BCC-211370-1, 1289009
Attachment: DA-PROFORMA-BCC-211370-1-1289009-doc.arj (contains "DA-PROFORMA-BCC-211370-1-1289009-doc.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DA-PROFORMA-BCC-211370-1-1289009-doc.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 08:20:31 UTC
Tags:
installer
Link:
https://app.any.run/tasks/1639903b-76c9-4f4a-9497-3e22a53efead

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129167/
Detection(s):
SecuriteInfo.com.Variant.Jaik.44831.21729.4634.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660022
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 02:45:50 UTC
AV detection:
6 of 48 (12.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxs4nomguzabxicjbtgopdul6es5sycna7ck3b5ik2syr4flu3fq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04df6344497e9d1c321f32b61df87db549d179c6c66c3bf0b2cc7f6b1510040d
Formbook
31de85bffebf15b904ab8046680be20058efb7a2a411ec79c694194082a93e3b
Formbook
3c5cf190ba17e8138feadf46a81dbdafff69ecd8b9122aaf4967fbd9aa79c1f6
Formbook
5101663e1850401504dd1e56231725be9a3001ed01e99fa88d348b9511c52f4d
Formbook
6c8d9b097832fec5088306fabfeb26cf5aa0c67153134f4c5e356cee935f871e
Formbook
6da50c6b31b4125631987f40d7bd3dacab22c961ca9ba60dfdfa45120d5ec17a
Formbook
788510bf3fc20aacc76bd0ed1884ff8452f4e79023f2f3ad3072efbd7e74139d
Formbook
8d96cdba8c8ac7896773c03f0ab27a5cebe912d9cc6614fda1e149191fc6a7c7
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
cf993c713cfe3b22bd4978530f420e2dc54c38d106ad5fc5a9aacb1e377b81e2
Formbook
+ 4'413 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210331-hl3kdpnps6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.cheristolentino.com/uwec/
Unpacked files
SH256 hash:
054c710630c80195e64f533bb31f0cbe7a38c4dd22a88af50e6a26f955e85d45
MD5 hash:
35b0a892a71305408d04eeac1869ee53
SHA1 hash:
e17926cfd0e474a900d40e7599c09ea50047d779
Link:
https://www.unpac.me/results/bde7e03b-7850-4098-8a7a-459e52daaa72/
SH256 hash:
1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb
MD5 hash:
5a701f7f34d8198f49fdfb7dc7e88c19
SHA1 hash:
f9829d21aaa77699e343c5d3663e91a3f193ef2c
Link:
https://www.unpac.me/results/bde7e03b-7850-4098-8a7a-459e52daaa72/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 1b472f10e007ff12dd477da58de8b555a4bbb5c758d7e98361328ca48cb2a208

Formbook

Executable exe 1de5c6b986a6401ba0490ccce78e8bf125d9604d07c4ad87a856a588f0aba6cb

(this sample)

  
Dropped by
MD5 b3a992e5e3d68a4d737e04836555cb69
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/129167/
  
Dropped by
SHA256 1b472f10e007ff12dd477da58de8b555a4bbb5c758d7e98361328ca48cb2a208

Comments