MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21ac6b3466ff131a75cea134baddd37412fa73bb5b8697aad76a719346a14648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	21ac6b3466ff131a75cea134baddd37412fa73bb5b8697aad76a719346a14648
SHA3-384 hash:	5066bfb0a19f90dd4c32b0a5f8b792e433c2a73ba39938052625690913ab372634336674ebb8e15cec2e49cad4690cf9
SHA1 hash:	a866ef4760a021ddfcfdd842f904d3bcba6f528b
MD5 hash:	d1b1eef61f69d2b769d2b7dcb1acf155
humanhash:	fanta-video-saturn-queen
File name:	New Purchase Order 501,689$.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	795'648 bytes
First seen:	2020-10-14 16:21:25 UTC
Last seen:	2020-10-14 17:01:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:p2CsWqJ5UPqte+7/5OynqIHHc1ZS12IKfqK61hoGhwf8pwFJlgadL6KjVKjwlixj:p2DW+Us/hFHHEZS1lMCoEw0pwFJ
Threatray	2'454 similar samples on MalwareBazaar
TLSH	AB057CBD3252B5AEC667CD36CA641C60A6203C6B531BC207E01335AD9A1DB97DF246F3
Reporter	abuse_ch
Tags:	exe FormBook Yahoo

abuse_ch

Malspam distributing Formbook:

HELO: sonic303-25.consmr.mail.gq1.yahoo.com
Sending IP: 98.137.64.206
From: sophia.docarbide@aol.com
Reply-To: sophia.docarbide@aol.com
Subject: Re: Purchase Order Details
Attachment: New Purchase Order 501,689.rar (contains "New Purchase Order 501,689$.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70934/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42621.30675.31710.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a file

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/491448

Signature

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/21ac6b3466ff131a75cea134baddd37412fa73bb5b8697aad76a719346a14648/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2020-10-14 00:56:09 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=egwgwndg74jru5ooue2lvxotoqjpu453lodjpkwxnjyzgrvbizea._file

Verdict:

malicious

Label(s):

formbook

Formbook

23958a583d62bf343e2641dd871d6d788c99649a722fe1908fea9e72e78d17b7

Formbook

27c9bdfa6cc8c9343b507ee1df148482028afcabda152e356feabd28ecd67eb5

Formbook

31a90420f266f02ae50a6a3603ea81461fa26baae094e00448aadc569c8f7dad

Formbook

557e3c6a577287caee9f2224e8ef8455d4501f7d99c4ae818dd4d8aa268ed495

Formbook

7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b

Formbook

7d7edb74ec4a4b30b75d0337169be83d230a384ba2bb9597c626aaeadbef8048

Formbook

9528c2cff0a659892959e295c2a7e9661a9dcee51bc2e3015e73b4d25b37f135

Formbook

c5a3dbe60ff325c179eaccd5731fac2bf328022dca3c42ad847108dadf54481b

Formbook

da625c254e8607b0fdcde2ec95e4ecfd1822cfe736d3d9d48c5795e928fb6b7f

Formbook

+ 2'444 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201014-xpp9ynq21s/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Uses the VBS compiler for execution

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.touchtoby.xyz/eao/

Unpacked files

SH256 hash:

21ac6b3466ff131a75cea134baddd37412fa73bb5b8697aad76a719346a14648

MD5 hash:

d1b1eef61f69d2b769d2b7dcb1acf155

SHA1 hash:

a866ef4760a021ddfcfdd842f904d3bcba6f528b

Link:

https://www.unpac.me/results/13b23986-13b5-450e-a893-e750b95f2dde/

SH256 hash:

b95c7ee724b9af780a21ff9ef4a514d4638f4151c5269c48267f45901aa165eb

MD5 hash:

d92a968633affc48734d50c6ea21f78b

SHA1 hash:

06826fc985184b2f41d67abcd2dd2d6941551dd4

Link:

https://www.unpac.me/results/13b23986-13b5-450e-a893-e750b95f2dde/

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/13b23986-13b5-450e-a893-e750b95f2dde/

SH256 hash:

efd0f2abc20fb62394f63208f97c501d0feb625b3e69fa6e177d9dd0d3c7a4c8

MD5 hash:

0ce63e59a69c42e59a610c2d774f852e

SHA1 hash:

0f001b240d96471f0ccac3ce1369122476370163

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/13b23986-13b5-450e-a893-e750b95f2dde/

Parent samples :

9528c2cff0a659892959e295c2a7e9661a9dcee51bc2e3015e73b4d25b37f135
215d70c6d51b2b66a89f0c3a6ea7f5ccf2801b57dd1709b2ff935b518ce40ca2
7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b
c5a3dbe60ff325c179eaccd5731fac2bf328022dca3c42ad847108dadf54481b
557e3c6a577287caee9f2224e8ef8455d4501f7d99c4ae818dd4d8aa268ed495
da625c254e8607b0fdcde2ec95e4ecfd1822cfe736d3d9d48c5795e928fb6b7f
27c9bdfa6cc8c9343b507ee1df148482028afcabda152e356feabd28ecd67eb5
31a90420f266f02ae50a6a3603ea81461fa26baae094e00448aadc569c8f7dad
21ac6b3466ff131a75cea134baddd37412fa73bb5b8697aad76a719346a14648
95cf775c4ff8b1fbaa88f99cf6148cfae8116b5258169dc1bf0dbae42a60f1f1
1aa1c6c264025cc567e70f6ca867a0c6618bd2eb2ec3312730c68a41c0d7e076
a5101910da7817c72ebc45da2ee45900f306a86edc039c9072f6c1e890da6628
d5600a0e6b9fcb8482f7ebd1fedf3f814fbabbbec89773ad612da18385fb5a3b

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21ac6b3466ff131a75cea134baddd37412fa73bb5b8697aad76a719346a14648

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 9d97c42b147296636462546b20bda26a99b541c74018894e66bc73efdb07cc77

Formbook

exe 21ac6b3466ff131a75cea134baddd37412fa73bb5b8697aad76a719346a14648

(this sample)

Dropped by

MD5 7077a2e8b8c89063c877064feea5b1b7

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/70934/

Dropped by

SHA256 9d97c42b147296636462546b20bda26a99b541c74018894e66bc73efdb07cc77

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample