MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e
SHA3-384 hash: 2ece92ad2b613459a40aeb6c0cfc8673aaef247851516be07f530dd25494bd3a8b830f08b05579f2ba0a1fa68f9aae56
SHA1 hash: 86ce6053aea4432409d394b65ee3f6a8c6fb1a40
MD5 hash: 7bb5e280fa7ba8cf2dfce650034339e0
humanhash: kentucky-georgia-diet-paris
File name:Export Invoices_&Packing List.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:697'344 bytes
First seen:2021-04-07 11:19:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:aaRbDcM3Q3rOdeW++HhtUnNJ2WD+yOiyCyYP2Dm/KLs2P:DEZrOdv+Yh+NMyOvu26/isS
Threatray 16 similar samples on MalwareBazaar
TLSH 32E424611C740248FEDE5EB6061956E71AD2ECA32A61902FD3447F26C27239CFDDA2F4
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: leoni.com
Sending IP: 103.153.183.156
From: <info@leoni.com>
Subject: Re:1x20ft Container Shipment - Factory Stuffing on 10th April 2021 / Export Invoice & Packing list
Attachment: Export Invoices_Packing List.rar (contains "Export Invoices_&Packing List.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Export Invoices_&Packing List.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 11:28:41 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/cf7de1b1-34cf-4de5-a98a-c77259ab715a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132826/
Detection(s):
SecuriteInfo.com.Artemis7BB5E280FA7B.31071.32556.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668609
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383237 Sample: Export Invoices_&Packing List.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 11 other signatures 2->59 10 Export Invoices_&Packing List.exe 3 2->10         started        process3 file4 39 C:\...xport Invoices_&Packing List.exe, PE32 10->39 dropped 41 Export Invoices_&P...exe:Zone.Identifier, ASCII 10->41 dropped 43 C:\...xport Invoices_&Packing List.exe.log, ASCII 10->43 dropped 73 Writes to foreign memory regions 10->73 75 Allocates memory in foreign processes 10->75 77 Injects a PE file into a foreign processes 10->77 14 Export Invoices_&Packing List.exe 10->14         started        17 Export Invoices_&Packing List.exe 10->17         started        19 Export Invoices_&Packing List.exe 10->19         started        signatures5 process6 signatures7 79 Modifies the context of a thread in another process (thread injection) 14->79 81 Maps a DLL or memory area into another process 14->81 83 Sample uses process hollowing technique 14->83 85 Queues an APC in another process (thread injection) 14->85 21 explorer.exe 14->21 injected process8 dnsIp9 47 rmcorredores.com 192.185.87.92, 49742, 49743, 49744 UNIFIEDLAYER-AS-1US United States 21->47 49 www.alhula.com 65.1.51.136, 49745, 49746, 49747 AMAZON-02US United States 21->49 51 2 other IPs or domains 21->51 61 System process connects to network (likely due to code injection or exploit) 21->61 63 Uses ipconfig to lookup or modify the Windows network settings 21->63 25 ipconfig.exe 18 21->25         started        signatures10 process11 file12 35 C:\Users\user\AppData\...\-N4logrv.ini, data 25->35 dropped 37 C:\Users\user\AppData\...\-N4logri.ini, data 25->37 dropped 65 Detected FormBook malware 25->65 67 Tries to steal Mail credentials (via file access) 25->67 69 Tries to harvest and steal browser information (history, passwords, etc) 25->69 71 3 other signatures 25->71 29 cmd.exe 2 25->29         started        signatures13 process14 file15 45 C:\Users\user\AppData\Local\Temp\DB1, SQLite 29->45 dropped 87 Tries to harvest and steal browser information (history, passwords, etc) 29->87 33 conhost.exe 29->33         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 07:06:26 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekgtxdpkfpkhz6mnng4jwwwn7i5bijpcaeqxraxnze66ol7a4n7a._file
Verdict:
malicious
Similar samples:
002ec09931d23f0e66d86eda11ce72113d3e29a1cd0bd296b83ee567981610d8
Formbook
0998d46172fe00c092cfcaa5326aa5354cda095e2dce37ac16b437cc147b6298
Formbook
1fc2f42421eac041e7bd6ef1fb9a691a4658e26cfa22c22a96d0f5babec06c62
Formbook
244a1abc92912383268d141128a0eafcdf2b4b2a57b9e0490169b8f233c9671a
Formbook
3d13bbe7750e38414ba19fd51fe8a253d791edb6a923af31fe5d56ae17af0eec
Formbook
41e272c62e16b458816dd05ca01a7178d861ed61b6265ff87f6d04cdd1a50a4f
Formbook
7cece5ca77b93ef7c41219923e3c080c99bffcca2141cde0acc72dc17daa6211
Formbook
9254faf90ebf9e32ea3f024c10a212c03d7c2bef3169bd0710b3e45e7d18e03f
Formbook
a717b5d3af3173ce9958a23f95269e2d8ccd8979445626342c32b398d4f08f8a
Formbook
cc7babf79c2b0aab09b6d17e93d7ecb0f01bbfcd66dc9f7f6246680ce5e5630a
Formbook
+ 6 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210407-wmplwkzbls/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.consultoramulticars.com/suod/
Unpacked files
SH256 hash:
afe84d5c8dc2b7f41be5a4bf0608ac911153aed604a090ee695998e2ecb1675e
MD5 hash:
68b6344cad37c021525608433ea09fa6
SHA1 hash:
32415ab9e9b559df6092069c729f7da446d4f264
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bc742b8e-641b-4a96-831d-2978da5547a8/
Parent samples :
228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e
d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
SH256 hash:
0032bcc918ec59f80bd26d0dabf2c0d39ea1465a4196c244e13acf010ed3f24c
MD5 hash:
d1cd5961675d42bcd6733bf22036beb3
SHA1 hash:
bfacb98318b21996c775bc84399e1ceafc6f8748
Link:
https://www.unpac.me/results/bc742b8e-641b-4a96-831d-2978da5547a8/
SH256 hash:
72ebfe27f2e7a4131f98a1eb38b9a7331de1f424a5e3073464dbb7bc8c6334e4
MD5 hash:
a123101bd517ecc6b1555e8fa60b1de9
SHA1 hash:
1504de13775de42681e03297d45a3cc52974f55f
Link:
https://www.unpac.me/results/bc742b8e-641b-4a96-831d-2978da5547a8/
SH256 hash:
228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e
MD5 hash:
7bb5e280fa7ba8cf2dfce650034339e0
SHA1 hash:
86ce6053aea4432409d394b65ee3f6a8c6fb1a40
Link:
https://www.unpac.me/results/bc742b8e-641b-4a96-831d-2978da5547a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 1cf4a440f09eb870ac2eee86adbc4d74044d1be260d379ccd4fce3b8e0e3df6a

Formbook

Executable exe 228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e

(this sample)

  
Dropped by
MD5 26beece36b944dac9fb86d072048fe45
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132826/
  
Dropped by
SHA256 1cf4a440f09eb870ac2eee86adbc4d74044d1be260d379ccd4fce3b8e0e3df6a

Comments