MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23cb1d198cca93539a5bdbf18ce44ae3692be0ae968b5fe55e3794ec481aa1cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23cb1d198cca93539a5bdbf18ce44ae3692be0ae968b5fe55e3794ec481aa1cf
SHA3-384 hash: 969771313752c5f63b1cccf97fec0b7917e5c8f94d930bb9f70aa3757bd14ce59b2407990bce0aab75d5febc1acc6b17
SHA1 hash: 320bdd9abcc530b49b2fdcd83b201f71340e38d7
MD5 hash: 8fd39baa587c25915cf5dbb45205137a
humanhash: jig-colorado-papa-crazy
File name:ORDER SPECIFITIONS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:711'168 bytes
First seen:2020-11-18 06:34:54 UTC
Last seen:2020-11-27 10:16:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:0IvFWMmxXA9NK32djGMyp6SVAwKNEl5G85Ktxu92qJ9QxnycQ:HENw23+cpzVONEXB5oa2q/WW
Threatray 3'007 similar samples on MalwareBazaar
TLSH 94E4E0356679AF52E0BD873BC4A12820A3F4EC428223D52FBDE4F4D95AA4FEC5170947
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
37
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.jc.28977.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/540428
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 319316 Sample: ORDER SPECIFITIONS.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 33 www.meatslasvegas.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 11 ORDER SPECIFITIONS.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\...\ORDER SPECIFITIONS.exe.log, ASCII 11->31 dropped 57 Injects a PE file into a foreign processes 11->57 15 ORDER SPECIFITIONS.exe 11->15         started        18 ORDER SPECIFITIONS.exe 11->18         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 20 explorer.exe 15->20 injected process9 dnsIp10 35 shops.myshopify.com 23.227.38.64, 49755, 80 CLOUDFLARENETUS Canada 20->35 37 punebites.com 81.19.215.15, 49749, 80 BANDWIDTH-ASGB United Kingdom 20->37 39 4 other IPs or domains 20->39 49 System process connects to network (likely due to code injection or exploit) 20->49 24 cscript.exe 20->24         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 24->51 53 Maps a DLL or memory area into another process 24->53 55 Tries to detect virtualization through RDTSC time measurements 24->55 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23cb1d198cca93539a5bdbf18ce44ae3692be0ae968b5fe55e3794ec481aa1cf/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 00:41:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
23 of 28 (82.14%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epfr2gmmzkjvhgs33pyyzzck4nusxyfos2fv7zk6g6koysa2uhhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
16a4855bceb4df02e0478cd72972a6e7f144f2278fedb239c2cb696cf6bf7199
Formbook
2693356eb785b39160f0dd89c916020ab5ae032faaa931b30c393e93da2740e4
Formbook
598bcdbe4c3e21a17a48d44dc03640f90643d1a03549ec429c7f96fd48e6a7ea
Formbook
6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645
Formbook
6c38cd22154fec33d60c57f97e3a4d09d481f30422c2d0b1a6a65ea65639dd69
Formbook
82ec33dd4f26eab172d8a0fc536751d12153a3f7175351da311a7059217c670e
Formbook
914712c702b94abb26e0d1edbd54712d62a2fdb6cfbc9bd41ac8bcb84296358f
Formbook
b1b8f6dcd1c8d12e5a79a8d16dd62d0900d552ba435178b691f4497d338cc704
Formbook
bdad93534a202f7d3c2f102dc39093fa12a32f5de82c76a5fb41a94e1748d99e
Formbook
fc6c24e17bd06e27dcc1ac019e4080d4a1a2f10459f74c17b9bb19fb8ba6e442
Formbook
+ 2'997 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201118-znl7vcskes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.firedoom.com/sbmh/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip d8e69bb18a777adf6e3f6ced4b48d0cad6bc54e419351225a9d292827371413a

Formbook

Executable exe 23cb1d198cca93539a5bdbf18ce44ae3692be0ae968b5fe55e3794ec481aa1cf

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d8e69bb18a777adf6e3f6ced4b48d0cad6bc54e419351225a9d292827371413a

Comments