MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25f49539277650096e232f0d3e11788d7099d0bb7f23e87d6fcd852e3384b640. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25f49539277650096e232f0d3e11788d7099d0bb7f23e87d6fcd852e3384b640
SHA3-384 hash: 6cb90e83fdb11ca6a9daa81363f762b9aa174becdf1d8b90309ce672f19da2e121648b02136b37f051d65db04c41e594
SHA1 hash: e735a591c50fc903d6ab930fb19385776d78f8f0
MD5 hash: b4ab4dbdd1ca0497fa5a7dbd46689a73
humanhash: lake-quebec-football-fix
File name:Payment _Arabian Parts Co BSC©.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:890'880 bytes
First seen:2021-01-22 13:12:25 UTC
Last seen:2021-01-22 17:07:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:z+mgYUGwr09fUt09fUiLOzBME9KQ1BI51:RgYUnGfU8fUiLOzSE9rBA
Threatray 5'450 similar samples on MalwareBazaar
TLSH FF15CE13F6DC96DFD6785774D37042F293B2AC138631EA8ABDD034AC19B368D89162C6
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment _Arabian Parts Co BSC©.exe
Verdict:
Malicious activity
Analysis date:
2021-01-22 13:14:20 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/3a002b5e-b331-47e6-9cc5-2e646e4a0623

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114582/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42809.11211.17707.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Launching cmd.exe command interpreter
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/588314
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 343183 Sample: Payment _Arabian Parts Co B... Startdate: 22/01/2021 Architecture: WINDOWS Score: 100 32 www.identifiant-espacepostale.info 2->32 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 8 other signatures 2->48 11 Payment _Arabian Parts Co BSC#U00a9.exe 12 2->11         started        signatures3 process4 file5 30 Payment _Arabian P...o BSC#U00a9.exe.log, ASCII 11->30 dropped 58 Injects a PE file into a foreign processes 11->58 15 Payment _Arabian Parts Co BSC#U00a9.exe 11->15         started        signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 15->60 62 Maps a DLL or memory area into another process 15->62 64 Sample uses process hollowing technique 15->64 66 Queues an APC in another process (thread injection) 15->66 18 explorer.exe 15->18 injected process9 dnsIp10 34 ucisqmx.com 102.134.56.216, 49776, 80 sun-asnSC South Africa 18->34 36 www.mingjiuhb.com 156.241.53.159, 49770, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->36 38 21 other IPs or domains 18->38 50 System process connects to network (likely due to code injection or exploit) 18->50 22 chkdsk.exe 12 18->22         started        signatures11 process12 dnsIp13 40 www.mbwvyksnk.icu 22->40 52 Modifies the context of a thread in another process (thread injection) 22->52 54 Maps a DLL or memory area into another process 22->54 56 Tries to detect virtualization through RDTSC time measurements 22->56 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/25f49539277650096e232f0d3e11788d7099d0bb7f23e87d6fcd852e3384b640/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-22 10:17:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ex2jkojhozias3rdf4gt4elyrvyjtuf3p4r6q7lpzwcs4m4ewzaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2d876129c69f0f4be0c87aeb20cdc38ae8f5db29bea6f87807946b89e0b61a50
Formbook
373978ea9f4ae282536f4991ffac268b5597b69c399633ca9e2f97b8dbd01c6f
Formbook
4c2ffa57352cd1e3b76fdf01f581046245fe70427377823464857ad32189dcba
Formbook
6c595ae0af40886a5d0e907120894e72fadef005a527230b5c28a3e2767789f1
Formbook
79a5735a233925fa0fbbae9a0d38411de1d697dd5bbed65970c94bdf2be1a16a
Formbook
7d47ed47853921d8afd5b66c6305421eb80b582d6e47706602d52ee367496cc1
Formbook
a7df5fff3eb06082036dd6634fa7c5022c48ae5438e5cff66bc500906c16597e
Formbook
b95d2327a21e9c59261df7296f490ad524393475c00458e90567be63db226935
Formbook
c41c3e04f58d643f5d30f52077a53a8c151d835aa44da144b9165a0297314f14
Formbook
c73732f1e8d7aff13f1c0ef733d9d4734ad81b12f27b414f0412204eb3373c71
Formbook
+ 5'440 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader evasion loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210122-j42e4zbdga/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.smithsreddogranch.com/oge8/
Unpacked files
SH256 hash:
656316841174df62d9e2b1aa0cd6023671e7dc3acb9e9d3c32379847dbd857e3
MD5 hash:
2ec1f817eb5e680712e7bbba91ab8bfa
SHA1 hash:
66555f6060fa1e125fa9e0d195434c634ce74827
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d30cef41-6c10-45c1-9602-2a9ff20cad00/
Parent samples :
25f49539277650096e232f0d3e11788d7099d0bb7f23e87d6fcd852e3384b640
a5d296940aa22ec9c8d591baa8aad491e9b1880c4585da46de772ebe9209b6d0
SH256 hash:
2e686d7516ffbf1d04fb732f69aa4a6e0465483dd79af4a9b41ad641e16f6185
MD5 hash:
60304f8ed476a14a11628b1c3f67c63d
SHA1 hash:
99dda5847306bf3479f59d5bf549d7b47d4bf37b
Link:
https://www.unpac.me/results/d30cef41-6c10-45c1-9602-2a9ff20cad00/
SH256 hash:
eec52286e4c4e995ab12c5b65582ea7db257483d75f306e120744af8a95d0f53
MD5 hash:
7df56888554bfba84e51e4448b6548f7
SHA1 hash:
79100e03e88e00122c2180fc9e73733339a94587
Link:
https://www.unpac.me/results/d30cef41-6c10-45c1-9602-2a9ff20cad00/
SH256 hash:
25f49539277650096e232f0d3e11788d7099d0bb7f23e87d6fcd852e3384b640
MD5 hash:
b4ab4dbdd1ca0497fa5a7dbd46689a73
SHA1 hash:
e735a591c50fc903d6ab930fb19385776d78f8f0
Link:
https://www.unpac.me/results/d30cef41-6c10-45c1-9602-2a9ff20cad00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25f49539277650096e232f0d3e11788d7099d0bb7f23e87d6fcd852e3384b640

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip affb428ae41c24757d2f1b9f0a1d539fcdd36638c2c99ee6dec1eb36eecbf86f

Formbook

Executable exe 25f49539277650096e232f0d3e11788d7099d0bb7f23e87d6fcd852e3384b640

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 affb428ae41c24757d2f1b9f0a1d539fcdd36638c2c99ee6dec1eb36eecbf86f
Cape
Cape
https://www.capesandbox.com/analysis/114582/

Comments