MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ad3891aeb09b03c1197267642a1dfbbab7ee5cfd61a426db27e3b7c7445fa35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ad3891aeb09b03c1197267642a1dfbbab7ee5cfd61a426db27e3b7c7445fa35
SHA3-384 hash: da051e0354c957dbbd3f9e9f2df34e212edd4acfbe1341fe8ea004d417f2fe8bccfb56b54eb8e9f69912cd0220cca5f8
SHA1 hash: e38accedb4706dbdd38fb152efadf107f621cc36
MD5 hash: 193b95fd6c89fdd4af095cbc0afdbc19
humanhash: alpha-fruit-burger-lake
File name:INQUIRY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:653'824 bytes
First seen:2020-11-19 08:07:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:eQmYu2I6DRmEuQNolgXerr4TpEuiP5+5kvg3wUQJnUZMxrhm0rF9noR:62IeFhysEZ4mUWxrlrF
Threatray 2'996 similar samples on MalwareBazaar
TLSH A0D4AF453144B8DFD40399B28CBF9C3061643DAE422BC60F2143BA6B95FE353695BB9B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: slot0.nc-hunicorn.com
Sending IP: 45.85.90.117
From: Allie Angel <AAngel@storetekeng.com>
Reply-To: Allie Angel <office@nc-hunicorn.com>
Subject: New Order
Attachment: INQUIRY.zip (contains "INQUIRY.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis193B95FD6C89.10948.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/542456
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 320324 Sample: INQUIRY.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 100 31 www.miss-fox.com 2->31 33 www.jinyang-medicine.com 2->33 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AntiVM_3 2->45 47 3 other signatures 2->47 11 INQUIRY.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\INQUIRY.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 INQUIRY.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.ejc0.com 45.39.88.85, 49765, 80 EGIHOSTINGUS United States 18->35 37 www.loadedmaza.com 154.219.198.139, 49766, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 18->37 39 www.linehomeimprovement.com 104.27.152.230, 49769, 80 CLOUDFLARENETUS United States 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ad3891aeb09b03c1197267642a1dfbbab7ee5cfd61a426db27e3b7c7445fa35/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 07:03:52 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fljysgxlbgydyemxez3efio7xovx5zop2ynee3nspy5xy5cf7i2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d6b4c596e189a78ffd872bffe908aaf27f74f6c36dddfd50b517f9155c0938b
Formbook
29562212d731f51f5773e7996530971ccecfe84d6116bcbdbb3e41e6a2054b9a
Formbook
4c6f0e3d4adfc52b7507b9439e9176afe4b0345a8c89b9300aad2cf396908bc9
Formbook
4e712f5df51bc5970b962b170cfde7a6cd20622ac67164a6f2101655a8a7d7f3
Formbook
718d659864d771ebadf82d8b5461d39c2bd6bd514ea2d2273d2821a23ab28ed0
Formbook
9fa2ffcaaf492a5d9e68b376580871cce9d495d32934d90fe7e431b09de2c6d9
Formbook
bbb95e154a42908b2bbb1797d8b6178343b7c084158183f628b5c4bf3fe5ac7d
Formbook
d86a036697fc43fa7041bd5e298ff785adcf44c78057f3c1c9db8fa9f694ce64
Formbook
e232dc56a916d659961271caf129b47c5fa561f71ecff17f6c96801cd7b50820
Formbook
e8383b3c3d533f13eb4b642b48d587cddaf187f0d1719e829f5e4cf5eea24969
Formbook
+ 2'986 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201119-nt6el4ygd2/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.bingzuclub.com/p0q/
Unpacked files
SH256 hash:
2ad3891aeb09b03c1197267642a1dfbbab7ee5cfd61a426db27e3b7c7445fa35
MD5 hash:
193b95fd6c89fdd4af095cbc0afdbc19
SHA1 hash:
e38accedb4706dbdd38fb152efadf107f621cc36
Link:
https://www.unpac.me/results/3059781b-c9b8-4e5b-b87e-22624fe3d075/
SH256 hash:
0dc40b47f31be7574ae6be4ae66809cd79785be8b4d50ad11c487c71fbaa2fea
MD5 hash:
c8d56873d6260510a38e3a5eae372adb
SHA1 hash:
0bbba5777399146f2b241c54fcfd34a02b259b24
Link:
https://www.unpac.me/results/3059781b-c9b8-4e5b-b87e-22624fe3d075/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/3059781b-c9b8-4e5b-b87e-22624fe3d075/
SH256 hash:
2a995200813fd46a14746828a55c5975a8112070f12887021c8ddcc772d5fb24
MD5 hash:
8ee0df787051c47146addb3116d9c620
SHA1 hash:
4bae3776a6093965eca7cfbecf9613b80df0661c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3059781b-c9b8-4e5b-b87e-22624fe3d075/
Parent samples :
2ad3891aeb09b03c1197267642a1dfbbab7ee5cfd61a426db27e3b7c7445fa35
da37b9b8890fa84de87323c1599d96ca8aab10238d9d98bdb72853f2d445780f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip e8e5f5e61e9fb0a9388df59d736188ea1f6ecdc50cd7b573fad240f63004fa00

Formbook

Executable exe 2ad3891aeb09b03c1197267642a1dfbbab7ee5cfd61a426db27e3b7c7445fa35

(this sample)

  
Dropped by
MD5 2116e024dbeca2d83f5edfe2872f8611
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e8e5f5e61e9fb0a9388df59d736188ea1f6ecdc50cd7b573fad240f63004fa00

Comments