MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2aef6190fbec261019520c2e603024eb0abf68eaf2460b3ed7c03c14754e5a09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 2aef6190fbec261019520c2e603024eb0abf68eaf2460b3ed7c03c14754e5a09
SHA3-384 hash: db25a483992524fdb9c08940c1bfa8739e2a0922a6c1f710afc15559a5329b5f6c1878d1811374873a3e3b0f3a3761dd
SHA1 hash: 6e70f2b79d7a2db3078636acef019470767a5edf
MD5 hash: 92ce59db9a10fa135250802f6716e899
humanhash: beryllium-winner-queen-grey
File name: offer order.exe
Signature: Formbook
File size: 1'639'949 bytes
First seen: 2020-10-17 12:09:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep: 24576:GAHnh+eWsN3skA4RV1Hom2KXMmHajW9ZVrGZnNMOwpPkD3C6Hes5hyiCWR:hh+ZkldoPK8YaabVrGZnyOSkzhrCa
Threatray: 826 similar samples on MalwareBazaar
TLSH: 3E75BF026755E1AFFE9663724E13EA006179A8A48522771EB3DC1EFCE87C47D323E251
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing unidentified malware:

HELO: citdev.mx
Sending IP: 74.208.175.156
From: Корнеева Ирина <zakaz@mzsa.ru>
Subject: Доставка 20.10.20 (Russian: "Delivery 20.10.20")
Attachment: 10-17-2020_06-59-10-PM.zip (contains "offer order.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 145
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a window
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph: ID 299672 (Sample: offer order.exe, Startdate: 17/10/2020, Architecture: WINDOWS, Score: 100). The graph image is not reproduced here. Its nodes show offer order.exe and wscript.exe dropping igfxCUIService.exe, offer ordermgr.exe and lpremove.url; offer order.exe and igfxCUIService.exe performing thread injection and process hollowing into explorer.exe; the injected explorer.exe contacting belviderewrestling.com (162.241.219.11, port 80), www.belviderewrestling.com and www.allworljob.com and spawning wlanext.exe and ipconfig.exe; wlanext.exe dropping 95Nlogri.ini and triggering the FormBook, mail-credential and browser-credential theft signatures, then launching cmd.exe and conhost.exe.
Threat name: Win32.Worm.Ramnit
Status: Malicious
First seen: 2020-10-17 11:48:21 UTC
AV detection: 28 of 29 (96.55%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: upx rat persistence spyware trojan stealer family:formbook
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.joomlas123.info/n7ak/
Unpacked files
SHA256 hash: 2e774712cc111cd4eb3a59b5a6f58fa2be9080813ed316f75bf99cdc66f60692
MD5 hash: 0fbea7227adab7d43daa5c3d1645bb1d
SHA1 hash: 536b3c19db69d59f55b55e2b79760b7c5fcced6b
SHA256 hash: 2aef6190fbec261019520c2e603024eb0abf68eaf2460b3ed7c03c14754e5a09
MD5 hash: 92ce59db9a10fa135250802f6716e899
SHA1 hash: 6e70f2b79d7a2db3078636acef019470767a5edf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 2aef6190fbec261019520c2e603024eb0abf68eaf2460b3ed7c03c14754e5a09 (this sample)
Delivery method: Distributed via e-mail attachment
