MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ceaf0bcc42eb42fd5f0762a630d78d965c6d4188016f32429f2eb86330da7dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ceaf0bcc42eb42fd5f0762a630d78d965c6d4188016f32429f2eb86330da7dc
SHA3-384 hash: ae2bdc0e89f4e77f1103381b2d182580d2c87efa51cdaa7e91e6acede5e635011a4330c4d4b495df97082d5867525520
SHA1 hash: 5f0c6d3dd08e52371982062c7dffc935557ffcba
MD5 hash: 00c19cdfb4c0dd846227e8eae3b3931e
humanhash: xray-queen-cup-whiskey
File name:RFQ # 1014397402856.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:706'048 bytes
First seen:2021-04-04 08:24:03 UTC
Last seen:2021-04-04 12:57:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:fIh2d+Kj8Vkc3r60Ya8MVWluqaHaZdhvgc3DS+7Dim:fo2U2xh0YhM0Yq3zhvd3DPZ
Threatray 4'442 similar samples on MalwareBazaar
TLSH B9E4E027294AEF51CB244D36A4B6C37937FBA1850B228F119ECC46EFBD25F0DE651026
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: iwhost8.axxesslocal.co.za
Sending IP: 197.242.150.169
From: A Kanjani <md@gtobacco.com>
Subject: RFQ # 1014/397-18/NA
Attachment: RFQ 1014397402856.pdf.rar (contains "RFQ # 1014397402856.pdf.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
330
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ # 1014397402856.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-04 08:25:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1457c0db-91a0-4557-9f15-658291e78965

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132079/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.22613.24328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f5e52d9e-1674-4442-8e98-2dd65ace9ec1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665537
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381696 Sample: RFQ # 1014397402856.pdf.exe Startdate: 04/04/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 10 other signatures 2->41 10 RFQ # 1014397402856.pdf.exe 3 2->10         started        process3 signatures4 49 Injects a PE file into a foreign processes 10->49 13 RFQ # 1014397402856.pdf.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 27 www.ycmath.com 47.108.93.46, 49732, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 16->27 29 www.mybusinessdoor.com 16->29 31 3 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 wlanext.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-04-04 07:28:45 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftvpbpgef22c7vpqoyvggdly3fs4nvayqalpgjbj6lvymmynu7oa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ef4f3934342133702e07d176450b7304d5f85bc78652821356f9f046d5367b4
Formbook
125b3f2e9eef8a9a9ef6c677fd9a30af2f153284c727aa914329e77bfe2ac49d
Formbook
5455b443ff5876acc7f13248570814b58e402911e049c1c3c1b1f6b9ac28ca95
Formbook
6a4762f9c862a1ee20e00a7706f5b7dd6f12575513efdb09ea36adbec1ee202f
Formbook
7e0c1f10cfd225b16e83ecf7bc37a782441b8a96225fff827572bc3a81421bb9
Formbook
965df8ebef029defa94503159ecc0bb6d34368723093287b6b812983ed3fdd77
Formbook
b04fb6a2bc53196885c36c1de64a717a47bd0c450f2948999c368cf489e9ffb8
Formbook
b5ac8902c4d239f5f72366876e99a586d3aaafe45c9a9e098c8ded9a2db7615c
Formbook
bb21e5cc104a482d8d806a79b75f20781bde73dfb3ac59d6cd58fed12e9757e5
Formbook
bde11e5f0bd0e97d5fec3572de59518b300d0a27602c25d9699d8fc030022cb1
Formbook
+ 4'432 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210404-9lnspvtya2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.supinapp.com/grv/
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/2897c7da-63ba-49cd-96e4-fd1d2b2adbbe/
SH256 hash:
2ceaf0bcc42eb42fd5f0762a630d78d965c6d4188016f32429f2eb86330da7dc
MD5 hash:
00c19cdfb4c0dd846227e8eae3b3931e
SHA1 hash:
5f0c6d3dd08e52371982062c7dffc935557ffcba
Link:
https://www.unpac.me/results/2897c7da-63ba-49cd-96e4-fd1d2b2adbbe/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar dada9e05330e6b6ff4d3ff68567caf21dafbb9057ea50a33626bec577a3c175d

Formbook

Executable exe 2ceaf0bcc42eb42fd5f0762a630d78d965c6d4188016f32429f2eb86330da7dc

(this sample)

  
Dropped by
MD5 868f8c2ddf977c0bbdfe7955452b51a8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dada9e05330e6b6ff4d3ff68567caf21dafbb9057ea50a33626bec577a3c175d
Cape
Cape
https://www.capesandbox.com/analysis/132079/

Comments