MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16
SHA3-384 hash: ede02b8fe1bb763b9a0e4707b3d32d364b7771d2d5aeca07e49d33c62e0a2a7c8cb1eac9e70a3e5255ae25a13aba8c94
SHA1 hash: 4b2a2605e9db96e5a179a9b173c3f0f879570192
MD5 hash: fdb984b7b8ee5c77865fad6921e610bb
humanhash: eleven-gee-nevada-pip
File name:Purchase Order_NO189.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:592'552 bytes
First seen:2021-04-07 05:52:14 UTC
Last seen:2021-04-07 14:21:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:QJeRim58iliwOgDkeM2wxDyOiyCyYP2Dm/KLJ/fWAx:d5l0dgDH5wxDyOvu26/iJX3x
Threatray 152 similar samples on MalwareBazaar
TLSH B2C412164F4B0E0BC95E097A43FFCA38E7B0FA1870636B12DDB5B22986B76C534412E5
Reporter abuse_ch
Tags:FormBook scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail0.givexports.com
Sending IP: 143.198.194.55
From: Seema Rodrigues <sales@givexports.com>
Subject: RE: SOA - March 2021
Attachment: Purchase Order_NO189.zip (contains "Purchase Order_NO189.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order_NO189.scr
Verdict:
Suspicious activity
Analysis date:
2021-04-07 06:37:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/06950084-7d9e-49dc-937f-62a90f903bee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132739/
Detection(s):
SecuriteInfo.com.ArtemisFDB984B7B8EE.15325.16645.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Sending a UDP request
Creating a file
Reading critical registry keys
Changing a file
Replacing files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668250
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Costura Assembly Loader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383058 Sample: Purchase Order_NO189.scr Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 32 taker1.xyz 2->32 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 12 other signatures 2->48 8 Purchase Order_NO189.exe 4 2->8         started        signatures3 process4 file5 24 C:\Users\user\...\Purchase Order_NO189.exe, PE32 8->24 dropped 26 Purchase Order_NO189.exe:Zone.Identifier, ASCII 8->26 dropped 28 C:\Users\...\Purchase Order_NO189.exe.log, ASCII 8->28 dropped 30 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->30 dropped 50 Writes to foreign memory regions 8->50 52 Injects a PE file into a foreign processes 8->52 12 Purchase Order_NO189.exe 54 8->12         started        16 AdvancedRun.exe 1 8->16         started        18 AdvancedRun.exe 1 8->18         started        signatures6 process7 dnsIp8 34 taker1.xyz 12->34 36 104.21.23.61, 49755, 49763, 49764 CLOUDFLARENETUS United States 12->36 38 taker1.xyz 172.67.209.115, 49748, 49749, 49756 CLOUDFLARENETUS United States 12->38 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->54 56 Tries to steal Mail credentials (via file access) 12->56 58 Tries to harvest and steal ftp login credentials 12->58 60 Tries to harvest and steal browser information (history, passwords, etc) 12->60 40 192.168.2.1 unknown unknown 16->40 20 AdvancedRun.exe 16->20         started        22 AdvancedRun.exe 18->22         started        signatures9 62 Performs DNS queries to domains with low reputation 34->62 process10
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 05:53:09 UTC
AV detection:
8 of 48 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3f2ebzb7kkdfzhea63c7ak7ck3p52bawwzuqvdroxbwuj2mp4la._file
Verdict:
malicious
Similar samples:
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
Formbook
1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12
Formbook
1a2beaadeb5f9bc79af30c8a9e458bff69d4b481b305451afe68d0f1a9074da1
Formbook
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
Formbook
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
Formbook
4dde8ce9768e8239201fd508ec359f26c1703ebcdf4147c5503b303bacecd727
Formbook
5932fcc4c5d01a0d7667dfe1e6d10dd8c540b2ac57623c8c4b99dfdcd43cd63e
Formbook
68a091c7eeb321aeb2734ae205bda995bc71c48338200d42ed334a7e0a34f495
Formbook
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
Formbook
bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a
Formbook
+ 142 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210407-jf14egbnd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Lokibot
Malware Config
C2 Extraction:
http://taker1.xyz/V1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
d8ee4df4f188374f37e5f292b0bab0049dfd26356333ce592976963d4520685d
MD5 hash:
2ba1f8bb272a3f930535af8a7465a6db
SHA1 hash:
e1abc09b2576b9da4cc6f7bd603903130fe71165
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/47b9fe4b-8e4e-459e-8e49-8b165a690ab2/
SH256 hash:
c25e1c1f23e334946e4c8538df7eb1e3a3da3d90f04538901637dcfcfbd16f68
MD5 hash:
4ba4d3284bcacf073bffc82385e09a17
SHA1 hash:
a679109adf3d7ed3e29c8607203fc384d2d8bf9f
Link:
https://www.unpac.me/results/47b9fe4b-8e4e-459e-8e49-8b165a690ab2/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/47b9fe4b-8e4e-459e-8e49-8b165a690ab2/
SH256 hash:
72ebfe27f2e7a4131f98a1eb38b9a7331de1f424a5e3073464dbb7bc8c6334e4
MD5 hash:
a123101bd517ecc6b1555e8fa60b1de9
SHA1 hash:
1504de13775de42681e03297d45a3cc52974f55f
Link:
https://www.unpac.me/results/47b9fe4b-8e4e-459e-8e49-8b165a690ab2/
SH256 hash:
2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16
MD5 hash:
fdb984b7b8ee5c77865fad6921e610bb
SHA1 hash:
4b2a2605e9db96e5a179a9b173c3f0f879570192
Link:
https://www.unpac.me/results/47b9fe4b-8e4e-459e-8e49-8b165a690ab2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 34fc11a2129f1c6edeb812563e636682646bfb50e120f6570acb5c21b0bc6439

Formbook

Executable exe 2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16

(this sample)

  
Dropped by
MD5 5cf36bfbebffe287ffce646459ee90f0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132739/
  
Dropped by
SHA256 34fc11a2129f1c6edeb812563e636682646bfb50e120f6570acb5c21b0bc6439

Comments