MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 321330f837123bfa71b5fba50ba33848c6060c72242e7cbfa37981f3e834719b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 321330f837123bfa71b5fba50ba33848c6060c72242e7cbfa37981f3e834719b
SHA3-384 hash: 19222a23a2a47e705e36d00f3cf326ab963c32253e883e83e9e1d4504fa573645217b8bc9d6de50d68cf0939b9c2fc9e
SHA1 hash: 014b3d89c5bc6983919008655fcd7d968b066785
MD5 hash: 1b79e28a23e249bf5c8670d37e207caf
humanhash: august-fanta-lemon-north
File name:ORDER SPECIFICATIONS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:890'368 bytes
First seen:2020-11-05 11:44:46 UTC
Last seen:2020-11-05 13:35:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 44b35562ed59f8261c188f2c511b9c99 (2 x Loki, 1 x MassLogger, 1 x HawkEye)
ssdeep 12288:RX11Nb/C9GnWRV5KhjgoRth0u5SBfSy4D0VttucMGaMJgrK8LX:n11YGWpqdhpAti0fIcdaMJ2
Threatray 2'829 similar samples on MalwareBazaar
TLSH 1C159F21E2A14833D373267C8C1B5664A92ABDD12DF47D466BE43C4BFF79282342529F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: vm1532797.3ssd.had.wf
Sending IP: 45.14.12.161
From: Ajfer <eissa@jbq-sa.com>
Reply-To: rasti_znaltd@mail.com
Subject: November Products Order
Attachment: ORDER SPECIFICATIONS.gz (contains "ORDER SPECIFICATIONS.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83243/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521393
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309795 Sample: ORDER SPECIFICATIONS.exe Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 34 www.alfexx2.website 2->34 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 6 other signatures 2->44 11 ORDER SPECIFICATIONS.exe 2->11         started        signatures3 process4 signatures5 52 Maps a DLL or memory area into another process 11->52 14 ORDER SPECIFICATIONS.exe 11->14         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.brevetti-ai.com 94.231.103.100, 49740, 80 ZITCOMDK Denmark 17->28 30 www.bkwashrepair.com 216.239.32.21, 49742, 80 GOOGLEUS United States 17->30 32 20 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 21 cmmon32.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/321330f837123bfa71b5fba50ba33848c6060c72242e7cbfa37981f3e834719b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 03:02:29 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gijtb6bxci57u4nv7osqxizyjddamddseqxhzp5dpga7h2buognq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
048a4bdb5c21a62e9028370b06b2804aaeb3b85b2446f5c47ff3fb3e7f676be8
Formbook
15c7df3fd38078bfe8814c09bc69279c91ae32fc7178912998b6eca91f4d82b8
Formbook
295b66b15ac99b8f3684995b627af139171b64b050baf27aafb0fffb8ab4f4eb
Formbook
4660ad3420890a6ce1c9e47ac50d398f6ba128e0d4205e69e82e012c169e5d95
Formbook
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
76b5083ce1a34c82e63cded85ecdf767f9d254e99a0d49174fbdd4a449857e41
Formbook
92625b5d11e691107b8aa2e733c1be9fe3677b5a86f03e08f239bf6e0d450885
Formbook
ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5
Formbook
da455c9459a51e64557b7f36c33a3ef60fdc43b647d1f2f480c3de5d31b2aa2f
Formbook
e0f3cc45f5f9d758b91fc99dbc5b838e8658fa28bad234825318e18d11806681
Formbook
+ 2'819 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201105-essxmwcj12/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.revitalizedmassages.com/nwrr/
Unpacked files
SH256 hash:
321330f837123bfa71b5fba50ba33848c6060c72242e7cbfa37981f3e834719b
MD5 hash:
1b79e28a23e249bf5c8670d37e207caf
SHA1 hash:
014b3d89c5bc6983919008655fcd7d968b066785
Link:
https://www.unpac.me/results/692d0905-da83-41b3-9e24-07a649a14ae7/
SH256 hash:
7f2ad16d2ac4f09ae88ecf3689c05a6bbec177f1c67d3cf1df142e842a977e1a
MD5 hash:
515b7bfb497d4a517f17e46435761ada
SHA1 hash:
57e6492c9b4a7fc5565ad73fab3657da28cfc625
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/692d0905-da83-41b3-9e24-07a649a14ae7/
Parent samples :
321330f837123bfa71b5fba50ba33848c6060c72242e7cbfa37981f3e834719b
53425ac47307e7d6e98deae06742bfebdade503bf6e48766a84ea52a3045f3a8
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

46c4f34b56d630af692356640f61edee

Formbook

Executable exe 321330f837123bfa71b5fba50ba33848c6060c72242e7cbfa37981f3e834719b

(this sample)

  
Dropped by
MD5 46c4f34b56d630af692356640f61edee
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83243/

Comments