MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61
SHA3-384 hash: 9537b000c10d4fe3ee49d04f2885d6f638b32735732196f796212368c9ebb20a0dbe3fba8bd9e569c3b1807bada8cc4e
SHA1 hash: ee7f5e95ebca427b8b5baf712e7870a872d3f43f
MD5 hash: d34101f0d1a192f78c01dc6d21a06741
humanhash: hawaii-salami-blue-whiskey
File name:PO#252020.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:463'360 bytes
First seen:2020-09-25 05:52:46 UTC
Last seen:2020-09-26 02:12:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:mXpZ6txMYlJyR2/5KTB6ye9cOE0jsSbVAD8Ufl4b:4Gx8M/ZyCEUAD8Uflc
Threatray 2'209 similar samples on MalwareBazaar
TLSH C1A4CF145AE88F58E2BE5B78D4381C1487F3EA03D721EF9DFC9924B81B2AB91C911753
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/65709/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.25098.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/474708
Signature
Benign windows process drops PE files
Disables Windows Defender (via service or powershell)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 289803 Sample: PO#252020.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 48 www.reclaimthemap.com 2->48 50 reclaimthemap.com 2->50 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 10 other signatures 2->64 8 PO#252020.exe 1 7 2->8         started        signatures3 process4 file5 40 C:\Users\user\AppData\Roaming\qPkAIiP.exe, PE32 8->40 dropped 42 C:\Users\user\...\qPkAIiP.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmpDF83.tmp, XML 8->44 dropped 46 C:\Users\user\AppData\...\PO#252020.exe.log, ASCII 8->46 dropped 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->70 72 Tries to detect virtualization through RDTSC time measurements 8->72 74 Disables Windows Defender (via service or powershell) 8->74 76 Injects a PE file into a foreign processes 8->76 12 PO#252020.exe 8->12         started        15 powershell.exe 25 8->15         started        17 powershell.exe 22 8->17         started        19 14 other processes 8->19 signatures6 process7 signatures8 78 Modifies the context of a thread in another process (thread injection) 12->78 80 Maps a DLL or memory area into another process 12->80 82 Queues an APC in another process (thread injection) 12->82 21 explorer.exe 12->21 injected 26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        30 conhost.exe 19->30         started        32 conhost.exe 19->32         started        34 conhost.exe 19->34         started        36 10 other processes 19->36 process9 dnsIp10 52 cottonflux.com 34.102.136.180, 49758, 80 GOOGLEUS United States 21->52 54 www.cottonflux.com 21->54 56 192.168.2.1 unknown unknown 21->56 38 C:\Users\user\AppData\...\_rpdbbd63duf.exe, PE32 21->38 dropped 66 System process connects to network (likely due to code injection or exploit) 21->66 68 Benign windows process drops PE files 21->68 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 03:18:42 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hepzmfkku7d5j5dbny3uni5fgnss6zcbt5yrzbiqzgpad75hrrqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
Formbook
209a9092f39d420c7a9a9af3c8bae1183639ceb8089b5f07eca30db7b66f9fc6
Formbook
2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Formbook
30d3cf43f91eea8df889ee14337ca8067bc68521ff63184c679aac80b321bb75
Formbook
33500d82b580ebcc34521dd70217ba0cf976d4708f6d9d413388aae64317b43d
Formbook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
Formbook
6612e640d15ed26414fc5c288b9bb7050db90517febb11d4b5145fb8d84441b9
Formbook
7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7
Formbook
bf694824d6cbf6fba77ce087678b03ee8243a245b4b730eb55fb83e83b8dff8e
Formbook
cedead5dd0528f69da0617580afc0bcb6dd52eb05ad35dc2f24ec45179851e62
Formbook
+ 2'199 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook evasion
Link:
https://tria.ge/reports/200925-e8sm9jxj2j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Windows security modification
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Modifies Windows Defender Real-time Protection settings
Malware Config
C2 Extraction:
http://www.mscast03.info/cx0/
Unpacked files
SH256 hash:
391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61
MD5 hash:
d34101f0d1a192f78c01dc6d21a06741
SHA1 hash:
ee7f5e95ebca427b8b5baf712e7870a872d3f43f
Link:
https://www.unpac.me/results/a14fa285-e231-4124-9d90-de2fea8d5320/
SH256 hash:
da89c54ad4b9992a254931ae4458087b4ddd81538e9fe0a309bc43430288d9ea
MD5 hash:
0cb07e29d44f67bbd5f87f7a8022aa38
SHA1 hash:
166015224438e17f92582ebbffb23f6a4f986ffb
Link:
https://www.unpac.me/results/a14fa285-e231-4124-9d90-de2fea8d5320/
SH256 hash:
897aaf3b174bad80d67a5aa2c23b6ba133800334bb255bcf04024d1e0be5679b
MD5 hash:
05fd0dd170ffcad27adb1c92cbed8e10
SHA1 hash:
5339422cdac397050aa3c9f6786bff43f40860e3
Link:
https://www.unpac.me/results/a14fa285-e231-4124-9d90-de2fea8d5320/
SH256 hash:
785261875049471f6432827571071af39fdb06ec0a223224c12792201a9f66e5
MD5 hash:
e41b095949e16c551511c80acfc18ac2
SHA1 hash:
c1c9299481d8604297151f48ac8c790c9e920504
Link:
https://www.unpac.me/results/a14fa285-e231-4124-9d90-de2fea8d5320/
SH256 hash:
5b3187cab1bcfdc847b20d3d07c93da63725524dca746e9360bbfa6cf74170ba
MD5 hash:
06e0a11653b9c898b692417b69e0bd9c
SHA1 hash:
9c797257b1b38e71d0a13467c1647754bb70dcc7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a14fa285-e231-4124-9d90-de2fea8d5320/
Parent samples :
391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61
0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9
25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 184cdc94d8c4e4949a004a69559f62e92572dcf066a866386069f93f92f4ff53

Formbook

Executable exe 391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61

(this sample)

  
Dropped by
MD5 8537e85b58a9e5402ea44dbb7af749e1
  
Dropped by
SHA256 184cdc94d8c4e4949a004a69559f62e92572dcf066a866386069f93f92f4ff53
  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/65709/

Comments