MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 395171260fafe84055b84b5cae4ddd1d48ae4c49088867ed7a4e58de2394ac55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 395171260fafe84055b84b5cae4ddd1d48ae4c49088867ed7a4e58de2394ac55
SHA3-384 hash: 219ecd09f7ecf24cb99c936993ad08f913682e374d8a9a762388a9276e1dcb19c02296c912df9980cee07904e0bc7492
SHA1 hash: 794cfe5811a6f63c1ded6ee000a0de205c371cc7
MD5 hash: 4687a0e5dcb5891f896668b095de22c6
humanhash: earth-tango-utah-yankee
File name:NOA_-_CMACGM_-_Notice_of_Arrival_-_CMA_CGM_TANY__-_0MD1YE1MA_8506343238904000.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'152'000 bytes
First seen:2021-04-26 06:02:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:WIcDCGGzCVLKu4V89RoFJnaDbt9ByKwZG6Fbp5vc6ozjnOeX6nKAZgDpaSO3nMJB:+t7PrsJnaVOK0G6tpXrB9zztzzK
Threatray 4'883 similar samples on MalwareBazaar
TLSH E4358EA6D348EDDDE01B7835487C842140B3FD8AD966D76EBC4935A494F338236ABD0B
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NOA_-_CMACGM_-_Notice_of_Arrival_-_CMA_CGM_TANY__-_0MD1YE1MA_8506343238904000.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-26 06:10:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8cdba658-74f8-4c4a-8f16-63fcfc934256

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144201/
Detection(s):
SecuriteInfo.com.Variant.Strictor.256611.19662.556.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697350
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/395171260fafe84055b84b5cae4ddd1d48ae4c49088867ed7a4e58de2394ac55/
Threat name:
ByteCode-MSIL.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 03:49:33 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hfixcjqpv7ueavnyjnok4to5dvek4tcjbcegp3l2jzmn4i4uvrkq._file
Verdict:
malicious
Similar samples:
0cfcc28cdab9675c1a09f88af826490e0e35e4292d7eedf174f9dac055d8085d
Formbook
3ed517e03182938065c9a5d0c3e97bfc763d36e6b34b9d41472e08549a9a3108
Formbook
56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5
Formbook
5d5d38241fa7a6b854b75c5a73944b6ee1cbe4a8a2865897d9c36b10158c90be
Formbook
6cd6c9e9634dd601a9826bf8a8f1ef736e9215e19643eea904d7b7c939a8fa48
Formbook
78f83f782f8d2077dd50d65badb4ed36ec24c029241287f76560e60733b61c29
Formbook
850ba9cb8e16d04b40e1499ea65f614d760af29ed7f0892f99e10c88e1f80c68
Formbook
e836c2aecd7a2ae83a5bb088780d9e7b8cd6c3a7ff6b9c3f1261bfd1f53dbef7
Formbook
ef77a8918ed19e4c73ba620ee2fba77e1058d8b132768ef034dc10322d560aa0
Formbook
f130539b2d2324246449abb99f5a0effb214feee629b092d48ac63aca14e2ba6
Formbook
+ 4'873 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/210426-1rn8abmxan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.evolvekitchendesign.com/ffw/
Unpacked files
SH256 hash:
e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash:
efb0de4397ea61e17d262e278b53ff86
SHA1 hash:
727fdf2ceb13262d56bdda24a02564fb3e80c8b0
Link:
https://www.unpac.me/results/8e68eb41-3937-4678-97fe-aa15941ad753/
SH256 hash:
395171260fafe84055b84b5cae4ddd1d48ae4c49088867ed7a4e58de2394ac55
MD5 hash:
4687a0e5dcb5891f896668b095de22c6
SHA1 hash:
794cfe5811a6f63c1ded6ee000a0de205c371cc7
Link:
https://www.unpac.me/results/8e68eb41-3937-4678-97fe-aa15941ad753/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/395171260fafe84055b84b5cae4ddd1d48ae4c49088867ed7a4e58de2394ac55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144201/

Comments