MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a04294c74c076d017ac8f59b506f735547d31472f7480cb6652dea5e3a2816c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a04294c74c076d017ac8f59b506f735547d31472f7480cb6652dea5e3a2816c
SHA3-384 hash: aae0e3d71d8018715b03f79056d988c3d6f0e3bbe1bf09ffd7d0346ac706da0989b2243072bbdbca1cf11eaa16b289e5
SHA1 hash: ccf670892b360b42fa7426de02a3e7629f333841
MD5 hash: fa181a9414347d63137af021b2141cd6
humanhash: floor-burger-freddie-twenty
File name:ORDER_LIST.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'163'776 bytes
First seen:2021-01-19 07:31:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:AMblHZvkdJxcSOzaI+7VnlGJ2d6qCGw/geVurSGbDk:jHZvkdJxMuX5las6qfw/g5rVb
Threatray 3'492 similar samples on MalwareBazaar
TLSH C335BF11638DDB21D7FC56FAAC0055A073ADED42F658E77CD9B2B0C66871E6800DEB82
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: smtp2.hiworks.co.kr
Sending IP: 121.254.168.210
From: 조재민 <newiz8@dsmecasys.com>
Reply-To: "조재민" <newiz8@dsmecasys.com>
Subject: ORDER_JANUARY
Attachment: ORDER_LIST.LZH (contains "ORDER_LIST.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER_LIST.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-19 07:41:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ae52b06b-3ecd-4b18-8186-88f13be6f273

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112788/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584699
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341384 Sample: ORDER_LIST.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 11 other signatures 2->57 10 ORDER_LIST.exe 7 2->10         started        process3 file4 33 C:\Users\user\AppData\...\bEWIuckEckK.exe, PE32 10->33 dropped 35 C:\Users\...\bEWIuckEckK.exe:Zone.Identifier, ASCII 10->35 dropped 37 C:\Users\user\AppData\Local\...\tmp5599.tmp, XML 10->37 dropped 39 C:\Users\user\AppData\...\ORDER_LIST.exe.log, ASCII 10->39 dropped 67 Tries to detect virtualization through RDTSC time measurements 10->67 14 ORDER_LIST.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Maps a DLL or memory area into another process 14->71 73 Sample uses process hollowing technique 14->73 75 Queues an APC in another process (thread injection) 14->75 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 41 www.greatlookfashion.club 172.67.163.19, 49733, 80 CLOUDFLARENETUS United States 19->41 43 shops.myshopify.com 23.227.38.74, 49742, 80 CLOUDFLARENETUS Canada 19->43 45 2 other IPs or domains 19->45 59 System process connects to network (likely due to code injection or exploit) 19->59 25 chkdsk.exe 12 19->25         started        signatures10 process11 dnsIp12 47 192.168.2.1 unknown unknown 25->47 49 www.ignition.guru 25->49 61 Modifies the context of a thread in another process (thread injection) 25->61 63 Maps a DLL or memory area into another process 25->63 65 Tries to detect virtualization through RDTSC time measurements 25->65 29 cmd.exe 1 25->29         started        signatures13 process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3a04294c74c076d017ac8f59b506f735547d31472f7480cb6652dea5e3a2816c/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 07:32:19 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hiccstduyb3naf5mr5m3kbxxgvkh2mkhf52ibs3gklpkly5cqfwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3809041ce9fcb7f00674e65db2fd63f94373df583d6e3e869943aeb08b34ad28
Formbook
4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
Formbook
6c38cd22154fec33d60c57f97e3a4d09d481f30422c2d0b1a6a65ea65639dd69
Formbook
75f121f9048171649f3ba28afcd30a1dcd668266717b0d98e8bac88afe411fe7
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
a2d9b5d16fcae146b34d3ed40bb6444d4b4bb497ed63e8f4d720af4d24cb5450
Formbook
bee8a22eb4d9075c2ad9afd608787229af9cb1d76404f7fbc30e6984b7f3f872
Formbook
bf6af5ed0a5504358dc8a24b7b37c5f7ed9ed7e6b2760b64e0650a845880d3ed
Formbook
cb9e52fd5d9184843d3d0a1b79e604e1c19be1a09df19c2f444632d716c30e9e
Formbook
ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b
Formbook
+ 3'482 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210119-91zkkk8dtx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.merckcbd.com/dei5/
Unpacked files
SH256 hash:
1d6ecf546163882d34d4bb2b7afa3889506ca3036ed536c4ed972ed89bdf5035
MD5 hash:
fb169513679d349cb2a7e4121bacfd4a
SHA1 hash:
26619d7ce0a175b9fc4fbfd7f4b105050562924f
Link:
https://www.unpac.me/results/0eb8b524-b5a0-4e4d-9090-0f1daa68e6a9/
SH256 hash:
3a04294c74c076d017ac8f59b506f735547d31472f7480cb6652dea5e3a2816c
MD5 hash:
fa181a9414347d63137af021b2141cd6
SHA1 hash:
ccf670892b360b42fa7426de02a3e7629f333841
Link:
https://www.unpac.me/results/0eb8b524-b5a0-4e4d-9090-0f1daa68e6a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/3a04294c74c076d017ac8f59b506f735547d31472f7480cb6652dea5e3a2816c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar f8d642c0149c9f660b45974b5dc2e6092a645aa74756c5a6afcb1fa3d8075607

Formbook

Executable exe 3a04294c74c076d017ac8f59b506f735547d31472f7480cb6652dea5e3a2816c

(this sample)

  
Dropped by
MD5 e654ee17f609cf6216a6e945efa67a70
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112788/
  
Dropped by
SHA256 f8d642c0149c9f660b45974b5dc2e6092a645aa74756c5a6afcb1fa3d8075607

Comments