MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5
SHA3-384 hash: 36e7a80a6a394cfd3f0ff0e626876b4a1fc1a9e1f28e213cd139ba603946fedab94e70d53b9145c9a2e358912004ec08
SHA1 hash: 5b4be665cc0266681360de1902fb7b2a39d21ebc
MD5 hash: 7000bdc34c98a8e3e378d1ebb752c848
humanhash: spring-oxygen-fourteen-hydrogen
File name:RevisedPO.24488_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:404'992 bytes
First seen:2021-01-25 13:27:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:WoIHTM8hkaqTUv/4TMV+J0F8+g/qA+E0h/KnirdfnAu71NV6G1IrVaZ3aOi7KfTQ:WoVXnQfJJHLei4eI5/DM5Jjs
Threatray 3'627 similar samples on MalwareBazaar
TLSH BB84D0305E7F4A1FD83D17B26122E9714BE63560E55B8A5AB1FF62CE017B7124802F8E
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RevisedPO.24488_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-25 13:31:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ad37036e-2cd7-4177-86c2-f2f9a2163f92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113707/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/589414
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343722 Sample: RevisedPO.24488_pdf.exe Startdate: 25/01/2021 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 5 other signatures 2->47 10 RevisedPO.24488_pdf.exe 2 2->10         started        process3 dnsIp4 39 192.168.2.4, 443, 49228, 49285 unknown unknown 10->39 57 Tries to detect virtualization through RDTSC time measurements 10->57 14 RevisedPO.24488_pdf.exe 10->14         started        17 WerFault.exe 23 9 10->17         started        signatures5 process6 dnsIp7 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 20 explorer.exe 14->20 injected 31 192.168.2.1 unknown unknown 17->31 signatures8 process9 dnsIp10 33 radioroutiers.com 91.234.195.123, 49776, 80 RMI-FITECHFR France 20->33 35 luxpropertyandassociates.com 34.102.136.180, 49771, 80 GOOGLEUS United States 20->35 37 6 other IPs or domains 20->37 49 System process connects to network (likely due to code injection or exploit) 20->49 24 cmstp.exe 20->24         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 24->51 53 Maps a DLL or memory area into another process 24->53 55 Tries to detect virtualization through RDTSC time measurements 24->55 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-01-25 04:52:06 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iihqmeb7vrqhucf4p72voia77rp4j5utvjjn7fdwc4pnkomnrp2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ae22d4877231b64b2e9e1252bbe8636ea43fe5692ca899733e715ccfc82e224
Formbook
5b59e08e82994cd78df8856c5d7cfd4b30be947a9f7329af1a13d47652b189fc
Formbook
7b2dc8bed33f845ef9929cdcfa5e896312443bb7c9fc7c79e586018653de6791
Formbook
7ea2c8d69111747b33a25c445e7f3fabd30f9b1d74d45383f87e6d6451248a53
Formbook
8cc59465e09b47aa8c0fa9f06198c9a2e8a94eec0b7bf7c7e63cf1f972f6e88a
Formbook
a026f6e6988f126a35bb044b7215fa5fb20a41a3b3bac722bfb7f53e670cc0f4
Formbook
a8f4da2076bc00264891bc7872e70f245f47807c268fb921fc135b711c817b34
Formbook
db22f0cb9581f21a73f9221cb57c49b5e4f698021754eaa30fdbde8db72ad333
Formbook
f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443
Formbook
fe0ebbec69296e6fa9073104bb2f1448bdeeeb040511af7b3bad04fa529da38c
Formbook
+ 3'617 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210125-8nezz79mzj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.zglvyouzaixian.com/nki/
Unpacked files
SH256 hash:
baec4fb81ec94319605f9dbc999dcb8899bae7e732ac0525b623936e58fbc349
MD5 hash:
fcc35f06dd386060e8d471f80d1a6173
SHA1 hash:
7413eb0d0fccdd15feb5ffe33ca4d8398fe6b33f
Link:
https://www.unpac.me/results/a34068d9-eb54-49ec-b979-f122cea7bfbe/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/a34068d9-eb54-49ec-b979-f122cea7bfbe/
SH256 hash:
292a5bc45419b570fb32d43a8652e79cee353599da4588afae44400e6f3bf82e
MD5 hash:
8bfeecf2c89b495113aa0db7e507bb0d
SHA1 hash:
d0269be2fc9ee7dd8f4cac812d37b7905e7d8dd7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a34068d9-eb54-49ec-b979-f122cea7bfbe/
Parent samples :
f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443
0ae22d4877231b64b2e9e1252bbe8636ea43fe5692ca899733e715ccfc82e224
db22f0cb9581f21a73f9221cb57c49b5e4f698021754eaa30fdbde8db72ad333
420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5
SH256 hash:
420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5
MD5 hash:
7000bdc34c98a8e3e378d1ebb752c848
SHA1 hash:
5b4be665cc0266681360de1902fb7b2a39d21ebc
Link:
https://www.unpac.me/results/a34068d9-eb54-49ec-b979-f122cea7bfbe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/420f06103fac607a08bc7ff557201ffc5fc4f693aa52df9476171ed5398d8bf5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113707/

Comments