MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47b3c7d88103ff95fa9a87b1b71e9ce815a745cc895394680b777590b98aac60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47b3c7d88103ff95fa9a87b1b71e9ce815a745cc895394680b777590b98aac60
SHA3-384 hash: 3ecf3ea9368afa7c1c3b8818a6f9b1d97d51c2eb83bf20ce50ce3451af70493129cca2029e38b351855d44f9fee6094e
SHA1 hash: ddecbae0dfebb435ac23e85827cf3742b444d97e
MD5 hash: 7a59945b44081137d7c0fc468435c8a4
humanhash: alaska-minnesota-butter-iowa
File name:Shipment Document BL,INV and packing list.jpg.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:91'648 bytes
First seen:2021-11-19 15:29:49 UTC
Last seen:2021-11-19 18:05:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 1536:i/wqnpLm5cVmsy+BRqm1J3oXoeKcxwY0fHqsOwC+MFIxwWevKQbFtDdD0ip:ioqpLmSVmsykF1dKoeKcSFOWMFQZVgvr
Threatray 9'849 similar samples on MalwareBazaar
TLSH T1EC93D0247B805772CB50093285DB49B00BFD3A51EA42267BD6B0A93F7DF03766B69734
File icon (PE):PE icon
dhash icon de7464e4d4f2f264 (1 x Formbook, 1 x SnakeKeylogger)
Reporter Anonymous
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment Document BL,INV and packing list.jpg.exe
Verdict:
Malicious activity
Analysis date:
2021-11-19 15:43:30 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/0a4811ed-fa7f-4c18-ad4c-6798e93237f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.1577.13216.27030.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6197c2ff2695a62af9f3e902/reports/4076f3e3-aef5-4ed8-a636-10a562b4b560/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6dff011-805f-4c54-ad54-17b81ca6c267
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892754
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525228 Sample: Shipment Document BL,INV an... Startdate: 19/11/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 9 other signatures 2->49 10 Shipment Document BL,INV and packing list.jpg.exe 15 6 2->10         started        process3 dnsIp4 41 milax.cf 37.0.11.230, 49753, 80 WKD-ASIE Netherlands 10->41 35 Shipment Document ...acking list.jpg.exe, PE32 10->35 dropped 37 Shipment Document ...exe:Zone.Identifier, ASCII 10->37 dropped 39 Shipment Document ...ng list.jpg.exe.log, ASCII 10->39 dropped 14 Shipment Document BL,INV and packing list.jpg.exe 10->14         started        17 conhost.exe 10->17         started        19 Shipment Document BL,INV and packing list.jpg.exe 10->19         started        file5 process6 signatures7 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 21 explorer.exe 14->21 injected process8 process9 23 help.exe 16 21->23         started        file10 31 C:\Users\user\AppData\...\27Alogrv.ini, data 23->31 dropped 33 C:\Users\user\AppData\...\27Alogri.ini, data 23->33 dropped 51 Detected FormBook malware 23->51 53 Tries to steal Mail credentials (via file / registry access) 23->53 55 Tries to harvest and steal browser information (history, passwords, etc) 23->55 57 Tries to detect virtualization through RDTSC time measurements 23->57 27 cmd.exe 1 23->27         started        signatures11 process12 process13 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47b3c7d88103ff95fa9a87b1b71e9ce815a745cc895394680b777590b98aac60/
Threat name:
ByteCode-MSIL.Backdoor.Blakken
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 06:25:24 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i6z4pwebap7zl6u2q6y3ohu45ak2oromrfjzi2alo52zbomkvrqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
074135bb9026efbce79d86f3cf9f6eeb7304905cad07d594e3453eeed6f187de
Formbook
0789b4aec138cf9c5bc3b01774fc8ed075dadf40c8ecf97058c201c9de22160e
Formbook
10cb1836c9ad0c738ca0c95b748075b4c035f6edd8c07f41735a1ebc9c352eff
Formbook
4d88b7c45db03545e9efd2f6e07d838849a43594f6a425c05189ca93317a667b
Formbook
67cb5ce28fc7e9a5dae6c7be6da453844762fdea43d985cfc761c1ded66487f0
Formbook
afb0dcb294330abe26a2e2611f36441607a878844a251bea8be3e9407e238ad8
Formbook
b66060a214c372ff66b8917fee39b5cb6c82972cf7cdfcd64b9ae4b7b7e01bf7
Formbook
c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
Formbook
daac858e9ca5b0c8044385c2d94cbef17c41b0bd5c569ad7e03f0a51b4caab7a
Formbook
db4d5bd36f923fdd47daf48ace971f47e9764d27a2f88241f09c754c042efc28
Formbook
+ 9'839 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e6b3 rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/211119-sxg8hsagcm/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Malware Config
C2 Extraction:
http://www.xn--7tq168cfwa.xn--6qq986b3xl/e6b3/
Unpacked files
SH256 hash:
47b3c7d88103ff95fa9a87b1b71e9ce815a745cc895394680b777590b98aac60
MD5 hash:
7a59945b44081137d7c0fc468435c8a4
SHA1 hash:
ddecbae0dfebb435ac23e85827cf3742b444d97e
Link:
https://www.unpac.me/results/c448074c-219f-40aa-b3a7-0ec041d54846/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/47b3c7d88103/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/47b3c7d88103ff95fa9a87b1b71e9ce815a745cc895394680b777590b98aac60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207640/

Comments