MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000
SHA3-384 hash: eb4b361190d9ecd4a4700181d045c49362b0ce5ab6d2ea842fde231aaf24f83726c72a1861cb8fa1d93bb8ccf60fd59d
SHA1 hash: c38d153841d5d05a10ff2e55e8de6753caae978f
MD5 hash: 207e1c712597de0900f79e262f59d632
humanhash: glucose-emma-saturn-beryllium
File name:Lista comenzii noastre.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'607'680 bytes
First seen:2020-10-13 12:30:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:vAHnh+eWsN3skA4RV1Hom2KXMmHalWKkowX38bOC+dfJvcyPUlO85E5:Sh+ZkldoPK8YaYSwX2z+dfJvcyTF
Threatray 2'445 similar samples on MalwareBazaar
TLSH A675AF026755E1AFFE9663734E17EA002179A8A444227B2EA3DC1EFCE87C47D713E152
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.linux92.papaki.gr
Sending IP: 195.201.61.173
From: Ioana Tataran <info@bibusmetals.ro>
Subject: Re: Re: Comandă de achiziție
Attachment: Lista comenzii noastre.zip (contains "Lista comenzii noastre.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70446/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.EmbeddedEXE-5.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-3.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Enabling autorun by creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489666
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Creates an undocumented autostart registry key
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 297276 Sample: Lista comenzii noastre.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 50 www.online-marketing-strategie.biz 2->50 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 6 other signatures 2->74 11 Lista comenzii noastre.exe 4 2->11         started        15 wscript.exe 1 2->15         started        signatures3 process4 file5 46 C:\Users\user\avifil32\bdeunlock.exe, PE32 11->46 dropped 48 C:\Users\user\AppData\Roaming\...\SrTasks.url, MS 11->48 dropped 86 Maps a DLL or memory area into another process 11->86 17 Lista comenzii noastre.exe 11->17         started        20 bdeunlock.exe 15->20         started        signatures6 process7 signatures8 54 Modifies the context of a thread in another process (thread injection) 17->54 56 Maps a DLL or memory area into another process 17->56 58 Sample uses process hollowing technique 17->58 60 Queues an APC in another process (thread injection) 17->60 22 explorer.exe 17->22 injected 62 Antivirus detection for dropped file 20->62 64 Multi AV Scanner detection for dropped file 20->64 66 Binary is likely a compiled AutoIt script file 20->66 26 bdeunlock.exe 20->26         started        28 bdeunlock.exe 20->28         started        30 bdeunlock.exe 20->30         started        32 19 other processes 20->32 process9 dnsIp10 52 www.duftkerzen.info 91.195.241.136, 49756, 80 SEDO-ASDE Germany 22->52 84 System process connects to network (likely due to code injection or exploit) 22->84 34 chkdsk.exe 1 18 22->34         started        signatures11 process12 file13 42 C:\Users\user\AppData\...\8LOlogrv.ini, data 34->42 dropped 44 C:\Users\user\AppData\...\8LOlogri.ini, data 34->44 dropped 76 Detected FormBook malware 34->76 78 Creates an undocumented autostart registry key 34->78 80 Tries to steal Mail credentials (via file access) 34->80 82 4 other signatures 34->82 38 cmd.exe 1 34->38         started        signatures14 process15 process16 40 conhost.exe 38->40         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 08:18:18 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdjcsrh567hwn7iueo3kwloqcq6znng3pek6bcairohye3kgwaaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
Formbook
41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab
Formbook
61ce52bb7cf517275e2bea379104a392630ec8dc216790a910f4586efbdca4fb
Formbook
73be7382d0c307a958973954111725315843e7d089c29fe826a5bc892332381d
Formbook
86d0178097eebb5010e24650ce79f80f19567ad2872f0f0b7325761a01cf67f5
Formbook
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
Formbook
a6534d12c87d0d8093cad2787b01a05c6caa0771f1b1cb51b809ee1ae9f48044
Formbook
be29f9be4b998a7893c2c182c972406067eaf913364484a1fa824133d71ef54f
Formbook
e95f01bbde0fbd70670b820b972768e7fc5f23509495c805ddbc3271030f443c
Formbook
f4cbb077c89f62bb6542489c882b324e8e2880dc3970e2540e61d1d25fff157a
Formbook
+ 2'435 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/201013-qm116bpyfa/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Drops startup file
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.info/3nop/
Unpacked files
SH256 hash:
48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000
MD5 hash:
207e1c712597de0900f79e262f59d632
SHA1 hash:
c38d153841d5d05a10ff2e55e8de6753caae978f
Link:
https://www.unpac.me/results/0ccae8c9-f5a1-481f-9683-59f8370863de/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/48d22944fdf7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 41b61b1b6d2e01fe382dc6fae97862e773270c6606912d343b2230647caf07c4

Formbook

Executable exe 48d22944fdf7cf66fd1423b6ab2dd0143d96b4db7915e088088b8f826d46b000

(this sample)

  
Dropped by
MD5 ee85d72d23c5ac0114c161e77133bd07
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70446/
  
Dropped by
SHA256 41b61b1b6d2e01fe382dc6fae97862e773270c6606912d343b2230647caf07c4

Comments