MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
SHA3-384 hash: 9554f78ee5df8465913ae883da238b29f734dae808bcbd88cb8e658fb353b4d90f2c4d2351ccf39f4fd913b7325354ce
SHA1 hash: ca666ffa499ec1980e355bb6416da58300bb9148
MD5 hash: 1cc80b3efd15b9464056ad7b1a29a0d3
humanhash: finch-pizza-spaghetti-freddie
File name:W08347.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:889'856 bytes
First seen:2021-01-06 07:55:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:mLwQv3KRP4r5AeE72rQW7ajnekBaUdlmwrfK7yllUb6Cml5im5cYCgLtJ79ME:M8le22Mtdlmwrmy7UmCk5im5dp
Threatray 3'301 similar samples on MalwareBazaar
TLSH 3B15AE11B2453B99EC3C87B66078050193E2FD1ACB76E6BF7C9970DA05BBB4186F1932
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: coimtra.cam
Sending IP: 111.90.159.197
From: Nguyen Anh <Nguyen@coimtra.cam>
Subject: R: I: R: R: R: R: R: ORDER W08347
Attachment: W08347.rar (contains "W08347.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
W08347.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 07:57:19 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/603aa012-8609-4625-8430-969924ae311d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110705/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574903
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 336511 Sample: W08347.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 41 www.videorv.com 2->41 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 6 other signatures 2->55 11 W08347.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\dYXGVJp.exe, PE32 11->33 dropped 35 C:\Users\user\...\dYXGVJp.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\Local\...\tmp96C1.tmp, XML 11->37 dropped 39 C:\Users\user\AppData\...\W08347.exe.log, ASCII 11->39 dropped 65 Tries to detect virtualization through RDTSC time measurements 11->65 67 Injects a PE file into a foreign processes 11->67 15 W08347.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 15->69 71 Maps a DLL or memory area into another process 15->71 73 Sample uses process hollowing technique 15->73 75 Queues an APC in another process (thread injection) 15->75 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 43 ketonesconnect.com 192.185.117.218, 49757, 80 UNIFIEDLAYER-AS-1US United States 20->43 45 www.photomaker.pro 185.107.56.197, 49756, 80 NFORCENL Netherlands 20->45 47 20 other IPs or domains 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 26 control.exe 20->26         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 07:56:06 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdurvksls35hhw6dxw4yzj4eamn3npwvvj4qvt5ylusy45zyarfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a2c749fb299acc704d2744fa47b02d2ccc4f9a461be0d5ebaa829824e5fb329
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
6a552b03353efc74c7871b59d8844ee8990a224de336ca893e1b74d10cd4b16b
Formbook
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
Formbook
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
Formbook
f38659e0b47cf0d1c0a61aa87256fdf60d04b2f41a935995b2346849f2f6b246
Formbook
fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
fddfec9969308b3c56c582a490eae81ff859a962f055bbef69447e8e50ba317c
Formbook
fec73f9e948fb30fe01a715018c44268d64baead13d519e8e0065a844584f920
Formbook
+ 3'291 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210106-1374psvlds/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.valiantbranch.com/0wdn/
Unpacked files
SH256 hash:
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
MD5 hash:
1cc80b3efd15b9464056ad7b1a29a0d3
SHA1 hash:
ca666ffa499ec1980e355bb6416da58300bb9148
Link:
https://www.unpac.me/results/01906c06-6923-48dc-9417-d9fcdad50c38/
SH256 hash:
78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df
MD5 hash:
0d89407b450dd157f3eac8a3a3850a07
SHA1 hash:
ae3cd291f2a022360896d4fae4f005f2b50a8364
Link:
https://www.unpac.me/results/01906c06-6923-48dc-9417-d9fcdad50c38/
SH256 hash:
8c9f675653916e5122f05969ccb11bf7e77d2a0ceab0fc9227a0c374b6fac4b1
MD5 hash:
9de4d6519158a9b91c031aa184d360c7
SHA1 hash:
7c2cd4023a6ae5c7b335be5fab36d471734fef52
Link:
https://www.unpac.me/results/01906c06-6923-48dc-9417-d9fcdad50c38/
SH256 hash:
890e5e72222461be09c0c885e7b1f70c63d1cfec5ac245de637af3929b7e7834
MD5 hash:
7a6958c8cec4aec91bbafe23f99276e0
SHA1 hash:
b046b046022e42a868634a6675330933734575f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/01906c06-6923-48dc-9417-d9fcdad50c38/
Parent samples :
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar d32664aac63daed7ac81d5d763a8389ed04726f7d9781b1f112056a20d2e7942

Formbook

Executable exe 48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a

(this sample)

  
Dropped by
MD5 9f34b804128d4ac03bbb6abab79f5ed6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d32664aac63daed7ac81d5d763a8389ed04726f7d9781b1f112056a20d2e7942
Cape
Cape
https://www.capesandbox.com/analysis/110705/

Comments