MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358
SHA3-384 hash: ef9cc56c02d5628e96b757467b92000102fa5eb59bb254bcb23199df3fc2e962fbc4bb829c305a65092a3f3b06e333d7
SHA1 hash: 64a659096deda60c37861ddc0d26d3bfb11cc0c7
MD5 hash: 4bb710142c4fa183e24dbd3ce3c7b51d
humanhash: white-california-aspen-spring
File name:PO.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:542'208 bytes
First seen:2021-04-12 12:23:15 UTC
Last seen:2021-04-12 13:09:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:laRZszqqB3PQhPp5owXoJSq5Qbxn09z2Oe:tzqIgfobC909S
Threatray 4'703 similar samples on MalwareBazaar
TLSH 77B4DF2A77812962C60D0E37496B28DC02F1C2277671F32F7CC625D89E27B5E563F626
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm51.hanmail.net
Sending IP: 203.133.180.239
From: Jaeho Lee <bjk8116@daum.net>
Subject: KHE RFQ No. PG6432 PROJECT Reactor/ Heat exchangers/ Materials/Equipment _KOC JURASSIC PRF Canada
Attachment: SHELL-RFQ-Project.cab (contains "PO.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
Malicious activity
Analysis date:
2021-04-12 12:31:52 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/3707a61e-96c5-4ac3-a336-cb0f542e849b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133750/
Detection(s):
SecuriteInfo.com.Artemis4BB710142C4F.16969.23932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
DNS request
Sending a custom TCP request
Creating a window
Creating a process from a recently created file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673019
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385455 Sample: PO.exe Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 33 www.oaisdjoqwekxc.info 2->33 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 4 other signatures 2->47 11 PO.exe 15 4 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 11->29 dropped 31 C:\Users\user\AppData\Local\...\PO.exe.log, ASCII 11->31 dropped 57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->61 63 Injects a PE file into a foreign processes 11->63 15 AddInProcess32.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 2 other signatures 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.wwwflixxy.com 81.17.18.197, 49759, 80 PLI-ASCH Switzerland 18->35 37 www.marienish.com 88.198.220.232, 49757, 80 HETZNER-ASDE Germany 18->37 39 9 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 wlanext.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 01:32:00 UTC
AV detection:
23 of 48 (47.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jeb5excjbynwzcm4j645hu7lc3lzzabcixkmfnth74dpijze4nma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1190cb66d731098dffb19ac78c746e5d71e25783921c3bb6f60ab5133233b3ce
Formbook
1b1837b1504714c306a023b8488d15e81b939b6394ff511fb619fa38f264622a
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
55331826334c40684761a600afab45a3d05b2582a89a59fb703085db81dfe794
Formbook
59a6f0a402a4172f893c1747b51c7e1a7d6092fe091e1a9497067849efb5eec2
Formbook
8160be86cfef6146d2b7aad72e89cfe0a7cb7e11514107782d8cf7a372ea6c48
Formbook
94235ec4fec92239bf53cbe18e6b698f30ca30d07602cc123dcf76d728bff41e
Formbook
a86f792a5a3d424b756508cb462d3ca9b454f2513a5471df5d41da33649748e9
Formbook
be21a04e569e33cd679253ccd203ce99370d66a800f911c7b5c8e45b6faae66b
Formbook
c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23
Formbook
+ 4'693 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader agilenet loader rat
Link:
https://tria.ge/reports/210412-3sq74yg2dx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.retro-e-scooter.com/sawc/
Unpacked files
SH256 hash:
4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358
MD5 hash:
4bb710142c4fa183e24dbd3ce3c7b51d
SHA1 hash:
64a659096deda60c37861ddc0d26d3bfb11cc0c7
Link:
https://www.unpac.me/results/a8006510-ff68-47e3-b2da-7cf13658dff6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

cab 3361c124c5310bd0ec210907338a93a7f6cdb1313c78c8af72e385813913728a

Formbook

Executable exe 4903d25c490e1b6c899c4fb9d3d3eb16d79c802245d4c2b667ff06f42724e358

(this sample)

  
Dropped by
MD5 111325614561306dcfbbb69f1c83a613
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133750/
  
Dropped by
SHA256 3361c124c5310bd0ec210907338a93a7f6cdb1313c78c8af72e385813913728a

Comments