MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085
SHA3-384 hash: c4baae7eb696bbfa812b185eb69ae8de8713d941cab5647c03d5b76f2ae2c9b0e3b64c27bbd4b3cce36860e69d73db8c
SHA1 hash: 5169ecdef6266083ac96ff782cb347de5033f549
MD5 hash: e9025b6192ef63a0f4e860cd5c1c84bb
humanhash: alpha-eighteen-burger-table
File name:PO_210301.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'062'400 bytes
First seen:2021-03-01 07:26:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:LWtXU/aQh3qh1Q0/QT3GurPdc1DeDBwQYxxCTo4O8RhZOZi970ewFSBBfyTSpm5C:K23qhRQT3NoDyYa88RhZOZIw
Threatray 3'970 similar samples on MalwareBazaar
TLSH E0356BAE3650B6DFC497CE3689641C24EBA0B4B7831BD203A45316EDDA4D99BCF141F2
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm86.hanmail.net
Sending IP: 211.231.106.161
From: 백가람 <cgn65@hanmail.net>
Subject: 발주서 - (IL/남도_PO_210301)
Attachment: PO_210301.cab (contains "PO_210301.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_210301.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 07:37:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/10107da0-455e-4503-81db-35bc0a87d996

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120128/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621743
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359859 Sample: PO_210301.exe Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 41 www.jameshamiltonphoto.com 2->41 43 www.avonvalleycollege.com 2->43 45 3 other IPs or domains 2->45 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 11 other signatures 2->59 11 PO_210301.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\qQILrqWo.exe, PE32 11->33 dropped 35 C:\Users\...\qQILrqWo.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\Local\...\tmp2AEA.tmp, XML 11->37 dropped 39 C:\Users\user\AppData\...\PO_210301.exe.log, ASCII 11->39 dropped 69 Detected unpacking (changes PE section rights) 11->69 71 Detected unpacking (overwrites its own PE header) 11->71 73 Tries to detect virtualization through RDTSC time measurements 11->73 75 Injects a PE file into a foreign processes 11->75 15 PO_210301.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 77 Modifies the context of a thread in another process (thread injection) 15->77 79 Maps a DLL or memory area into another process 15->79 81 Sample uses process hollowing technique 15->81 83 Queues an APC in another process (thread injection) 15->83 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 47 creativecardsnappanee.com 208.93.159.61, 80 TECHPRO-01US United States 20->47 49 peakorgmush.net 34.102.136.180, 49756, 80 GOOGLEUS United States 20->49 51 3 other IPs or domains 20->51 61 System process connects to network (likely due to code injection or exploit) 20->61 26 msdt.exe 20->26         started        signatures11 process12 signatures13 63 Modifies the context of a thread in another process (thread injection) 26->63 65 Maps a DLL or memory area into another process 26->65 67 Tries to detect virtualization through RDTSC time measurements 26->67 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 07:27:15 UTC
AV detection:
16 of 48 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kclbourapzbzvp2az4k5chja6xb5tnuam7sxdqyctr5442p74ccq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
Formbook
201af2ab950f9aefa7da227b0efdfe0bc005ca77c9ab0284549b081cced51e52
Formbook
219e1bcb43db44538c443e303f0f8849bc44382e3ab6575f4419df311e55dbc7
Formbook
393b127088802012cba2a9b9065c17069669c919e6513b34f57d30d12f631d76
Formbook
5180e6ef19db039d8365f3cb9690424e61504a80ab94a12738a633b6cdc5fccb
Formbook
56368dfb68347ec22ba4d8d1d16e1acc9dbf37acf30803ef92f75f27f0a6a6a5
Formbook
5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Formbook
5d617282230f991221360f213e15b0e62d0c462afc3d32299c9b410658fbb106
Formbook
8cbda95915fcb9696e4e221cdb72f9dc9175af27e348f05bede3f988aee9070c
Formbook
b69927fbfd7eb038b59aa9b7e9f49cb02d127d48fcf6517e65a379e982e806bc
Formbook
+ 3'960 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210301-8x6ca27mee/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.avonvalleycollege.com/kbc/
Unpacked files
SH256 hash:
68b716109ff4e18e21bd0acacb3796f7930771d19f6a766d7d3aa0bbde4ce7e0
MD5 hash:
a3d1d373062f59282307d4b9966d702b
SHA1 hash:
60c9c330e6ff63d3e0b3b0b700ac37bde5997ced
Link:
https://www.unpac.me/results/90538abe-1187-451f-948c-ee4884b38531/
SH256 hash:
50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085
MD5 hash:
e9025b6192ef63a0f4e860cd5c1c84bb
SHA1 hash:
5169ecdef6266083ac96ff782cb347de5033f549
Link:
https://www.unpac.me/results/90538abe-1187-451f-948c-ee4884b38531/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

cab 28add1849af4092c14f4fa91c13463756ae9968e1072b08fa4ff963b7aaa107e

Formbook

Executable exe 50961752207e439abf40cf15d11d20f5c3d9b68067e571c3029c7bce69ffe085

(this sample)

  
Dropped by
MD5 1d4fefd79e90a16b35d968857e3f26fe
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120128/
  
Dropped by
SHA256 28add1849af4092c14f4fa91c13463756ae9968e1072b08fa4ff963b7aaa107e

Comments