MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5281533c78892f2b571668ef9c770ce9c04ee249397040db9b5975ed47601474. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5281533c78892f2b571668ef9c770ce9c04ee249397040db9b5975ed47601474
SHA3-384 hash: 4bd3f7395221444ec5ead34234fe23e0fcc85f450fa3747eba1cd136435f7317f09915f325fc32f0d6660a98e965816c
SHA1 hash: 3b4da5ba14989a18614a91a844c67a6a8d8b6f84
MD5 hash: fe3d05f5903abce1faaf89b0afd3744e
humanhash: floor-six-winter-butter
File name:novi nalog je u prilogu.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:850'944 bytes
First seen:2021-04-19 15:59:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5460111dfb820e05d52b9be905fc0229 (2 x RemcosRAT, 1 x AveMariaRAT, 1 x NetWire)
ssdeep 12288:bQOsjN7IQRzxKvStQyXgSSxIg1vu/vh3XFFfor5KmNXB9isKRmp:ErjqQRVeSOywSSx91vi5XDf6AkK8
Threatray 4'724 similar samples on MalwareBazaar
TLSH 16056B21B250D4B3C03E19388D0B42F869A9BE30FD385C4676B5BD587EBE6503D6DA93
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Factura proforma, nuevo pedido.exe
Verdict:
Malicious activity
Analysis date:
2021-04-15 17:35:59 UTC
Tags:
installer trojan formbook stealer
Link:
https://app.any.run/tasks/1ecd8541-cc59-447f-9fb6-de88a6695ddc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/138603/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Mal.Generic-S.4110.10342.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/675938
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 386910 Sample: Factura proforma, nuevo ped... Startdate: 14/04/2021 Architecture: WINDOWS Score: 100 49 www.ziruixu.com 2->49 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 5 other signatures 2->63 11 Factura proforma, nuevo pedido.exe 17 2->11         started        signatures3 process4 dnsIp5 55 cdn.discordapp.com 162.159.133.233, 443, 49710, 49712 CLOUDFLARENETUS United States 11->55 77 Writes to foreign memory regions 11->77 79 Allocates memory in foreign processes 11->79 81 Creates a thread in another existing process (thread injection) 11->81 83 Injects a PE file into a foreign processes 11->83 15 secinit.exe 11->15         started        signatures6 process7 signatures8 87 Modifies the context of a thread in another process (thread injection) 15->87 89 Maps a DLL or memory area into another process 15->89 91 Sample uses process hollowing technique 15->91 93 2 other signatures 15->93 18 explorer.exe 6 15->18 injected process9 dnsIp10 51 www.joomlas123.info 199.192.24.139, 49735, 80 NAMECHEAP-NETUS United States 18->51 53 www.wv0uoagz0yr.biz 18->53 39 C:\Users\user\AppData\Local\...\0v1xvuduf.exe, PE32 18->39 dropped 41 C:\Program Files (x86)\Xptbxn\0v1xvuduf.exe, PE32 18->41 dropped 65 System process connects to network (likely due to code injection or exploit) 18->65 67 Benign windows process drops PE files 18->67 23 rundll32.exe 1 18 18->23         started        27 0v1xvuduf.exe 18->27         started        file11 signatures12 process13 file14 43 C:\Users\user\AppData\...\8LOlogrv.ini, data 23->43 dropped 45 C:\Users\user\AppData\...\8LOlogri.ini, data 23->45 dropped 69 Detected FormBook malware 23->69 71 Creates an undocumented autostart registry key 23->71 73 Tries to steal Mail credentials (via file access) 23->73 75 4 other signatures 23->75 29 cmd.exe 2 23->29         started        33 cmd.exe 1 23->33         started        signatures15 process16 file17 47 C:\Users\user\AppData\Local\Temp\DB1, SQLite 29->47 dropped 85 Tries to harvest and steal browser information (history, passwords, etc) 29->85 35 conhost.exe 29->35         started        37 conhost.exe 33->37         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5281533c78892f2b571668ef9c770ce9c04ee249397040db9b5975ed47601474/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkavgpdyrexswvywndxzy5ym5hae5ysjhfyebw43lf262r3acr2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
17dba25e41a7c193a9abafca9194574ff970d56c1defec9a1d4fed04590d9ec4
Formbook
259275b0c056a9fec50378b2d268c48447e8ebe8827e8e55aae4484aba8b1939
Formbook
2603b0dcc1b176f9d981e0c683ab8407fb8040f5674fd21c2fbdfb3bf963982c
Formbook
3e57610037924c21124e91f187f11f45e1d1cc44de45a1d965cd29a92d56f450
Formbook
3fda3b75f031e3800ff8714a936af691dafd64ae8f08a2d5cc8df19363391c09
Formbook
61ae615d6ba5629463cec961aa950f737fea8ccc413a677058eb8dccfcdb2561
Formbook
9381faa9dcbde308f4ce87d5dfc36b6a5e8e2a263057ecb2d8f8840061ac2a58
Formbook
c32dee06d3afee022d74b45536699ed2d6458d39dff35d4830cb9febecdb8143
Formbook
cff20b43e7c12b27611bb33a9b77357af443ede89860134e43d48095949abd15
Formbook
fc1f23fd25b2eeb98a872bd0152b891d505e06e56db8f270b1e2a52462a6ecc8
Formbook
+ 4'714 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210419-vjn8p78y1e/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.info/3nop/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
FakeHadoc
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5281533c78892f2b571668ef9c770ce9c04ee249397040db9b5975ed47601474

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 4dbe0f5d2889bd7b4cc488e10c688480f7e57db544bf779cc6fbdaf0db5536cd

Formbook

Executable exe 5281533c78892f2b571668ef9c770ce9c04ee249397040db9b5975ed47601474

(this sample)

  
Dropped by
MD5 a8b43a9cb30e654685a9fe635d74b80b
  
Dropped by
SHA256 4dbe0f5d2889bd7b4cc488e10c688480f7e57db544bf779cc6fbdaf0db5536cd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/138603/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-19 16:03:30 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [B0012.001] Anti-Static Analysis::Argument Obfuscation
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [E1510] Impact::Clipboard Modification
12) [C0007] Memory Micro-objective::Allocate Memory
13) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
14) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
15) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
16) [C0038] Process Micro-objective::Create Thread
17) [C0041] Process Micro-objective::Set Thread Local Storage Value
18) [C0018] Process Micro-objective::Terminate Process