MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb
SHA3-384 hash: 3f9937d98735d670b86fc04ecae37cf1b182075d999a0c9d0150b2d559f02d6fa12771dcef44ecf89acb8ae559cd9e83
SHA1 hash: dad33bf780689066ae031d197752351a4f6f010c
MD5 hash: 8ca361d3527acb6764936e91d93813d3
humanhash: lamp-ack-mountain-nuts
File name:Purchase Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:746'496 bytes
First seen:2020-10-22 06:44:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:4t3DTLCzpKP7+2ZgFxV8WxPuazgKd5dtfa88K2uBu8AvSQZROZ/P3536QttmtQP5:4RTLwpWZ8tbPO8
Threatray 2'607 similar samples on MalwareBazaar
TLSH 11F48DAD726072EFC85BD4729EA81D74FB6064BB831B4203A42715ADDE4D897CF244F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: vps.fore-mbaume.com
Sending IP: 45.95.169.145
From: Mashalla.Gogadi <info@fore-mbaume.com>
Subject: Purchase Order
Attachment: Purchase Order.r11 (contains "Purchase Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74480/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506635
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 302491 Sample: Purchase Order.exe Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 13 other signatures 2->52 10 Purchase Order.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\Roaming\PRKsGFQx.exe, PE32 10->32 dropped 34 C:\Users\...\PRKsGFQx.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp5491.tmp, XML 10->36 dropped 38 C:\Users\user\...\Purchase Order.exe.log, ASCII 10->38 dropped 62 Writes to foreign memory regions 10->62 64 Injects a PE file into a foreign processes 10->64 14 MSBuild.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 2 other signatures 14->72 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 arg-gccgroup.com 104.156.51.230, 49734, 80 HVC-ASUS United States 19->40 42 www.notaryplusmorellc.com 216.239.38.21, 49733, 80 GOOGLEUS United States 19->42 44 3 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 systray.exe 19->25         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 02:31:09 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kl27nhhks5ey6y3thy7kio3h5babo7di2q3qkmnabddop5h4tk5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
049a7c8bf4126088f12bcdbe2e1d5bbe5e341cfddda7959379c93a4036546200
Formbook
6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645
Formbook
7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a
Formbook
887de911a26e0008429adcba8abc212d36423fae62d40aa1df57e2883db77d45
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2
Formbook
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
Formbook
d30e5bd3a0ec9e64eea4363751655f0267d7ffb00a9552862179cd8cf6caa6c0
Formbook
e1e0a4fba3b1dc2e64ac088f5839fe75832cd9a824fd9f0f5e043821d9d18b0c
Formbook
ffe7e9077f89d196d10951c789e7c466ae0949c2bdb14c0b0d0e3755aee7029d
Formbook
+ 2'597 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201022-3n1yk4ztc6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.kiddikutter.site/ry0g/
Unpacked files
SH256 hash:
52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb
MD5 hash:
8ca361d3527acb6764936e91d93813d3
SHA1 hash:
dad33bf780689066ae031d197752351a4f6f010c
Link:
https://www.unpac.me/results/6b33c1be-7736-454f-811b-0879ef9e212d/
SH256 hash:
dee6a9039e4915fefc503883595fb24dad12270acf010de030dd08ce89be1636
MD5 hash:
25842276b6609b2ed072a57f349a973b
SHA1 hash:
701a9fc355f2ce87b802550be129e726feb2020c
Link:
https://www.unpac.me/results/6b33c1be-7736-454f-811b-0879ef9e212d/
SH256 hash:
a14b60cb0b5e824d0d5f15b403f39b96abf58cc7de3b8c8f2b34a6df1bc35cbd
MD5 hash:
9606e6d0044d5ad00a71a95a61ca9ffc
SHA1 hash:
d3c83d485ed235d9be4ecaecc23577478d1f7b28
Link:
https://www.unpac.me/results/6b33c1be-7736-454f-811b-0879ef9e212d/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/6b33c1be-7736-454f-811b-0879ef9e212d/
SH256 hash:
045a97c9e8e414d4cbefdc6b0c418475acd6e7704251a3e7dc309ddade84633d
MD5 hash:
146253e8d0f5e14ba40d8eaa920c87ca
SHA1 hash:
f1c9e84195ffece79656a9ceb49bd80809651828
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6b33c1be-7736-454f-811b-0879ef9e212d/
Parent samples :
bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2
52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 94437e2ce2954ffebd092a0688234de000e19a8d04631ba2a3675f2362e4bbc7

Formbook

Executable exe 52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb

(this sample)

  
Dropped by
MD5 dd383d983dd0c2f07cc8c9b3aa16db16
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74480/
  
Dropped by
SHA256 94437e2ce2954ffebd092a0688234de000e19a8d04631ba2a3675f2362e4bbc7

Comments