MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 537a68d984e9b974cd9dc6977e0fab23ddc151bcd1010427b274d0895499ac2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 537a68d984e9b974cd9dc6977e0fab23ddc151bcd1010427b274d0895499ac2e
SHA3-384 hash: 8678f8c61c7f06405148ad0798b1da99fba2ce64ea2e5414fce8f531e15f7686c2a5818f41141c954b9c9d8acb08d833
SHA1 hash: 84536032b875b73fba422aa519645dfe5f0366fb
MD5 hash: 5fbecfdf60693b2f3e620d85155c0979
humanhash: east-wisconsin-alanine-spaghetti
File name:RFQ-415532-Refractory Materials for KNPC PROJECT_Tender in Kuwait...xlsx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'016'832 bytes
First seen:2021-04-05 06:35:39 UTC
Last seen:2021-04-05 08:24:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:HfRVxFDVp0PRkqDVl6+3NRPOUI3a3bi1Zh+I9tvAlTnvuRftPzG22AczjJCp+5bb:pvF+RkqWyPQqLibh+I9tolTnMlqmYrV
Threatray 4'503 similar samples on MalwareBazaar
TLSH 8D25E01139A54224FDAA1F740863907103B7BE417D2CE98EADDD3E0D7F33AC6D6126A6
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ-415532-Refractory Materials for KNPC PROJECT_Tender in Kuwait...xlsx.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-05 06:52:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/862662ee-cfd3-49af-9943-cac53080ed4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132169/
Detection(s):
SecuriteInfo.com.Artemis5FBECFDF6069.26629.24993.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/154193c1-7a39-40ad-9d0c-376001c0a3cf
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665829
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381840 Sample: RFQ-415532-Refractory Mater... Startdate: 05/04/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 8 other signatures 2->42 10 RFQ-415532-Refractory Materials for KNPC PROJECT_Tender in Kuwait...xlsx.exe 3 2->10         started        process3 file4 28 RFQ-415532-Refract...wait...xlsx.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 RFQ-415532-Refractory Materials for KNPC PROJECT_Tender in Kuwait...xlsx.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.detanglerinfo.com 107.165.116.66, 49738, 80 EGIHOSTINGUS United States 17->30 32 www.gjlnkfdx.com 132.232.94.63, 49729, 80 CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa China 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 mstsc.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/537a68d984e9b974cd9dc6977e0fab23ddc151bcd1010427b274d0895499ac2e/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-04-05 06:36:12 UTC
AV detection:
3 of 48 (6.25%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kn5grwme5g4xjtm5y2lx4d5lepo4cun42eaqij5sotiisvezvqxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
11f06223417d6045acaa15cf7f5515d9afdfc23590c9cd021c2ae90a736bb6cd
Formbook
53de22812c250114c4a25de969ccebefc8a9ca7044974db873ee29c78209cf84
Formbook
66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a
Formbook
97d4de7a9478320c718f18c0f57349cfc611f5dee0aab5271304e4670e63d2a8
Formbook
9f38ade8e53d28eef33a81e0559b92b44fa878ae9b61fadd3bb245d33486e2c0
Formbook
a3e88ba1ba4bf1a30735faff236af3186b1f3bec9bac6095c0cc579ba3781c76
Formbook
b5ac8902c4d239f5f72366876e99a586d3aaafe45c9a9e098c8ded9a2db7615c
Formbook
bb21e5cc104a482d8d806a79b75f20781bde73dfb3ac59d6cd58fed12e9757e5
Formbook
bde11e5f0bd0e97d5fec3572de59518b300d0a27602c25d9699d8fc030022cb1
Formbook
cc0c4f8f34907be8839ae185fa40e5d7ad5279b70067a3279501d18483b590a7
Formbook
+ 4'493 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210405-8q9919dkea/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.detanglerinfo.com/tboh/
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/4fcce6ad-4b50-4c47-b7bd-f721a2138942/
SH256 hash:
537a68d984e9b974cd9dc6977e0fab23ddc151bcd1010427b274d0895499ac2e
MD5 hash:
5fbecfdf60693b2f3e620d85155c0979
SHA1 hash:
84536032b875b73fba422aa519645dfe5f0366fb
Link:
https://www.unpac.me/results/4fcce6ad-4b50-4c47-b7bd-f721a2138942/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/537a68d984e9b974cd9dc6977e0fab23ddc151bcd1010427b274d0895499ac2e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 537a68d984e9b974cd9dc6977e0fab23ddc151bcd1010427b274d0895499ac2e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132169/

Comments