MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
SHA3-384 hash: 0ad188b3474c29554e34a621e3a13acba2b62771372c6fceb6d420ed54785a6e3eb61b6d7f0d6c5caf7efd09c4524637
SHA1 hash: dc12198582e5f3ade52a23298720726ff09567d1
MD5 hash: 499829de5ca971cd127b29b207761b4c
humanhash: chicken-jig-bulldog-item
File name:order no. 3643.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:706'048 bytes
First seen:2021-01-07 14:01:23 UTC
Last seen:2021-01-07 15:31:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:BISzMKVCgLtJ79MESPWGndaGfBwyyYlb1zx03x4zYRVuUU:5zMyp8rJpwyNllu3EYRVuU
Threatray 3'339 similar samples on MalwareBazaar
TLSH FDE4BE37A3177B95E03D63B894250041A3F1EC8ED366D67F3EDA70D900BAB5006BA936
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: coimtra.cam
Sending IP: 111.90.159.197
From: Valentina Barbin <Barbin@coimtra.cam>
Subject: Re: R: R: new order no. 3643
Attachment: order no. 3643.rar (contains "order no. 3643.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order no. 3643.exe
Verdict:
Malicious activity
Analysis date:
2021-01-07 14:09:54 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/aeffc1e5-ab32-4b1b-bc11-06934ac62366

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110831/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36029288.24887.29415.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/575916
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337015 Sample: order no. 3643.exe Startdate: 07/01/2021 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 9 other signatures 2->51 10 order no. 3643.exe 7 2->10         started        process3 file4 31 C:\Users\user\AppData\...\hrlnwqNYATwZO.exe, PE32 10->31 dropped 33 C:\...\hrlnwqNYATwZO.exe:Zone.Identifier, ASCII 10->33 dropped 35 C:\Users\user\AppData\Local\Temp\tmpECD.tmp, XML 10->35 dropped 37 C:\Users\user\...\order no. 3643.exe.log, ASCII 10->37 dropped 13 order no. 3643.exe 10->13         started        16 schtasks.exe 1 10->16         started        process5 signatures6 61 Modifies the context of a thread in another process (thread injection) 13->61 63 Maps a DLL or memory area into another process 13->63 65 Sample uses process hollowing technique 13->65 67 Queues an APC in another process (thread injection) 13->67 18 explorer.exe 13->18 injected 22 conhost.exe 16->22         started        process7 dnsIp8 39 www.promotionalplacements.com 91.195.240.94, 49736, 49761, 80 SEDO-ASDE Germany 18->39 41 www.photomaker.pro 185.107.56.197, 49743, 80 NFORCENL Netherlands 18->41 43 19 other IPs or domains 18->43 53 System process connects to network (likely due to code injection or exploit) 18->53 24 systray.exe 18->24         started        signatures9 process10 signatures11 55 Modifies the context of a thread in another process (thread injection) 24->55 57 Maps a DLL or memory area into another process 24->57 59 Tries to detect virtualization through RDTSC time measurements 24->59 27 cmd.exe 1 24->27         started        process12 process13 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-07 09:26:36 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kznd7qt57nlaogwp2humjexlhpwlwwd7afttkobu5f6dqgomcm3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19c9fa542614e9ef3326b05f129328c3e306245cdebe51e233c5e20837321321
Formbook
2aa665f0e5882a0e39144ac01582c1983334cae0d53a96d5a9184ff2e3baff20
Formbook
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264
Formbook
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
Formbook
bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833
Formbook
c640be1855da7860bc3959d7d012b2d400af5c38e79d05a27639a867a37ac1f0
Formbook
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
+ 3'329 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210107-4hm19klfse/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.valiantbranch.com/0wdn/
Unpacked files
SH256 hash:
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
MD5 hash:
499829de5ca971cd127b29b207761b4c
SHA1 hash:
dc12198582e5f3ade52a23298720726ff09567d1
Link:
https://www.unpac.me/results/392d9e3a-ed44-45b4-a63c-8206e081f311/
SH256 hash:
78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df
MD5 hash:
0d89407b450dd157f3eac8a3a3850a07
SHA1 hash:
ae3cd291f2a022360896d4fae4f005f2b50a8364
Link:
https://www.unpac.me/results/392d9e3a-ed44-45b4-a63c-8206e081f311/
SH256 hash:
b7498fe951ea64e95810f56f5c28bebc6a1a86b0b07c42a7367e8367d20b33dc
MD5 hash:
9ef385702fd82721072176636c0c555d
SHA1 hash:
d63afd88b37bff8474d675dea81caa9a1ea520f5
Link:
https://www.unpac.me/results/392d9e3a-ed44-45b4-a63c-8206e081f311/
SH256 hash:
890e5e72222461be09c0c885e7b1f70c63d1cfec5ac245de637af3929b7e7834
MD5 hash:
7a6958c8cec4aec91bbafe23f99276e0
SHA1 hash:
b046b046022e42a868634a6675330933734575f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/392d9e3a-ed44-45b4-a63c-8206e081f311/
Parent samples :
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 29b20ca0034a568f908c15ae5fcf4accfa855c71f424e472f0075c5953903594

Formbook

Executable exe 565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337

(this sample)

  
Dropped by
MD5 293d349edcdfbbbf85201cba3a55ca1b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 29b20ca0034a568f908c15ae5fcf4accfa855c71f424e472f0075c5953903594
Cape
Cape
https://www.capesandbox.com/analysis/110831/

Comments