MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc
SHA3-384 hash: a7c9bc5186f230e2337c85cb648962e16805c6e1c7656088f7e2055b11c8714506282753deccec3bfa87fbddc4f87daf
SHA1 hash: e3fc0973898eee9723b7b92828ffbbafaa0b5456
MD5 hash: 3cd76d38ad07c345862b07d90186851e
humanhash: purple-orange-eight-helium
File name:PO5411.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:518'656 bytes
First seen:2021-04-12 06:14:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:9MGTkPvCLhm6nDabAKCcXjcgMuwS2T8Xo2i10Ol/:iGAP+hnDCAKbjxFWgXh
Threatray 64 similar samples on MalwareBazaar
TLSH 2CB4121BF623D8DCEE5331BA6AB69D221F21746B9426594C108DB3257E53323406BEF3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: tenda.cn
Sending IP: 58.250.161.62
From: marketing@tenda.cn <marketing@tenda.cn>
Subject: RFQ 541120421
Attachment: RFQ 541120421.pdf.IMG (contains "PO5411.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO5411.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-12 06:31:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4267f5a3-96a9-49e0-b08b-d96ea3e87b72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133646/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.15820.12083.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/672537
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385218 Sample: PO5411.exe Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 39 www.volmaqhsogroup.com 2->39 41 www.013y.com 2->41 43 2 other IPs or domains 2->43 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 7 other signatures 2->53 11 PO5411.exe 5 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\Temp\PO5411.exe, PE32 11->33 dropped 35 C:\Users\user\...\PO5411.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\...\PO5411.exe.log, ASCII 11->37 dropped 63 Writes to foreign memory regions 11->63 65 Allocates memory in foreign processes 11->65 67 Adds a directory exclusion to Windows Defender 11->67 69 Injects a PE file into a foreign processes 11->69 15 PO5411.exe 11->15         started        18 powershell.exe 26 11->18         started        signatures6 process7 signatures8 71 Multi AV Scanner detection for dropped file 15->71 73 Machine Learning detection for dropped file 15->73 75 Modifies the context of a thread in another process (thread injection) 15->75 77 4 other signatures 15->77 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 45 www.movementinspires.com 104.21.21.198, 49765, 80 CLOUDFLARENETUS United States 20->45 55 System process connects to network (likely due to code injection or exploit) 20->55 26 cmd.exe 20->26         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 26->57 59 Maps a DLL or memory area into another process 26->59 61 Tries to detect virtualization through RDTSC time measurements 26->61 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 06:15:19 UTC
AV detection:
9 of 48 (18.75%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lcdjfem2oupjquwpglqldwscynd7f74zukx5en4mnj2xhv5fgl6a._file
Verdict:
malicious
Similar samples:
0a48c61922cd5b6f13258f87eb9616f9a6b4a69ceb0904bcdd548edb97a81de6
Formbook
0f9626653c8358d4e8315b97feafe2ed604ff67a9a159d47219685b2e15c1665
Formbook
1cef46cbb22cfda50b0e93dadedfb09f511b80e802d239270c96954a38d11f28
Formbook
25c3bafe1a3b624a4ace62710560bcd09df4f39b0e1d5a85aa0a1f715b20d28f
Formbook
25dd98cbd230e272bb55aaf5acd0f6cb0e8ec897ec5c0684b5308a0022af175f
Formbook
4de20c38ffff3f9d75d9a446f152c017d9010477c28c8b97875f95f448ecb761
Formbook
bf5d5c28bec7bdcf41fad771fd465ba6bb9a56e053c9470a6e10293466109d3c
Formbook
f4af46ad96a86cad60d613a3387a0a68c580247ef88943e2ea0e5b9679a38c2e
Formbook
f508afb3a24ea2a3865ef48de1c0f2886ac26641ea6c517c727041e11a15e886
Formbook
fb6927aca249593b3eb31de8d4a2f2c107ea9afd685b025fdd115b1fc1f11ec8
Formbook
+ 54 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210412-n7xmwnlz8n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.013y.com/pnqr/
Unpacked files
SH256 hash:
bbebe4d2fc47d32e1610606325f585bfd06242c9c053f5fbf5e8b010fdb704fc
MD5 hash:
e7381f72af61b921c8263e38103d541f
SHA1 hash:
491ac115099c0708c3736caa9ca3736bd01365df
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/49052003-3805-43dc-8780-505995eafc18/
Parent samples :
588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc
22a55428924660414d27fb24fad8b1ab4319141dee2dad855d03a091f1d7c2ba
SH256 hash:
187dd81d4812a411feb5aea415f6a564e2ad413cebe16ed31111127dcfd58ea3
MD5 hash:
ae8a7a0d4245a926d7e2430fd07e17c0
SHA1 hash:
ec529beba1b18930e8605accf5809a4f5a6b8267
Link:
https://www.unpac.me/results/49052003-3805-43dc-8780-505995eafc18/
SH256 hash:
fa102cb2a62e6b84e69823a17f7220202d5ca78d06f6e84e1cae01a4de43cd58
MD5 hash:
62d6db680ee510f21084f5adfb1963cb
SHA1 hash:
d91bd0caf1e91aef8c23194546b6022edcd9fdfc
Link:
https://www.unpac.me/results/49052003-3805-43dc-8780-505995eafc18/
SH256 hash:
a9683c3db7843d65a50a045ba1ce7375b379521c8e5c9787c27d6505d1385ead
MD5 hash:
5429587fd4cfeb5b3a48201912d8fbfa
SHA1 hash:
9112103527efc80e80d322a6747e1c05bb8631f9
Link:
https://www.unpac.me/results/49052003-3805-43dc-8780-505995eafc18/
SH256 hash:
588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc
MD5 hash:
3cd76d38ad07c345862b07d90186851e
SHA1 hash:
e3fc0973898eee9723b7b92828ffbbafaa0b5456
Link:
https://www.unpac.me/results/49052003-3805-43dc-8780-505995eafc18/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 94428a043bf7444907313b0aaacedd245ca1a753db2fd0c268037f59c6d93002

Formbook

Executable exe 588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc

(this sample)

  
Dropped by
MD5 75d9448f6884550dca51581765dce439
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133646/
  
Dropped by
SHA256 94428a043bf7444907313b0aaacedd245ca1a753db2fd0c268037f59c6d93002

Comments