MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679
SHA3-384 hash: aa02280c3ff0577535689040a991264604a206b723608696d20fd57da5d2cd610017bf31ef567d54de1a5922c2f51c04
SHA1 hash: b41298071b50de358c8bcc94f62142f8595c0d55
MD5 hash: b60584d1e39e2d6b29c7e2b76f5c3b6d
humanhash: angel-enemy-one-south
File name:REQ670091261.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:238'080 bytes
First seen:2021-01-04 13:20:54 UTC
Last seen:2021-01-09 09:03:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9b1b3ba3991adae5132cca39d7f92e40 (2 x FormBook)
ssdeep 3072:hvXzn1A70z++8QnJxUR9mtKjMhy7C2rC00w7sLYe2ZG7BTXlvoqC6Uk1Mj7p9jL1:hvzPz++R/UTjMUCyB0ishZC6U77pB2hO
Threatray 3'291 similar samples on MalwareBazaar
TLSH 2634E12B9371FA3FE8542179660F5372A0921635361024EBE7844FAE332B2CD55B771B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: server.allaboutoffice.gr
Sending IP: 94.130.138.183
From: Catia Mancini <c.mancini@crikcrok.it>
Reply-To: Catia Mancini <c.mancini_crik@toke.com>
Subject: ORDINE 04/01
Attachment: ORDINI.zip (contains "REQ670091261.exe")

Intelligence

File Origin
# of uploads :
16
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQ670091261.exe
Verdict:
Malicious activity
Analysis date:
2021-01-04 13:32:26 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/15efbd2c-6093-45dd-a1ea-b982fd7be6d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110401/
Detection(s):
SecuriteInfo.com.Generic.mg.b60584d1e39e2d6b.30069.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/573371
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335751 Sample: REQ670091261.exe Startdate: 04/01/2021 Architecture: WINDOWS Score: 100 36 www.euroticie.info 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 4 other signatures 2->46 11 REQ670091261.exe 2->11         started        signatures3 process4 signatures5 54 Maps a DLL or memory area into another process 11->54 56 Tries to detect virtualization through RDTSC time measurements 11->56 14 REQ670091261.exe 11->14         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.broderies-admc.com 156.253.112.249, 49752, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 17->30 32 www.sgtradingusa.com 108.60.15.219, 49749, 80 IN2NET-NETWORKCA Canada 17->32 34 4 other IPs or domains 17->34 38 System process connects to network (likely due to code injection or exploit) 17->38 21 msiexec.exe 17->21         started        24 autochk.exe 17->24         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 26 cmd.exe 1 21->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-01-04 13:21:08 UTC
AV detection:
18 of 47 (38.30%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhhihjxvalhi4tlrpi4hx27uevbeuvtovkpiylcket7imsx4cz4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04274b027d3bd09ec0d7b58ff5af64aa06e626668995cb5ef6d7fad939bc6c33
Formbook
073c6184b73bb8ae675774bd64e81e1023f6df992fb763358f9653d980e4b55e
Formbook
091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
Formbook
410b12d131a36c0b5be88c52e6ad02a1e50b20c4d80f30de42ea5a260fc92624
Formbook
4701e1d0065893d2d05cc0450f8f435e2644299b1beae3d4dd1a9758514d1d6f
Formbook
5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4
Formbook
80d6f86936cc5e0190138c00ef2a03b2ec8abc19a1b2a7a0b3683e864f4fa982
Formbook
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
Formbook
e4974ddc809773cd725cfc7070ad545ddf4aa1fc211eb77a1eaae7b7fc1a019c
Formbook
eacd132f69b64ef7a47c959fd92f50343be23e5768f0476c665870f5de4f89ee
Formbook
+ 3'281 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210104-w6x8e48jts/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.unitvn.com/krc/
Unpacked files
SH256 hash:
59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679
MD5 hash:
b60584d1e39e2d6b29c7e2b76f5c3b6d
SHA1 hash:
b41298071b50de358c8bcc94f62142f8595c0d55
Link:
https://www.unpac.me/results/2c9a6da1-3e54-4313-884a-8c147b77d6e4/
SH256 hash:
df1a174033123b25388d9e18ffaaee450a1b1823fa0e7b8eb5c7fa72f69edc1f
MD5 hash:
5c748f5122ee2a296257804d58900801
SHA1 hash:
9ef3d9c557b23beceaab5eabcd7e28c4eb7bd9e5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2c9a6da1-3e54-4313-884a-8c147b77d6e4/
Parent samples :
5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4
59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679
4f16f7da4670e165f0f978457775531b15cd2fb4c9e21b0a511eaf2e6771988e
38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 9a7e54deb003abf05b923c36f287085bc34f1c462a762714e86fcb0506b1a44c

Formbook

Executable exe 59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679

(this sample)

  
Dropped by
MD5 bc74b596e886ac952e1d1b80584432c8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110401/
  
Dropped by
SHA256 9a7e54deb003abf05b923c36f287085bc34f1c462a762714e86fcb0506b1a44c

Comments