MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ae079397458f932dc10cf8b9e9aef020131172e2a0d7dfb43050ff12eb89865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ae079397458f932dc10cf8b9e9aef020131172e2a0d7dfb43050ff12eb89865
SHA3-384 hash: 6e8b79b95ec7900f1d390f608603512323b1e079b8d37dd46fafd6e4fb3aa4bd221f75fa37695c9c45d0ed5e7a6c57fa
SHA1 hash: 659e95486b2bb37aa51fc95df59eaaf78770db21
MD5 hash: fd4bce1f42bfa9845aabc5d0256bef3f
humanhash: butter-idaho-oscar-stairway
File name:Shipment Document-REF-INV_Pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:736'256 bytes
First seen:2021-02-02 14:52:26 UTC
Last seen:2021-02-02 16:57:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:2hBpCHaZi970BOauHW2sChhltlxf456Er9jjItw0LrJUKKdG0y8lWXK3kuPTrIFW:4pCHaZ/X2hhbi5HoTLr2o0HlW
Threatray 5'545 similar samples on MalwareBazaar
TLSH 4DF48CAC7660B5DFC857C8728EA46C64EA64B47B570FC203902316EDAE0D99BDF140F2
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment Document-REF-INV_Pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-02 14:57:35 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/f520a6d6-2360-464f-a95e-6d20862744ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115166/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6924.26041.23786.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/596774
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 347422 Sample: Shipment Document-REF-INV_Pdf.exe Startdate: 02/02/2021 Architecture: WINDOWS Score: 100 37 www.sundialandpanel.com 2->37 39 www.laytikes.com 2->39 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 12 other signatures 2->53 11 Shipment Document-REF-INV_Pdf.exe 3 2->11         started        signatures3 process4 file5 35 C:\...\Shipment Document-REF-INV_Pdf.exe.log, ASCII 11->35 dropped 57 Injects a PE file into a foreign processes 11->57 15 Shipment Document-REF-INV_Pdf.exe 11->15         started        18 Shipment Document-REF-INV_Pdf.exe 11->18         started        20 Shipment Document-REF-INV_Pdf.exe 11->20         started        22 2 other processes 11->22 signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 24 explorer.exe 15->24 injected process9 dnsIp10 41 www.lojachicco.com 154.216.246.235, 49734, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 24->41 43 komgo.net 34.102.136.180, 49736, 80 GOOGLEUS United States 24->43 45 4 other IPs or domains 24->45 55 System process connects to network (likely due to code injection or exploit) 24->55 28 explorer.exe 24->28         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 28->59 61 Maps a DLL or memory area into another process 28->61 63 Tries to detect virtualization through RDTSC time measurements 28->63 31 cmd.exe 1 28->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5ae079397458f932dc10cf8b9e9aef020131172e2a0d7dfb43050ff12eb89865/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-02-02 10:16:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 29 (62.07%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=llqhsoluld4tfxaqz6fz5gxpaiatcfzofigx362dauh7clvytbsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25cd952df9c74033229ec91a5da330e392390ca6120db46d9ab21d3120c9011c
Formbook
5844c46897bed7fe14055a67a96610d8f81d68af270d698a600bb234bf813653
Formbook
628367b1e0868b53f1b97ce577a9eeeb1da2ec1e13b60cd9a4a01fad15d5fcef
Formbook
7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5
Formbook
82bce2eb0b0f2675b0ac41f33e8018bad765caeb084cfe7a6035fc4d9ea8f7ec
Formbook
c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
Formbook
c6032b688e56699830e9adc1007f9bc01760e67b1e6a6ae16dd1045fae0ca598
Formbook
cf5a2454c16d739c04939e84f71d62772620f7d0f90df49266e8493393da7167
Formbook
cf63918e0cb789a778c7eac7c1b5d896db35caa3fa9fd179b95a4101f5856af7
Formbook
fc4a97c809b221101e5bd66497e1c058c8b33913c336a74183c7d7f7caedc803
Formbook
+ 5'535 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210202-b6q67aeh46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.workonlinetimallen.com/dll/
Unpacked files
SH256 hash:
27169ffd7443797c58d4fa71f1d3fcf6ef963752c9f086ae33f1061a2a9ef09f
MD5 hash:
ac2e021db43af46a6f45f6f844e5171e
SHA1 hash:
82b1053795d5eda0e48e7a0555f1c89f86fe2ba1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3b4f55f1-508f-4b45-a0e5-09356c17e9b3/
Parent samples :
7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5
82bce2eb0b0f2675b0ac41f33e8018bad765caeb084cfe7a6035fc4d9ea8f7ec
628367b1e0868b53f1b97ce577a9eeeb1da2ec1e13b60cd9a4a01fad15d5fcef
cf63918e0cb789a778c7eac7c1b5d896db35caa3fa9fd179b95a4101f5856af7
5ae079397458f932dc10cf8b9e9aef020131172e2a0d7dfb43050ff12eb89865
23b82d55e4e538292a0f0b0b3e05fb2dd6405b9f001110cb212f20f838f191ff
SH256 hash:
fec081ce4c7e335a4958bc768e6365fa29d8205ead247269220b8c0c6a73981f
MD5 hash:
f46a8cad49debe3102558c84deed3456
SHA1 hash:
d93074b012d55aabb54c132808e6e97be9562cfd
Link:
https://www.unpac.me/results/3b4f55f1-508f-4b45-a0e5-09356c17e9b3/
SH256 hash:
615d7d1d685b93fed132a0c85e53a16bf773bd65bf7ad0f73f9e499fce00113b
MD5 hash:
a0633848a2a3398a4ab498af250df5b9
SHA1 hash:
0942a431e75f973725fdb1bb37eb0b99743c1240
Link:
https://www.unpac.me/results/3b4f55f1-508f-4b45-a0e5-09356c17e9b3/
SH256 hash:
5ae079397458f932dc10cf8b9e9aef020131172e2a0d7dfb43050ff12eb89865
MD5 hash:
fd4bce1f42bfa9845aabc5d0256bef3f
SHA1 hash:
659e95486b2bb37aa51fc95df59eaaf78770db21
Link:
https://www.unpac.me/results/3b4f55f1-508f-4b45-a0e5-09356c17e9b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/5ae079397458f932dc10cf8b9e9aef020131172e2a0d7dfb43050ff12eb89865

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/115166/

Comments