MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bbde3f5d6db7f3be36f4f0f08c86fd412a1c6085c5be438be7f1e9e181e3683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bbde3f5d6db7f3be36f4f0f08c86fd412a1c6085c5be438be7f1e9e181e3683
SHA3-384 hash: 8473506145a6158ddc18fc26b8fc1589760de494bdf0ae00074c09dffbb488c65a0291ea79b41a4343210e35cff450aa
SHA1 hash: 731654c50c34128c6bb3ba364df8956f0ac2eaad
MD5 hash: 362687a54abd379a65caadfb6d8d079d
humanhash: river-quiet-oranges-west
File name:PO#4018308875.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'386'496 bytes
First seen:2021-02-08 15:53:39 UTC
Last seen:2021-02-08 18:03:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:+7jUCi09b7avBulXFr/p1tTYI10agbIol6k8x:+7wt0d7aUFTdaayxl6k
Threatray 22 similar samples on MalwareBazaar
TLSH E455DF667740DB61C264BB3BCA56911D13F1EDCB8B22F2477F883FEA68321416E2E505
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P.O.#4018-308875.rar
Verdict:
Malicious activity
Analysis date:
2021-02-08 12:41:22 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/e414c436-bb56-43fd-a047-0f8537d0c109

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116076/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.11520.29748.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/602012
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 350023 Sample: PO#4018308875.pdf.exe Startdate: 08/02/2021 Architecture: WINDOWS Score: 100 50 www.dhika.net 2->50 52 pltraffic7.com 2->52 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 6 other signatures 2->76 12 PO#4018308875.pdf.exe 15 7 2->12         started        signatures3 process4 file5 40 C:\Users\user\AppData\...\ghhbhugjhg.exe, PE32 12->40 dropped 42 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 12->42 dropped 44 C:\Users\...\ghhbhugjhg.exe:Zone.Identifier, ASCII 12->44 dropped 46 C:\Users\user\...\PO#4018308875.pdf.exe.log, ASCII 12->46 dropped 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->86 16 ghhbhugjhg.exe 14 3 12->16         started        20 cmd.exe 1 12->20         started        signatures6 process7 dnsIp8 48 192.168.2.1 unknown unknown 16->48 56 Multi AV Scanner detection for dropped file 16->56 58 Writes to foreign memory regions 16->58 60 Allocates memory in foreign processes 16->60 62 2 other signatures 16->62 22 AddInProcess32.exe 16->22         started        25 conhost.exe 20->25         started        27 reg.exe 1 1 20->27         started        signatures9 process10 signatures11 78 Modifies the context of a thread in another process (thread injection) 22->78 80 Maps a DLL or memory area into another process 22->80 82 Sample uses process hollowing technique 22->82 84 2 other signatures 22->84 29 explorer.exe 22->29 injected process12 dnsIp13 54 www.theloveandsexnews.com 74.208.236.233, 49753, 80 ONEANDONE-ASBrauerstrasse48DE United States 29->54 88 System process connects to network (likely due to code injection or exploit) 29->88 33 wlanext.exe 29->33         started        signatures14 process15 signatures16 64 Modifies the context of a thread in another process (thread injection) 33->64 66 Maps a DLL or memory area into another process 33->66 68 Tries to detect virtualization through RDTSC time measurements 33->68 36 cmd.exe 1 33->36         started        process17 process18 38 conhost.exe 36->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bbde3f5d6db7f3be36f4f0f08c86fd412a1c6085c5be438be7f1e9e181e3683/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 00:36:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lo66h5ow3n7txy3pj4hqrsdp2qjkdrqilrn6iof6p4pj4ga6g2bq._file
Verdict:
unknown
Similar samples:
1fc0f9704d3d6d03c8df4559dc784ebd7c1e2a38db56daf79297a3ab48e840b2
Formbook
581d4ba63e52707e1839c7d2c026c847d788b8b3025046bdb491f95a431ca1f7
Formbook
5da82dd52f913ff5d416ec5479133a0f89cd5d835d2fbd964f32191f642ca9fa
Formbook
72bff15d43e54772c639f876fbd6b132310081c87a9d997c4b0b3c08d09caf9f
Formbook
bbd91445baa27c316821c545a5aef3079d7bed7beac77de667f88d1617439215
Formbook
c7df51c40f5e04eeb7dac698fdf23964ad7bc16a7dd93fb47ea8dc6f8ea6cfd4
Formbook
d09722da6fd4b8eb8ba3ee4d8e8a7ffe2cd396c410fa074bcb9fd0b44e399cb9
Formbook
d7b0f275997cb07e5a97600fb21eb19d14096352af7990797f863b74941a1603
Formbook
f2a9b8210e9545bf90468330a3afe70cbe26148b94658c49ff77cd59c733117b
Formbook
f5aa4fe1049ed94dbf22ad1427013a30762ebd9ac2a89726f9f313b087e2a4a0
Formbook
+ 12 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence ransomware rat spyware stealer trojan
Link:
https://tria.ge/reports/210208-4mwnf6pkgn/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fjkdjkjkejkfer.com/pcn/
Unpacked files
SH256 hash:
5bbde3f5d6db7f3be36f4f0f08c86fd412a1c6085c5be438be7f1e9e181e3683
MD5 hash:
362687a54abd379a65caadfb6d8d079d
SHA1 hash:
731654c50c34128c6bb3ba364df8956f0ac2eaad
Link:
https://www.unpac.me/results/243494e8-60ab-46eb-9e39-b4f2e3563942/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/5bbde3f5d6db7f3be36f4f0f08c86fd412a1c6085c5be438be7f1e9e181e3683

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/116076/

Comments