MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe
SHA3-384 hash: ce013ac82eeabcd28e6a2095b77feb6406b5571fc8ed430a0c2fa13f10b02e242d00dc4d912835dd5859606544a7514f
SHA1 hash: 222717dfcb2422e16fb621287ddbbe09d2a5e70e
MD5 hash: 582092a9a8e594881d809a7d544be349
humanhash: ten-grey-king-failed
File name:QUOTATION REQUEST TW200292 PO#06112020IMP.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:670'208 bytes
First seen:2020-11-07 10:11:02 UTC
Last seen:2020-11-13 16:09:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ipzYUl6El6YyLGgYjuyuEwteuCZUvfc7cbC4iXOm4S2S:kzYUNIYyCuy03cIb/iXOmI
Threatray 2'882 similar samples on MalwareBazaar
TLSH 21E4AEA1E7684A65E43A633C6033581027F3F866EB61D90E3EDDF19D5E72B4149F2A03
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: slot0.85xainji.com
Sending IP: 45.145.185.142
From: Abdelrahman FAYAD <export02@manuelsupermarket.com>
Subject: RFQ YXA0382
Attachment: PO06112020IMP.lzh (contains "QUOTATION REQUEST TW200292 PO#06112020IMP.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.4755.9507.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523745
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310967 Sample: QUOTATION REQUEST TW200292 ... Startdate: 07/11/2020 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected AntiVM_3 2->44 46 7 other signatures 2->46 10 QUOTATION REQUEST TW200292 PO#06112020IMP.exe 3 2->10         started        process3 file4 32 QUOTATION REQUEST ...06112020IMP.exe.log, ASCII 10->32 dropped 56 Injects a PE file into a foreign processes 10->56 14 QUOTATION REQUEST TW200292 PO#06112020IMP.exe 10->14         started        17 QUOTATION REQUEST TW200292 PO#06112020IMP.exe 10->17         started        19 QUOTATION REQUEST TW200292 PO#06112020IMP.exe 10->19         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Queues an APC in another process (thread injection) 14->62 21 explorer.exe 14->21 injected process8 dnsIp9 34 www.oyama-kenkou.com 163.44.185.216, 49733, 80 INTERQGMOInternetIncJP Japan 21->34 36 www.grovergutters.com 156.224.237.165, 49730, 80 COMING-ASABCDEGROUPCOMPANYLIMITEDHK Seychelles 21->36 38 www.wwwsouthernsavers.com 199.59.242.153, 49732, 80 BODIS-NJUS United States 21->38 48 System process connects to network (likely due to code injection or exploit) 21->48 25 NETSTAT.EXE 21->25         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 25->50 52 Maps a DLL or memory area into another process 25->52 54 Tries to detect virtualization through RDTSC time measurements 25->54 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 19:31:58 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqosfco6lmzymif3ipw6rhlnpl6pq3ge2kza3m5d6ihfk6pjex7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
288e38a633a49c3a30c842250ef331f22201b2acee124e9b108d498b28cb2ba3
Formbook
29562212d731f51f5773e7996530971ccecfe84d6116bcbdbb3e41e6a2054b9a
Formbook
46c3ab59682596a8e030fb0bad3d31c59e502f68b9f3c112309edd82d27513c3
Formbook
5038f7f49d3052a244db8019146b11b139d09d867205416ee70df3d97f065a28
Formbook
718d659864d771ebadf82d8b5461d39c2bd6bd514ea2d2273d2821a23ab28ed0
Formbook
77707d4b60a7193c8c7e93d9c97dcd89513ef4ce1c8e19aa6780920c09e03c27
Formbook
d4014ac2689b47f11708425cad3d8aa02dd05ee6d6745006156dffbe0a27b4be
Formbook
db53a27c43dddb419e9d058e6288f3c1e7fc7e4bd62e3bb048e7103dcf79d682
Formbook
ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224
Formbook
fa1c05c7ea1e94e08982755ca1d13051a6cd334fa3e93aa98b5bcc2ebb910f59
Formbook
+ 2'872 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201107-7sfra14x72/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.oyama-kenkou.com/slk/
Unpacked files
SH256 hash:
5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe
MD5 hash:
582092a9a8e594881d809a7d544be349
SHA1 hash:
222717dfcb2422e16fb621287ddbbe09d2a5e70e
Link:
https://www.unpac.me/results/1972bbbd-7ab1-4d21-ab2b-c29da9b534dc/
SH256 hash:
d820a74e5c6f12d59b5f0f166c7ef7efb226272dfce17b617fd9b5e74f8199cb
MD5 hash:
3cb00b36456a3025af41d014d574ac84
SHA1 hash:
530cfeef47ce2ba4155e9517bc92f21cfccb6ff7
Link:
https://www.unpac.me/results/1972bbbd-7ab1-4d21-ab2b-c29da9b534dc/
SH256 hash:
037fa2923372b5b45db54fd2db5a9da61be7d96e9d507067bba3875e53717110
MD5 hash:
e79ff4a83bddb703ac8a67d3701d2d6f
SHA1 hash:
cfc4e8137035132742c7486771eb454d7964ea59
Link:
https://www.unpac.me/results/1972bbbd-7ab1-4d21-ab2b-c29da9b534dc/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/1972bbbd-7ab1-4d21-ab2b-c29da9b534dc/
SH256 hash:
3823ca0abd8ec63439f4b634afbedcf5cedc27e5841df5c782058d1ca6705541
MD5 hash:
cf30264b2cbf3ff81dc38a49d3af4ec2
SHA1 hash:
3b27e0fcfe070135001486b62091c5450853a9d5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1972bbbd-7ab1-4d21-ab2b-c29da9b534dc/
Parent samples :
5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe
106bdb692ef4339fa57776464369fd2cfcce28c4bb894ec4c46b895225be8846
82c53ee74253581efe369c99373d6c978b3b9b799eb04de6c4eb59d2825e8ee2
147e9dd9e7041f06f197d3a50fee8a9e029f545f3a4c443cbdb54c176f2d4bd5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT32_KerrDown
Create hunting rule
Rule name:Embedded_PE
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar ac300f254e53873d1ea8734a2279d724451e429c07e54b8702e7a7b85d5b1f1c

Formbook

Executable exe 5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe

(this sample)

  
Dropped by
MD5 900c11078272353dab81b45c9b13caaa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ac300f254e53873d1ea8734a2279d724451e429c07e54b8702e7a7b85d5b1f1c

Comments