MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
SHA3-384 hash: f1fb0901a31fcf59b7fe643b22fc97760a32a812ac90fbfcc17c0ced5f8129292e62b74aa17036ebb0aeb9a8bde4ed76
SHA1 hash: 99bdd8760719b02b709a916bc28aef90f1259259
MD5 hash: 752748fc175796cb0c465dfab1462a42
humanhash: mountain-ten-golf-nebraska
File name:SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:868'352 bytes
First seen:2020-10-27 13:06:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cd6c8cceda8b0e47cf64c5128fde3f69 (17 x Loki, 9 x NanoCore, 8 x AsyncRAT)
ssdeep 12288:TIKenPD03PxOFGbj8+jazgSNBfFSl2lnlCmAYcddxkLiyR+oBwnIlXI:TdqOxsk2r38ulhAYcddyDnBwn+Y
Threatray 2'742 similar samples on MalwareBazaar
TLSH C105AF2EB2A14833CD731938DD1B5764A836BE112D29798E2BF71C485F7969D38293C3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: services.mailserver.ae
Sending IP: 74.124.219.187
From: SUNLINE <yousif.alsharif@ysalc.ae>
Subject: RE: Payment Confirmation
Attachment: SOA.gz (contains "SOA.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79935/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513644
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305958 Sample: SOA.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 68 www.excitet.com 2->68 88 Malicious sample detected (through community Yara rule) 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected FormBook 2->92 94 3 other signatures 2->94 15 SOA.exe 2->15         started        signatures3 process4 signatures5 120 Detected unpacking (changes PE section rights) 15->120 122 Maps a DLL or memory area into another process 15->122 124 Tries to detect virtualization through RDTSC time measurements 15->124 126 Contains functionality to detect sleep reduction / modifications 15->126 18 SOA.exe 15->18         started        20 SOA.exe 15->20         started        process6 signatures7 23 SOA.exe 18->23         started        96 Modifies the context of a thread in another process (thread injection) 20->96 98 Maps a DLL or memory area into another process 20->98 100 Sample uses process hollowing technique 20->100 102 Queues an APC in another process (thread injection) 20->102 26 explorer.exe 20->26 injected process8 dnsIp9 106 Maps a DLL or memory area into another process 23->106 29 SOA.exe 23->29         started        31 SOA.exe 23->31         started        70 www.jur03.com 23.107.38.13, 49753, 80 LEASEWEB-USA-LAX-11US United States 26->70 72 www.takatoraq.com 118.27.99.25, 49765, 80 INTERQGMOInternetIncJP Japan 26->72 74 www.tallereshoonigan.com 26->74 108 System process connects to network (likely due to code injection or exploit) 26->108 34 help.exe 26->34         started        36 raserver.exe 26->36         started        38 control.exe 26->38         started        40 3 other processes 26->40 signatures10 process11 signatures12 42 SOA.exe 29->42         started        128 Sample uses process hollowing technique 31->128 130 Modifies the context of a thread in another process (thread injection) 34->130 132 Maps a DLL or memory area into another process 34->132 134 Tries to detect virtualization through RDTSC time measurements 34->134 45 cmd.exe 1 34->45         started        process13 signatures14 110 Maps a DLL or memory area into another process 42->110 47 SOA.exe 42->47         started        49 SOA.exe 42->49         started        52 conhost.exe 45->52         started        process15 signatures16 54 SOA.exe 47->54         started        76 Modifies the context of a thread in another process (thread injection) 49->76 78 Maps a DLL or memory area into another process 49->78 80 Sample uses process hollowing technique 49->80 process17 signatures18 104 Maps a DLL or memory area into another process 54->104 57 SOA.exe 54->57         started        59 SOA.exe 54->59         started        process19 signatures20 62 SOA.exe 57->62         started        112 Modifies the context of a thread in another process (thread injection) 59->112 114 Maps a DLL or memory area into another process 59->114 116 Sample uses process hollowing technique 59->116 process21 signatures22 118 Maps a DLL or memory area into another process 62->118 65 SOA.exe 62->65         started        process23 signatures24 82 Modifies the context of a thread in another process (thread injection) 65->82 84 Maps a DLL or memory area into another process 65->84 86 Sample uses process hollowing technique 65->86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 08:27:54 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lur7vicsldvvdmmw73qaey64lzcvni3tahjrevryiot2zbeu5ymq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
176b6a4f321a046262569c7e6302f9cd734282399645f8b13538489f5183a617
Formbook
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
Formbook
5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a
Formbook
74ee80ac61ce369a23feac3296a825873aa257282d5dd0f9c35c385e3d6766cf
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
911fec402f3bb42d731c4e177c322c0df8d79f680e5a18f538a3ff2e3086c2bf
Formbook
bfae046475f1458c460cf4eed534a48c8e769fbfc622138170c3945a4ad61a90
Formbook
ef4c04da2b5fe6ce33597d1dbe44a8b84b156cb1bd03b3a3f8d8c9dabede075b
Formbook
f071c302252202ae71dd004191dad662307c670d95b53b7c0f5d0c8c039e9e7b
Formbook
+ 2'732 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201027-fl4ey2j79x/
Behaviour
Enumerates system info in registry
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.strongorganiccoffee.com/e9m/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 8f9f7c1b25fdc44fe44cd0ed39b10bfa66bf9ca2019edb64ddefb2a6f2813bfd

Formbook

Executable exe 5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19

(this sample)

  
Dropped by
MD5 79607766d46079cc215f02d99f93b1c1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8f9f7c1b25fdc44fe44cd0ed39b10bfa66bf9ca2019edb64ddefb2a6f2813bfd
Cape
Cape
https://www.capesandbox.com/analysis/79935/

Comments