MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f474b40c8bd056549cbf8b574f80bf8198d53f29bdb3ee5eb21db0700b71f7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f474b40c8bd056549cbf8b574f80bf8198d53f29bdb3ee5eb21db0700b71f7c
SHA3-384 hash: 8a1a82d5a954e7565904556bf244112fff29c2dd830add6ca8261ab2c2d05025541c79303a600d66e3db0b57a9eae520
SHA1 hash: bd9ca55653edda3cd9948b36598271fb89ac5f72
MD5 hash: 353b88ef182a879a18111d827df5f10c
humanhash: apart-pizza-pennsylvania-seven
File name:Order of CB-15GL PO530_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:392'704 bytes
First seen:2021-10-26 12:34:11 UTC
Last seen:2021-10-26 12:34:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:0DjW304b7lKG5GGW3zDUCeJ0h3DBE4AZ/EU9eFyZebHVpF4Dae:0XatAcuh3FbK9eFyZenF4Dae
TLSH T1B184DF8C3A94B2DFC917CD7699981C24F6606477530BD347B15322ADAA0EAABCF051F3
Reporter pr0xylife
Tags:exe FormBook xloader

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200203/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.11886.30957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6177f5f8db358dd15edc7f19/reports/d9a35098-b0ee-41c9-bcf3-2559da5a9f05/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f5cecce-86d4-4828-bd88-49971ad4b5b5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/876999
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 509431 Sample: Order of CB-15GL PO530_pdf.exe Startdate: 26/10/2021 Architecture: WINDOWS Score: 100 33 www.anthologyofenglishpoems.info 2->33 35 anthologyofenglishpoems.info 2->35 37 www.zidami.com 2->37 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 10 other signatures 2->51 11 Order of CB-15GL PO530_pdf.exe 3 2->11         started        signatures3 process4 file5 31 C:\...\Order of CB-15GL PO530_pdf.exe.log, ASCII 11->31 dropped 63 Injects a PE file into a foreign processes 11->63 15 Order of CB-15GL PO530_pdf.exe 11->15         started        18 Order of CB-15GL PO530_pdf.exe 11->18         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 20 explorer.exe 15->20 injected process9 dnsIp10 39 callofdutytool.xyz 162.0.232.63, 49835, 80 NAMECHEAP-NETUS Canada 20->39 41 dosana.online 81.2.194.128, 49832, 80 INTERNET-CZKtis238403KtisCZ Czech Republic 20->41 43 11 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 55 Performs DNS queries to domains with low reputation 20->55 24 msiexec.exe 20->24         started        signatures11 process12 signatures13 57 Self deletion via cmd delete 24->57 59 Modifies the context of a thread in another process (thread injection) 24->59 61 Maps a DLL or memory area into another process 24->61 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5f474b40c8bd056549cbf8b574f80bf8198d53f29bdb3ee5eb21db0700b71f7c/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 12:35:08 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5duwqgixucwksol7c2xj6al7amy2u7stpnt5zplehnqoafxd56a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211026-pse1tahde6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
44dc9d6f823a9255a9c3d06904e060419cf2624421bfd17958d5eb5f7bff8a2b
MD5 hash:
5c602081b03b7914a6661a465077e0ff
SHA1 hash:
0aa0701156dfaf0c86b58a82a657050c7cdf4843
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/10247592-7c30-4714-976c-a6d86b5b10bc/
Parent samples :
4e9cb6e83b7ea6e353bafe82262c6b1c1de8a5fb5517fa8bd8bd80b353ca472d
5f474b40c8bd056549cbf8b574f80bf8198d53f29bdb3ee5eb21db0700b71f7c
SH256 hash:
77ac66b32ab70a514e36d9c093f94a2b7a0ded8e9b049578736df261aec2cab3
MD5 hash:
6e7c9fb3d76b6f5909a2ef4cfd709e5c
SHA1 hash:
d5c07a206c3bcf9b7d5bd3a8a9039e06bbf18fee
Link:
https://www.unpac.me/results/10247592-7c30-4714-976c-a6d86b5b10bc/
SH256 hash:
a5c2baaf64d2f20666f5d02876e9f5b59d8ec5c538ee82f1711d9d0db3f189e0
MD5 hash:
8ecd3b39d0778503439b9e9dd0475b2d
SHA1 hash:
249f0f11920286ba191592bfaf13a2c0d7cc7ca6
Link:
https://www.unpac.me/results/10247592-7c30-4714-976c-a6d86b5b10bc/
SH256 hash:
5f474b40c8bd056549cbf8b574f80bf8198d53f29bdb3ee5eb21db0700b71f7c
MD5 hash:
353b88ef182a879a18111d827df5f10c
SHA1 hash:
bd9ca55653edda3cd9948b36598271fb89ac5f72
Link:
https://www.unpac.me/results/10247592-7c30-4714-976c-a6d86b5b10bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/5f474b40c8bd056549cbf8b574f80bf8198d53f29bdb3ee5eb21db0700b71f7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/200203/

Comments