MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f4ef06d276fe789cb466752da51d3c1a29ce62aa090a0b96da012f16bb8f29f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f4ef06d276fe789cb466752da51d3c1a29ce62aa090a0b96da012f16bb8f29f
SHA3-384 hash: 89c7ba861004023921b18507432ebdb52fe69899436a7f8eaa0386e344f2d296cdaf7a36df3c16b08e9f9738827d2ffa
SHA1 hash: 9409afebc145ccad689e5e990f4190f88662a240
MD5 hash: d8ce3bb5f304df90bd16cd99f6cfb3a2
humanhash: oxygen-carolina-tennessee-mockingbird
File name:order pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'417'216 bytes
First seen:2020-10-12 06:13:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:YAHnh+eWsN3skA4RV1Hom2KXMmHaNWKnbUDfdqLCg49LRH4Q5mI5:fh+ZkldoPK8YaQFdqZKLRH4Qj
Threatray 787 similar samples on MalwareBazaar
TLSH 8F659E026755E1AFFE9663734E17EA006279A9A04023762EA3DC1EFCE87C47D713E152
Reporter abuse_ch
Tags:exe FormBook geo GRC


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: pl1.azuni.net
Sending IP: 37.26.26.70
From: Spacesonic <info@spacesonic.gr>
Subject: Re: Re: Προτιμολόγιο
Attachment: file.zip (contains "order pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69946/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/488010
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296454 Sample: order pdf.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 92 30 Antivirus / Scanner detection for submitted sample 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Sigma detected: Drops script at startup location 2->34 36 3 other signatures 2->36 6 order pdf.exe 4 2->6         started        9 wscript.exe 1 2->9         started        process3 file4 22 C:\Users\...\PerceptionSimulationInput.exe, PE32 6->22 dropped 24 C:\Users\user\AppData\...\WmiPrvSE.url, MS 6->24 dropped 11 order pdf.exe 6->11         started        13 order pdf.exe 6->13         started        15 order pdf.exe 6->15         started        20 31 other processes 6->20 17 PerceptionSimulationInput.exe 9->17         started        process5 signatures6 26 Antivirus detection for dropped file 17->26 28 Multi AV Scanner detection for dropped file 17->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f4ef06d276fe789cb466752da51d3c1a29ce62aa090a0b96da012f16bb8f29f/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 04:08:47 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5hpa3jhn7tyts2gm5jnuuotygrjzzrkucikbolnuajpc25y6kpq._file
Verdict:
unknown
Similar samples:
0fe59fe4af5d613351337ccb76d881f1f25ddb1f2b804693182bcf15512c2ff9
Formbook
1fbae4f859c40f9446d06e76a4acf496fe0a43fb93b87f87d1077ab8a4490480
Formbook
342c79ff62a16ad618c837f19efa7362a7f06403b5eb405ca667048d90344945
Formbook
6d58c8e531d65f5713f19a8caf7b6ac0f4ce25adf29a3b96aeee7de4045f409a
Formbook
89665680c7172d5514bfc76b77691e5b313f7ff8808bd20d0619937882aaa394
Formbook
8a4e005808be8cb30ec3e12b0e4ccc62cc579a2860268c40ec1f28fb3b278da0
Formbook
b4b073df62d2616baff7c0c48cc6a85e5f5211aa6979fb65ac6e9b328687cec1
Formbook
c23b098a627d1c8449fad6756007c3b2a7ae20c3e70c74bbe4154c8b1651c84e
Formbook
d3dc4b2cf4dcc0e0ba520ab033e94a7725aa8f86c2b05d49fef5e5e1f60b7844
Formbook
e812d2f7858c5971f4f6f56e7449eeaf682863dde440dd903ae93ddaaafa2002
Formbook
+ 777 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201012-nle6stpybx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Drops startup file
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.militaryhomedecisions.com/m3px/
Unpacked files
SH256 hash:
5f4ef06d276fe789cb466752da51d3c1a29ce62aa090a0b96da012f16bb8f29f
MD5 hash:
d8ce3bb5f304df90bd16cd99f6cfb3a2
SHA1 hash:
9409afebc145ccad689e5e990f4190f88662a240
Link:
https://www.unpac.me/results/73a3021e-708c-4576-b47c-8e1467fdc807/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f4ef06d276fe789cb466752da51d3c1a29ce62aa090a0b96da012f16bb8f29f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 9d8b0decca53e916541a799a5354b7d04247f5bb920ec8ea0adf3935adf8071f

Formbook

Executable exe 5f4ef06d276fe789cb466752da51d3c1a29ce62aa090a0b96da012f16bb8f29f

(this sample)

  
Dropped by
MD5 644ca59265316226892d5b06c81d1608
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69946/
  
Dropped by
SHA256 9d8b0decca53e916541a799a5354b7d04247f5bb920ec8ea0adf3935adf8071f

Comments