MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61b1619f5d3f4708cb0da8b1fc6b148d7e5352516c3e16fae6faffb503fa413b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61b1619f5d3f4708cb0da8b1fc6b148d7e5352516c3e16fae6faffb503fa413b
SHA3-384 hash: 383c9a28c80aa13c2bf0e8fa0290f978a4fc5c8d08292cb9d2be629e62d0a2f9476efcd4806122d5644ec6fcfd86c082
SHA1 hash: 2465a8f571aa1a3bdd62ad3dfb2bda0965650d9d
MD5 hash: cc467dce812e76164a7e9810ce68d389
humanhash: alaska-speaker-mockingbird-stream
File name:Order PO #5544 TULIP GROUP LLC , PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'178'624 bytes
First seen:2021-04-19 15:39:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:RoJt8Rt0EuNUig9ym+Za0z4TbFKVKiqnbCR4kkqbFxvXdJvNcA1Xq652ptAfDbz+:qJmb9pTb4/nC07XNcKq6wp6Pz+
Threatray 4'702 similar samples on MalwareBazaar
TLSH 8F456CDA66B8AF16F0BD073744AB34C093FEEC43D711C57D6CD124E82E62A91A129F12
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order PO #5544 TULIP GROUP LLC , PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-04-19 16:01:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2ef490f-f6f5-47a8-b7c5-25546101c11e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/138590/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.646-1.UNOFFICIAL
Create hunting rule

Win.Packed.Pwsx-9852718-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/687221
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 392560 Sample: Order PO #5544 TULIP GROUP ... Startdate: 19/04/2021 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 12 other signatures 2->52 10 Order PO #5544 TULIP GROUP LLC , PDF.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\...\HaUyJYhUmv.exe, PE32 10->32 dropped 34 C:\Users\...\HaUyJYhUmv.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp6B5F.tmp, XML 10->36 dropped 38 Order PO #5544 TUL...P LLC , PDF.exe.log, ASCII 10->38 dropped 62 Injects a PE file into a foreign processes 10->62 14 Order PO #5544 TULIP GROUP LLC , PDF.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 gresiaphysiotherapy.com 166.62.10.227, 49737, 80 AS-26496-GO-DADDY-COM-LLCUS United States 19->40 42 www.lfgprima.com 19->42 44 3 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 raserver.exe 19->25         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61b1619f5d3f4708cb0da8b1fc6b148d7e5352516c3e16fae6faffb503fa413b/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgywdh25h5dqrsynvcy7y2yurv7fgusrnq7bn6xg7l73ka72ie5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
36e88428927952dcdf23b14cb7d68f6db403c2135cd1ca4d3a5338f4c6a1822e
Formbook
48e99b563e3e2daea132c5da122ad630f6015456ac58d4fe86f9dc65f6a0c943
Formbook
5c7b804890877a7a9da085d878b0fc1a444aa1b75965e16beab74c978fab6079
Formbook
6c2f5bf673b3bbc31cf425259cd5a0262094e85a8bed03714c7b39712efc4beb
Formbook
709b457160612a42a7714a517690760f05b09fb55f61570632500aa14328deec
Formbook
730b276576659ea2bc17aee5e92f2cc5b9aecf9ade5f03816bde0023a783b545
Formbook
9f1090c3e94e75b134c1aa55b5e8e2b6ac9b706cd27e0bb1cc44ef4b49f27c66
Formbook
a8599ed108a38560de3851540edbbf3b83fc87a0f56fb883a24d6fda82b90c8f
Formbook
acbc661362c5c74ea45dec851dc46faf865715f15df064f722d945af8a293563
Formbook
e56fe870da3015a5537b82acf5b9228953cafa74235b5c9257eaf049a6045cc6
Formbook
+ 4'692 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210419-7f1yamaclx/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.anayonbattery.com/ewws/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61b1619f5d3f4708cb0da8b1fc6b148d7e5352516c3e16fae6faffb503fa413b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 0ba05827c110c019ee17f4b83fe0a5254a73d5cd40cc9ee9ce2778f5a8aa0113

Formbook

Executable exe 61b1619f5d3f4708cb0da8b1fc6b148d7e5352516c3e16fae6faffb503fa413b

(this sample)

  
Dropped by
MD5 5743b8603a54d1a1165f8dbd666dddf6
  
Dropped by
SHA256 0ba05827c110c019ee17f4b83fe0a5254a73d5cd40cc9ee9ce2778f5a8aa0113
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/138590/

Comments