MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6301f339599408263704cb0ff4402bd9109b40871e19440f97332b5c41cfd1fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6301f339599408263704cb0ff4402bd9109b40871e19440f97332b5c41cfd1fd
SHA3-384 hash: 5de8893d68477b2dbab771a2bfd19392eff052cee419d1f3e9d8d31e1d4e1ca0db67842dc8af854c1f64a29e3beab3b0
SHA1 hash: 3d317ed4a19ce57aa633d0d73a236d0cb919ee16
MD5 hash: cae21380d144dce339ef0589c2b93b17
humanhash: football-pluto-ack-kilo
File name:ACEPAC INTERNATIONAL - PRODUCTS LIST.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:882'688 bytes
First seen:2021-04-01 07:25:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4Eg8vsSj/Lyx1frqrP2KSZAmPfRKV43liNMGeXT:4K/LgxrqqKPmPcVmlt
Threatray 4'471 similar samples on MalwareBazaar
TLSH D815AE273E45BE79D7B8577F0850610417F4AC1AE3E5E20A3C2DF29C9D79EC28662782
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: srv.turkishacoustic.com.tr
Sending IP: 109.232.221.141
From: "Andy Tan" <andy.tan@acepac.com.sg>
Subject: ACEPAC INTERNATIONAL - REQUEST FOR QUOTATIONS
Attachment: ACEPAC INTERNATIONAL - PRODUCTS LIST.rar (contains "ACEPAC INTERNATIONAL - PRODUCTS LIST.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ACEPAC INTERNATIONAL - PRODUCTS LIST.exe
Verdict:
Malicious activity
Analysis date:
2021-04-01 07:45:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ae66a25-cd27-4a0e-8736-80a31a9816f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/130516/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.576-3.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661863
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 379866 Sample: ACEPAC INTERNATIONAL - PROD... Startdate: 01/04/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 9 other signatures 2->43 10 ACEPAC INTERNATIONAL - PRODUCTS LIST.exe 3 2->10         started        process3 file4 27 ACEPAC INTERNATION...ODUCTS LIST.exe.log, ASCII 10->27 dropped 13 ACEPAC INTERNATIONAL - PRODUCTS LIST.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.awdsoftware.com 154.210.19.54, 49735, 80 VPSQUANUS Seychelles 16->29 31 insuranceforgrass.com 184.168.131.241, 49734, 80 AS-26496-GO-DADDY-COM-LLCUS United States 16->31 33 3 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 cmd.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6301f339599408263704cb0ff4402bd9109b40871e19440f97332b5c41cfd1fd/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2021-04-01 00:07:56 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mma7gokzsqecmnyezmh7iqbl3eijwqehdymuid4xgmvvyqop2h6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10d80e3275154e9e39e98d3622a7af4f98a5fd1f0a073839d9e8d670cbd5d3e6
Formbook
17bb7657e5e89ebadc0d65b4dbb539c2ce5a9b3ea834db2da17ce427d5ef0670
Formbook
7e0c1f10cfd225b16e83ecf7bc37a782441b8a96225fff827572bc3a81421bb9
Formbook
85e3d87034ef45bfd5cb1234cde6b6c66543e1a77426dadd6a75b01f2c5ab502
Formbook
97d4de7a9478320c718f18c0f57349cfc611f5dee0aab5271304e4670e63d2a8
Formbook
9c544787dc8afb7c1984cefedcdaa5bc28b7cdb2b57bf3c4fb5b158c02e3444d
Formbook
a3e88ba1ba4bf1a30735faff236af3186b1f3bec9bac6095c0cc579ba3781c76
Formbook
b5ac8902c4d239f5f72366876e99a586d3aaafe45c9a9e098c8ded9a2db7615c
Formbook
bb21e5cc104a482d8d806a79b75f20781bde73dfb3ac59d6cd58fed12e9757e5
Formbook
bde11e5f0bd0e97d5fec3572de59518b300d0a27602c25d9699d8fc030022cb1
Formbook
+ 4'461 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210401-sgwqlhbrlx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.onlineordersecrets.com/y04g/
Unpacked files
SH256 hash:
d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb
MD5 hash:
00cbf73d8b9f03417a3a32957ec64ed4
SHA1 hash:
b862eff1cf240a5ad5325fd258892e534484a6e8
Link:
https://www.unpac.me/results/29bed0d1-a12c-4b07-b901-9a7c0681ac13/
SH256 hash:
6301f339599408263704cb0ff4402bd9109b40871e19440f97332b5c41cfd1fd
MD5 hash:
cae21380d144dce339ef0589c2b93b17
SHA1 hash:
3d317ed4a19ce57aa633d0d73a236d0cb919ee16
Link:
https://www.unpac.me/results/29bed0d1-a12c-4b07-b901-9a7c0681ac13/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/6301f339599408263704cb0ff4402bd9109b40871e19440f97332b5c41cfd1fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 5fd87d80f5611c8d437babb58295fd71b150e714b50d8f6c6853b17555458b2a

Formbook

Executable exe 6301f339599408263704cb0ff4402bd9109b40871e19440f97332b5c41cfd1fd

(this sample)

  
Dropped by
MD5 b4b6a4368da52a7f759447bd165c9d0c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5fd87d80f5611c8d437babb58295fd71b150e714b50d8f6c6853b17555458b2a
Cape
Cape
https://www.capesandbox.com/analysis/130516/

Comments