MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 639d4b0e8dca5185a1783c06b52360ef09df62cc065d0edfd1702cc6d83a025e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 639d4b0e8dca5185a1783c06b52360ef09df62cc065d0edfd1702cc6d83a025e
SHA3-384 hash: fd702634cda771cc05a45bc3be2b73a911bd351abe6f2d9df1b0c8ebc679fae2becbc4df99d5ab5a0224edab1646716c
SHA1 hash: e42a9e03624c55499730a7249b1af458042d5800
MD5 hash: 80abd100f027c83dd96c6fb3539157d7
humanhash: cola-wyoming-west-william
File name:PO-No 243563746 Sorg.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:573'440 bytes
First seen:2021-11-16 14:35:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:N2L4+Fxhr68fvtKOH3KfuKi3Z2rcK84kH2f8a4lyAKp:UL4wrh34Q6fuKLr0Wfr4lWp
Threatray 11'839 similar samples on MalwareBazaar
TLSH T116C4BF4075EC82C7E47A1EF1AEAAD12413B0B5AD925AD20F3E8573DB20F2741454E7BE
File icon (PE):PE icon
dhash icon 8084a48cbc8ce4f8 (44 x Formbook, 20 x AveMariaRAT, 11 x SnakeKeylogger)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/206496/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6193c1d64912a8c920a04dfe/reports/1db45bcf-b2f9-4a81-9eba-79a52f67d1a7/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/116fef9f-d3ae-4e34-bfc2-5c8e2b362d79
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890489
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 522961 Sample: PO-No 243563746  Sorg.exe Startdate: 16/11/2021 Architecture: WINDOWS Score: 100 23 www.sylverrepair.com 2->23 25 www.gxmmvcn.icu 2->25 27 2 other IPs or domains 2->27 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 9 other signatures 2->41 8 PO-No 243563746  Sorg.exe 3 2->8         started        signatures3 process4 file5 21 C:\Users\...\PO-No 243563746  Sorg.exe.log, ASCII 8->21 dropped 43 Injects a PE file into a foreign processes 8->43 12 PO-No 243563746  Sorg.exe 8->12         started        signatures6 process7 signatures8 45 Modifies the context of a thread in another process (thread injection) 12->45 47 Maps a DLL or memory area into another process 12->47 49 Sample uses process hollowing technique 12->49 51 Queues an APC in another process (thread injection) 12->51 15 WWAHost.exe 12->15         started        18 explorer.exe 12->18 injected process9 dnsIp10 53 Modifies the context of a thread in another process (thread injection) 15->53 55 Maps a DLL or memory area into another process 15->55 57 Tries to detect virtualization through RDTSC time measurements 15->57 29 www.javsite.xyz 183.90.253.9, 49795, 80 SAKURA-CSAKURAInternetIncJP Japan 18->29 31 jeewancoco.com 194.233.74.163, 49820, 80 NEXINTO-DE Germany 18->31 33 7 other IPs or domains 18->33 59 System process connects to network (likely due to code injection or exploit) 18->59 61 Performs DNS queries to domains with low reputation 18->61 signatures11
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/639d4b0e8dca5185a1783c06b52360ef09df62cc065d0edfd1702cc6d83a025e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 14:36:05 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=moouwdunzjiylilyhqdlki3a54e56ywmazoq5x6roawmnwb2ajpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06e3d4748368b69a7e5884837136e387db1d754cb4610e0348c8f09a09f7039d
Formbook
3f95e7795f8c0b70983561a48425e735ef7832603543980f460b1356403ec622
Formbook
41de1c603509906c3ddcb2550617c980ba3dd192048a52b449e3894d94e1bad5
Formbook
695b006f3b83048d47ea1fcae9d7cbacac8f82b4f3d2908ca20f06788e8b3b92
Formbook
88f9f44e6cb13da79a3967ffa56a9d8c46d8d49623518df5e90c3d4cf72b3b79
Formbook
9545b9927196fd12d327c38b6f99dbfe3be7beeefb9e4c4a9d3b038c5c39c119
Formbook
dce5f044b1f4396f33c3574667169dcbdeb3aebb037c9f53d7a8c38e095f576d
Formbook
f67b56c419eaa4e3df12d7624c0ef0047fb7ca691a888e02225c9ba6610e8f96
Formbook
+ 11'829 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:seqa loader rat suricata
Link:
https://tria.ge/reports/211116-rykjlabbfp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.hybridsea.com/seqa/
Unpacked files
SH256 hash:
4445e6169ee2064cac414bb32b65e1685546644926bd081026a4c2ea568339a2
MD5 hash:
49786a0dbb57389e948893b125a90c14
SHA1 hash:
cd393e046e71681bd1cfdddd7ee1db3421cd7057
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4a3100ca-76c9-4e87-9bf6-eefb6efa146f/
Parent samples :
639d4b0e8dca5185a1783c06b52360ef09df62cc065d0edfd1702cc6d83a025e
e96c0ffc73eec789eab058d77bed0e9246f485bbfada89dbad4b73430461780f
570f6cf56c833b755dcf8618a0182d27fd9ac39a0ad4595ea9a774f346970b7b
3b5e31e4b62087dfa7cac1a39c31896d25d465c971fe1db3e9a9271471ce416d
c0064ec7925f6ba2b202bac90707efb73e2c843ad4c946a12fdf3c49be910fbc
0d191570930382397a371a8f1fb19bd8aa7151e2f48090b11a473d65db5e0cb5
be36f7b67439a45588b41b9c19a15bfde3545ddd5eef1366d2610831260d40fb
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/4a3100ca-76c9-4e87-9bf6-eefb6efa146f/
SH256 hash:
aeb26089bcf212f8a8269bd9f500409817e238f968764ba044edb03833b16a91
MD5 hash:
280f6783572bbf980a350756bdb3d3f4
SHA1 hash:
b75445a59d4d0ace79176a4a76f600fdaf20cb29
Link:
https://www.unpac.me/results/4a3100ca-76c9-4e87-9bf6-eefb6efa146f/
SH256 hash:
639d4b0e8dca5185a1783c06b52360ef09df62cc065d0edfd1702cc6d83a025e
MD5 hash:
80abd100f027c83dd96c6fb3539157d7
SHA1 hash:
e42a9e03624c55499730a7249b1af458042d5800
Link:
https://www.unpac.me/results/4a3100ca-76c9-4e87-9bf6-eefb6efa146f/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/639d4b0e8dca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/639d4b0e8dca5185a1783c06b52360ef09df62cc065d0edfd1702cc6d83a025e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 639d4b0e8dca5185a1783c06b52360ef09df62cc065d0edfd1702cc6d83a025e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/206496/

Comments