MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
SHA3-384 hash: 5f1c6d9ccd6672cc3f0061f0345a32a02eb48e59323e4b65237924309fe6bf8f82a925ad24221ae418b377505ceeddf5
SHA1 hash: cf39edbaf3557483f3873e07afffd37544e8d725
MD5 hash: 2f6a8a3b4280110d33bd4bec3f9ba618
humanhash: timing-spring-lamp-cat
File name:SHANDONG.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'416'704 bytes
First seen:2020-12-17 08:42:21 UTC
Last seen:2020-12-17 10:30:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:B4eyscUf6YfpVPocqlNv9FZsDSZTfpeCKYM+6:VyscUiY3qX9FZDZTfperYMd
Threatray 5'178 similar samples on MalwareBazaar
TLSH C1658F247BDD6A04F1B3D73AC6D4A855C6FEFD226715D82E2CD0328E0672FC88951A27
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: coimtra.cam
Sending IP: 111.90.159.197
From: John Shu <John@coimtra.cam>
Subject: RE: RE: PO No.Q20120A/SHANDONG
Attachment: SHANDONG.rar (contains "SHANDONG.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHANDONG.exe
Verdict:
Malicious activity
Analysis date:
2020-12-17 09:27:36 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/c4fbc46d-fb1c-406b-9a55-e8f38572ab9c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6288.23333.26561.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565237
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331702 Sample: SHANDONG.exe Startdate: 17/12/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 8 other signatures 2->55 10 SHANDONG.exe 7 2->10         started        process3 file4 33 C:\Users\user\AppData\Roaming\oyhtaj.exe, PE32 10->33 dropped 35 C:\Users\user\...\oyhtaj.exe:Zone.Identifier, ASCII 10->35 dropped 37 C:\Users\user\AppData\Local\...\tmp4BBC.tmp, XML 10->37 dropped 39 C:\Users\user\AppData\...\SHANDONG.exe.log, ASCII 10->39 dropped 65 Tries to detect virtualization through RDTSC time measurements 10->65 67 Injects a PE file into a foreign processes 10->67 14 SHANDONG.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Maps a DLL or memory area into another process 14->71 73 Sample uses process hollowing technique 14->73 75 Queues an APC in another process (thread injection) 14->75 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 41 valiantbranch.com 34.102.136.180, 49750, 49772, 49775 GOOGLEUS United States 19->41 43 www.beinglean.net 94.136.40.51, 49766, 80 GD-EMEA-DC-LD5GB United Kingdom 19->43 45 21 other IPs or domains 19->45 57 System process connects to network (likely due to code injection or exploit) 19->57 25 ipconfig.exe 12 19->25         started        signatures10 process11 dnsIp12 47 www.tempoborough.life 25->47 59 Modifies the context of a thread in another process (thread injection) 25->59 61 Maps a DLL or memory area into another process 25->61 63 Tries to detect virtualization through RDTSC time measurements 25->63 29 cmd.exe 1 25->29         started        signatures13 process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 03:51:19 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqoavj6pju5i3vsgvcrjl2gd6zxkahvuxsdfi7eqwurzbsqeyk4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0110a52c51d060db8c4b9f3d654340fdf954bd7ceb47956e235ebe5921a57df4
Formbook
319795a056019b583b556b445052ec4c33446a75b7310af85bf15be00b2cf94e
Formbook
3571d3ca49f3c593d4b34f2d7bd9aa8ab2b0bfb99111a2a2561a0d25d494fa2f
Formbook
7cea909eb4fef13fdeee846b808200826a8de0292ba555bcc4fefdde642dbb55
Formbook
80647f6b0ee0d8b14ba78bbd6cbfdf6e332692af7eb0f3348fc76facc4ad23ef
Formbook
84cb3c9404d520f05f868b550697de2803c587b02fc156764c953a12a227e4d7
Formbook
8daa411eb30ad00d9be98b72d66343cd681616040c1b825a4b35bfc2a27ee1de
Formbook
97b414e4df32b2618618bf61922085e35879a743b6cae758f73747682bdc7b02
Formbook
b475b8978e80b7cfc97d95df7e5c7b51efd86ec23d5257ec0c5aa40df7abf30a
Formbook
e973f018b330b3afa0ce25d89e8e5eece3d187309e27265718cd333c28332c0b
Formbook
+ 5'168 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201217-gc2he7yfaa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.valiantbranch.com/0wdn/
Unpacked files
SH256 hash:
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
MD5 hash:
2f6a8a3b4280110d33bd4bec3f9ba618
SHA1 hash:
cf39edbaf3557483f3873e07afffd37544e8d725
Link:
https://www.unpac.me/results/19282c0b-9aa5-4d3e-a5fc-7f756b793d66/
SH256 hash:
63a681a5739224e2a8d2184aee0f2672d57a99b920dbd40de6decb78b961b588
MD5 hash:
fc6398e3e937efd3ec3b835312111b12
SHA1 hash:
1df5edc9d3e24de6032d3569db24c58f79f65476
Link:
https://www.unpac.me/results/19282c0b-9aa5-4d3e-a5fc-7f756b793d66/
SH256 hash:
49fc78cd53e6a1d71fd51cd91d94eee50132d35874edaf8c6d81ae0609fde330
MD5 hash:
71db791a86eec014a804f6c2e2b98abc
SHA1 hash:
649ab07585280958ad43ebb3937f06dea3d19208
Link:
https://www.unpac.me/results/19282c0b-9aa5-4d3e-a5fc-7f756b793d66/
SH256 hash:
cae705f8d6039068d421ac59aecb5c6051df420f3340827bf9806614c0606b3b
MD5 hash:
bd7fa92631cc6b241fea4284f154fefb
SHA1 hash:
6b302fca5d6ea494911f2b46dafbedc8c66e0743
Link:
https://www.unpac.me/results/19282c0b-9aa5-4d3e-a5fc-7f756b793d66/
SH256 hash:
890e5e72222461be09c0c885e7b1f70c63d1cfec5ac245de637af3929b7e7834
MD5 hash:
7a6958c8cec4aec91bbafe23f99276e0
SHA1 hash:
b046b046022e42a868634a6675330933734575f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/19282c0b-9aa5-4d3e-a5fc-7f756b793d66/
Parent samples :
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar fd71a67d2dae0d26ca5624909906e3dec7cdb929cc435ad20ae5707fed0a0257

Formbook

Executable exe 641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9

(this sample)

  
Dropped by
MD5 d4e1e56c274e0ad34263950579956d66
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fd71a67d2dae0d26ca5624909906e3dec7cdb929cc435ad20ae5707fed0a0257

Comments