MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a7659b4614c990d4feba15eeef035d47dcb8f46d92320620205eb6131eaf6a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a7659b4614c990d4feba15eeef035d47dcb8f46d92320620205eb6131eaf6a4
SHA3-384 hash: 2ac61f6a781c578e2a10fb05087a5b5c41c7d9d6e4a80cb662c76606d66dee6ef828c707ec9490b3c36f94b18720aa37
SHA1 hash: 1828a711a093a3f974a420cf12fa3d67c48bd3a8
MD5 hash: ea3b95545772a4401f0978721eef7353
humanhash: fix-one-sink-alpha
File name:order no.0118-21.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'188'352 bytes
First seen:2021-01-18 18:19:40 UTC
Last seen:2021-01-18 19:33:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:VyrL7DUTdJxCtQo37Za0DOqzT26Y+nsbKvKjJ4DUqsR:VyrL7DUTdJx0R7Za0Dzn2Us+WuI
Threatray 3'512 similar samples on MalwareBazaar
TLSH 3945BE15639DDF21D7FC56FA9C4084A062ADDD52F258E77CD8B2B0D6A831E7800DEB82
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp.gipfarm.com
Sending IP: 77.48.43.51
From: 'Rowena' <security@gipfarm.com>
Subject: order no.0118-21
Attachment: order no.0118-21.pdf.gz (contains "order no.0118-21.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order no.0118-21.exe
Verdict:
No threats detected
Analysis date:
2021-01-18 18:28:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/948897c1-a2ad-43dd-b521-c9110d829bb7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112647/
Detection(s):
SecuriteInfo.com.ArtemisEA3B95545772.27869.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584230
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341154 Sample: order no.0118-21.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 32 www.michaelthomasgunn.com 2->32 34 michaelthomasgunn.com 2->34 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 8 other signatures 2->48 11 order no.0118-21.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\...\order no.0118-21.exe.log, ASCII 11->30 dropped 14 order no.0118-21.exe 11->14         started        17 order no.0118-21.exe 11->17         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 14->19 injected process8 dnsIp9 36 michaelthomasgunn.com 34.102.136.180, 49739, 49749, 80 GOOGLEUS United States 19->36 38 www.specializednurse.com 19->38 40 specializednurse.com 19->40 50 System process connects to network (likely due to code injection or exploit) 19->50 23 cmstp.exe 19->23         started        signatures10 process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 23->52 54 Maps a DLL or memory area into another process 23->54 56 Tries to detect virtualization through RDTSC time measurements 23->56 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6a7659b4614c990d4feba15eeef035d47dcb8f46d92320620205eb6131eaf6a4/
Threat name:
ByteCode-MSIL.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 18:20:11 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nj3ftndbjsmq2t7lufpo54bv2r64xd2g3ersayqcaxvwcmpk62sa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1285da1bcd0075a10d2e8f1d3811ceebacef662558186c6550ccc29c53e699b3
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
9e15ebbf48baef0f33c9ceb2e69566ec71d77271270a65dc5a7cf19a450f1a62
Formbook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
Formbook
c8cd524c89b904ad199b97a7740a9928abd939107904bb29150cdfd98f0f7404
Formbook
e1e0a4fba3b1dc2e64ac088f5839fe75832cd9a824fd9f0f5e043821d9d18b0c
Formbook
fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71
Formbook
+ 3'502 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210118-9357mkt4rx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.paniciagency.com/n6sn/
Unpacked files
SH256 hash:
1d6ecf546163882d34d4bb2b7afa3889506ca3036ed536c4ed972ed89bdf5035
MD5 hash:
fb169513679d349cb2a7e4121bacfd4a
SHA1 hash:
26619d7ce0a175b9fc4fbfd7f4b105050562924f
Link:
https://www.unpac.me/results/fb5f30ef-9c5c-448b-828d-bfca55be4cee/
SH256 hash:
6a7659b4614c990d4feba15eeef035d47dcb8f46d92320620205eb6131eaf6a4
MD5 hash:
ea3b95545772a4401f0978721eef7353
SHA1 hash:
1828a711a093a3f974a420cf12fa3d67c48bd3a8
Link:
https://www.unpac.me/results/fb5f30ef-9c5c-448b-828d-bfca55be4cee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/6a7659b4614c990d4feba15eeef035d47dcb8f46d92320620205eb6131eaf6a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz b7c539f4839184cd0c5310f0f6acf5505ebda20ca3886d58c0cb5aca2bb1adf9

Formbook

Executable exe 6a7659b4614c990d4feba15eeef035d47dcb8f46d92320620205eb6131eaf6a4

(this sample)

  
Dropped by
MD5 98e8c5e30bc8a8a1097b7a3496b6d2bc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b7c539f4839184cd0c5310f0f6acf5505ebda20ca3886d58c0cb5aca2bb1adf9
Cape
Cape
https://www.capesandbox.com/analysis/112647/

Comments