MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a900970eda971ac9e4cc4263b78b6145ef6c5a94783c572805fdf3c85a8503a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a900970eda971ac9e4cc4263b78b6145ef6c5a94783c572805fdf3c85a8503a
SHA3-384 hash: f1add2145d812e4db48aafc29f875f250a59ddff279eed9c4b6d5c6032561a96f65f6350aca360258f3ed5ecc19ab56a
SHA1 hash: 3eee0df26d21393485821a95c2beffc8797d090b
MD5 hash: 346fb2689c7f90207ce5df0b60be8b14
humanhash: bravo-speaker-quiet-lithium
File name:pending orders0308 D2101002610 pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'064'448 bytes
First seen:2021-04-21 16:06:49 UTC
Last seen:2021-04-21 16:55:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:o5U8yXwLyL1hW6vpRVJNsRRRRRQaBlarj7/4lXNrsg:eohFORRRRRQpjDmNrsg
Threatray 4'690 similar samples on MalwareBazaar
TLSH 3D357C1EE71E7B04E2D9C63FC5D459B7802A9C16E608F93EA9E071BC4AF67DE0054A43
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/142249/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DZG.genEldorado.2488.10851.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/691396
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 394629 Sample: pending orders0308 D2101002... Startdate: 21/04/2021 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 10 other signatures 2->48 10 pending orders0308 D2101002610 pdf.exe 3 2->10         started        process3 file4 34 pending orders0308...1002610 pdf.exe.log, ASCII 10->34 dropped 64 Injects a PE file into a foreign processes 10->64 14 pending orders0308 D2101002610 pdf.exe 10->14         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 17 explorer.exe 14->17 injected process8 dnsIp9 36 www.navigateur-remunerateur.com 213.186.33.5, 49753, 49754, 49755 OVHFR France 17->36 38 www.yuyiznkj.xyz 198.54.117.197, 49734, 49740, 49741 NAMECHEAP-NETUS United States 17->38 40 2 other IPs or domains 17->40 50 System process connects to network (likely due to code injection or exploit) 17->50 52 Performs DNS queries to domains with low reputation 17->52 21 cmmon32.exe 18 17->21         started        signatures10 process11 file12 30 C:\Users\user\AppData\...\27Ologrv.ini, data 21->30 dropped 32 C:\Users\user\AppData\...\27Ologri.ini, data 21->32 dropped 54 Detected FormBook malware 21->54 56 Tries to steal Mail credentials (via file access) 21->56 58 Tries to harvest and steal browser information (history, passwords, etc) 21->58 60 3 other signatures 21->60 25 cmd.exe 2 21->25         started        signatures13 process14 signatures15 62 Tries to harvest and steal browser information (history, passwords, etc) 25->62 28 conhost.exe 25->28         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a900970eda971ac9e4cc4263b78b6145ef6c5a94783c572805fdf3c85a8503a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 14:40:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkias4hnvfy2zhsmyqtdw6fwcrppnrnji6b4k4ual7ptzbnika5a._file
Verdict:
malicious
Similar samples:
2bc690b250672666e2a34800b808d748773492e1d250034505239d03b7882f4b
FormBook
5455b443ff5876acc7f13248570814b58e402911e049c1c3c1b1f6b9ac28ca95
FormBook
56ee229433098f5a7d7dc066e4a66ddfc45f2af20188a9e9fab38a059ccce045
FormBook
65778b8834d7849f816c747ae7f3dfc5466ded7781b34959d53cb1a544aaeef5
FormBook
66f95fa3d4fb8e27a1beca62098133d93bf58ca36b83f58fced7f808ba1f282a
FormBook
7e07bde93d122c059f5b159267f273d05ff8ac8bec540f3ae3bc7c8cd32f1fc7
FormBook
7e0c1f10cfd225b16e83ecf7bc37a782441b8a96225fff827572bc3a81421bb9
FormBook
bb21e5cc104a482d8d806a79b75f20781bde73dfb3ac59d6cd58fed12e9757e5
FormBook
bde11e5f0bd0e97d5fec3572de59518b300d0a27602c25d9699d8fc030022cb1
FormBook
e93a3705834cefd962e4dc4c2062e37e9ea42b9819cf11017857f5e36225d413
FormBook
+ 4'680 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210421-a6fzymmxjx/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.gloomyca.com/chue/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6a900970eda971ac9e4cc4263b78b6145ef6c5a94783c572805fdf3c85a8503a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

7z c76e376abdeb8103dc00f7c3b68cdf6a685cc5578269b83edc249fa0693cb973

FormBook

Executable exe 6a900970eda971ac9e4cc4263b78b6145ef6c5a94783c572805fdf3c85a8503a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 c76e376abdeb8103dc00f7c3b68cdf6a685cc5578269b83edc249fa0693cb973
Cape
Cape
https://www.capesandbox.com/analysis/142249/

Comments