MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b112d62c9d5722e71733aebafd86f5ac0a45c71a6776650f9505e239b7d8f8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	6b112d62c9d5722e71733aebafd86f5ac0a45c71a6776650f9505e239b7d8f8e
SHA3-384 hash:	f80518510ebf137dd1c92ab639d5a7b679f02341c6fe0829e08b2b70d79a6bbd74e71b17e172416ac2923a0611e60f1e
SHA1 hash:	652ed4051c171c6decdbbe8a5c724831574453f7
MD5 hash:	d1204a9f635be18db9fda3f9726a3df9
humanhash:	lake-monkey-pennsylvania-diet
File name:	SHIPPING INVOICE pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	773'120 bytes
First seen:	2021-01-15 15:57:33 UTC
Last seen:	2021-01-15 19:55:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:d2iKuQbpxRWu9f/thl1qvPu8h0dvb7ZjOzaCN9:SxQ0thDaW8id/Zh
Threatray	3'476 similar samples on MalwareBazaar
TLSH	B9F46D519BD19310D7AC16FEDC0501EE26E1EF69BED8E76BD9407072AE7692800FD2C2
Reporter	abuse_ch
Tags:	DHL exe FormBook

abuse_ch

Malspam distributing Formbook:

HELO: elcon-in.com
Sending IP: 185.222.57.189
From: dhl express<Accountant@elcon-in.com>
Subject: DHL BILL OF LADING SHIPPING INVOICE DOCUMENTS
Attachment: SHIPPING INVOICE pdf.z (contains "SHIPPING INVOICE pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SHIPPING INVOICE pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-01-15 16:36:24 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/55471c80-083a-4ee7-b4c6-8ee201306048

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/112257/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.504.4330.7736.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Launching cmd.exe command interpreter

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/582634

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/6b112d62c9d5722e71733aebafd86f5ac0a45c71a6776650f9505e239b7d8f8e/

Threat name:

ByteCode-MSIL.Trojan.Artemis

Status:

Malicious

First seen:

2021-01-15 10:32:02 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nmis2ywj2vzc44lthlv27wdpllakixdruz3wmuhzkbpchg35r6ha._file

Verdict:

malicious

Label(s):

formbook

Formbook

0b2ae98dbbc89e15b3d0864559fede5bf9a7c96e80476499c24bf396a5fd27f3

Formbook

4cd823b02efc3aaf62baa4f4e9c252ae487d969c887fe2a72291ad2e69359cac

Formbook

51146cdc626be707700c7459883faef7864612af14354aefed988fed9afa136f

Formbook

5cefff6712f29c6f7fe30bfd3f7d1e790e5474ef242304a91348369b3c1afcab

Formbook

6f970b68cad69c0b6d672940e35dde418280598c320ce12f5e322366a07b44d3

Formbook

716aacac1a8cdbf59b820beee36b621674f1f1d01f0ca7c7ca5c9d419d764f09

Formbook

c27e656ca252e7f6dac160bde8de0e415f104de4641287052ce7548806ba2e01

Formbook

d6c5d3585ce30be92b7bcd11ef9d3cf1d87cabed1f941912e028952e5797a6d8

Formbook

f88aacaed09465c022d30acf7a1304e42cf0c91f703130576eb831be417af022

Formbook

+ 3'466 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210115-srwb4sqyj2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.jerkerings.com/mnf/

Unpacked files

SH256 hash:

6b112d62c9d5722e71733aebafd86f5ac0a45c71a6776650f9505e239b7d8f8e

MD5 hash:

d1204a9f635be18db9fda3f9726a3df9

SHA1 hash:

652ed4051c171c6decdbbe8a5c724831574453f7

Link:

https://www.unpac.me/results/d42d0753-9be0-4ce2-b2d9-0d60525c748b/

SH256 hash:

296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5

MD5 hash:

4cf24d41a7882216740280e3294cb853

SHA1 hash:

6bcb31d3dc0a7d71da1067a628168664202769a4

Link:

https://www.unpac.me/results/d42d0753-9be0-4ce2-b2d9-0d60525c748b/

SH256 hash:

29bc9f09cdeb35110e4d8965e071756b6330536763af57f4c3ba0a46ae6c11a8

MD5 hash:

d89ef51c3dcd40d9ce4db855758ea00e

SHA1 hash:

99e2945a005de4b45d17754b95a43f004f203370

Link:

https://www.unpac.me/results/d42d0753-9be0-4ce2-b2d9-0d60525c748b/

SH256 hash:

765ceb881af03a3e568315d781ca29acdcc2e573b2c9c6f5cfa40345651c4ee0

MD5 hash:

9c24b1ad3107095b933fb326ea911c96

SHA1 hash:

f99314b0b2a47720bd82b32a1df6b711d270e086

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/d42d0753-9be0-4ce2-b2d9-0d60525c748b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b112d62c9d5722e71733aebafd86f5ac0a45c71a6776650f9505e239b7d8f8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.