MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bdfa08ec463fdd211f5d3cc03ba2b0f592b73efb702f74e1505b37d2af5e947. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bdfa08ec463fdd211f5d3cc03ba2b0f592b73efb702f74e1505b37d2af5e947
SHA3-384 hash: 619317658dcc3f98df6b06187be601c2b149699c48ec80315eaf6fd3b3fd7dbc444dbbb8658d8011f9a10468dd37158c
SHA1 hash: 1067e9bec30cdf22c102dc2ff2d830f905ed8ce7
MD5 hash: 6dfeb2c49820a61bdc0411486a16109b
humanhash: batman-iowa-twelve-pip
File name:счет-проформа pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:817'616 bytes
First seen:2021-04-21 16:14:25 UTC
Last seen:2021-04-21 16:55:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 698a03195e1954c9425a6e7e9e03973c (1 x ModiLoader, 1 x FormBook)
ssdeep 12288:6oz8n98p/nr4iykoEMj5cWPwZ7R9BR4Uke54a67g/F2TCWfShiyLT2l1sQCLV33:6ma98DykoEH7R9n94a6s/BUS933
Threatray 4'756 similar samples on MalwareBazaar
TLSH CB058D21A2911473F17F16355E3BB6B8DD3AFE111EA8598927F88CAC8E373503F15292
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
счет-проформа pdf.exe
Verdict:
No threats detected
Analysis date:
2021-04-21 15:20:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/46c40719-61f7-469b-aaf5-2c5ca98c56ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/142257/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/691416
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 394642 Sample: #U0441#U0447#U0435#U0442-#U... Startdate: 21/04/2021 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 6 other signatures 2->78 10 #U0441#U0447#U0435#U0442-#U043f#U0440#U043e#U0444#U043e#U0440#U043c#U0430 pdf.exe 17 2->10         started        14 SpeechRuntime.exe 33 2->14         started        process3 dnsIp4 60 cdn.discordapp.com 162.159.133.233, 443, 49693, 49694 CLOUDFLARENETUS United States 10->60 94 Writes to foreign memory regions 10->94 96 Creates a thread in another existing process (thread injection) 10->96 98 Injects a PE file into a foreign processes 10->98 16 DpiScaling.exe 10->16         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 16->62 64 Maps a DLL or memory area into another process 16->64 66 Sample uses process hollowing technique 16->66 68 2 other signatures 16->68 19 explorer.exe 2 15 16->19 injected process8 dnsIp9 56 www.joomlas123.info 199.192.24.139, 49716, 49718, 49722 NAMECHEAP-NETUS United States 19->56 58 www.antiquevendor.com 207.148.248.143, 49712, 80 BIZLAND-SDUS United States 19->58 48 C:\...\4hrh1nw8gn-dqpx.exe, PE32 19->48 dropped 50 C:\Users\user\AppData\...\4hrh1nw8gn-dqpx.exe, PE32 19->50 dropped 80 System process connects to network (likely due to code injection or exploit) 19->80 82 Benign windows process drops PE files 19->82 24 systray.exe 1 18 19->24         started        28 4hrh1nw8gn-dqpx.exe 1 1 19->28         started        30 autofmt.exe 19->30         started        file10 signatures11 process12 file13 52 C:\Users\user\AppData\...\0L9logrv.ini, data 24->52 dropped 54 C:\Users\user\AppData\...\0L9logri.ini, data 24->54 dropped 84 Detected FormBook malware 24->84 86 Tries to steal Mail credentials (via file access) 24->86 88 Tries to harvest and steal browser information (history, passwords, etc) 24->88 92 3 other signatures 24->92 32 cmd.exe 2 24->32         started        36 cmd.exe 1 24->36         started        38 explorer.exe 2 15 24->38         started        90 Injects code into the Windows Explorer (explorer.exe) 28->90 40 explorer.exe 28->40         started        signatures14 process15 file16 46 C:\Users\user\AppData\Local\Temp\DB1, SQLite 32->46 dropped 70 Tries to harvest and steal browser information (history, passwords, etc) 32->70 42 conhost.exe 32->42         started        44 conhost.exe 36->44         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bdfa08ec463fdd211f5d3cc03ba2b0f592b73efb702f74e1505b37d2af5e947/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 13:01:47 UTC
File Type:
PE (Exe)
Extracted files:
9
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=npp2bdwemp65eepv2pgahorlb5msw47pw4bpotqvawzx2kxv5fdq._file
Verdict:
malicious
Similar samples:
259275b0c056a9fec50378b2d268c48447e8ebe8827e8e55aae4484aba8b1939
FormBook
3138df7f2444687a7fcb0dbc704d37bb7d3225fdc49bf6a2944e3fa495c58261
FormBook
5281533c78892f2b571668ef9c770ce9c04ee249397040db9b5975ed47601474
FormBook
61ae615d6ba5629463cec961aa950f737fea8ccc413a677058eb8dccfcdb2561
FormBook
9381faa9dcbde308f4ce87d5dfc36b6a5e8e2a263057ecb2d8f8840061ac2a58
FormBook
b38c11ce5d7c368dd1b51d1b5d8df3e09abff40390f68a1f81dacccfe3f01725
FormBook
c76a77d2c81deab2fda96cc7cfcd42ca3886522b254ab6fa7448c7db8692e00a
FormBook
c771c0417fcf76bac5cb23d5213338c6c8f8b381f6744a7619feb36edec1dacb
FormBook
d8ae48ff83b31d072c1a9d988660e2a0be125aa9373a4adb1dd807d0fea4ebe5
FormBook
eca866db6ef1c1359d34584e896e1c712d70b35ecc2074bc7743e407af792077
FormBook
+ 4'746 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210421-64wxhtd1en/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bdfa08ec463fdd211f5d3cc03ba2b0f592b73efb702f74e1505b37d2af5e947

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 083a56cd6197597aae81782b47d6aaead5b6ec08245b6603845aaa425645dd1e

FormBook

Executable exe 6bdfa08ec463fdd211f5d3cc03ba2b0f592b73efb702f74e1505b37d2af5e947

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 083a56cd6197597aae81782b47d6aaead5b6ec08245b6603845aaa425645dd1e
Cape
Cape
https://www.capesandbox.com/analysis/142257/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-21 17:09:29 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
12) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
13) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
14) [C0038] Process Micro-objective::Create Thread
15) [C0041] Process Micro-objective::Set Thread Local Storage Value
16) [C0018] Process Micro-objective::Terminate Process