MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ea42d461e10aa280c9a3bf273e6edfd0cf92a916f35768546ef7f09484c0829. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 9


SHA256 hash: 6ea42d461e10aa280c9a3bf273e6edfd0cf92a916f35768546ef7f09484c0829
SHA3-384 hash: 29e786d2c434292d6b7bdcf928ad6ef37b7860d5a06719b5ea97b48a54f0ab51f7195d051a199e02f00231b00855000d
SHA1 hash: e1844334a3627508f7c988d41883d8533bc42617
MD5 hash: a22175e04cd0fb0bf58a15b2eb6ab978
humanhash: crazy-ten-uniform-wyoming
File name: RFQ-Haesung-tech-견적요청_해성190918.exe (Korean: 견적요청 = "request for quotation", 해성 = "Haesung")
Signature: Formbook
File size: 827'904 bytes
First seen: 2020-11-19 06:48:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f19034443dbba8ae65cae64d05fef57a (13 x Loki, 3 x Formbook, 2 x AgentTesla)
ssdeep: 12288:AbkNnMdUO4rvcMZKwangiFPWY/mnM44ZVA0hjQYonCrNAsZRrPNbZ:p6j4rvrKwang6WCxVA0d6CRAsLPNbZ
Threatray: 2'976 similar samples on MalwareBazaar
TLSH: 7E059E6FA1F0483FC12316399C1B57A85D36BE10F92869462BF41D4C9F39A9178272BF
Reporter: abuse_ch
Tags: exe FormBook geo KOR


abuse_ch
Malspam distributing unidentified malware:

HELO: ns.asakurasoft9.jp
Sending IP: 211.1.230.21
From: Haesung Tech Co., Ltd <giga-tech@daum.net>
Reply-To: giga-tech@daum.net
Subject: 조언: Request for quotation _ Haesung Tech (Korean 조언 = "advice")
Attachment: RFQ-Haesung-tech-견적요청_해성190918.img (contains "RFQ-Haesung-tech-견적요청_해성190918.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 115
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
  Creating a window
  Sending a UDP request
  Unauthorized injection to a recently created process
  Launching a process
  Launching cmd.exe command interpreter
  DNS request
  Sending an HTTP GET request
  Unauthorized injection to a system process

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  Contains functionality to detect sleep reduction / modifications
  Detected unpacking (changes PE section rights)
  Found evasive API chain (may execute only at specific dates)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Maps a DLL or memory area into another process
  Multi AV Scanner detection for submitted file
  Tries to detect virtualization through RDTSC time measurements
  Yara detected FormBook

Result
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2020-11-19 05:05:37 UTC
AV detection: 28 of 29 (96.55%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  Formbook Payload
  Formbook
Malware Config
C2 Extraction: http://www.sunflowersbikini.com/o1u9/
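
The reporter's malspam headers above, the .img-wrapping-.exe delivery chain, the extracted Formbook C2 URL and the file hashes are the indicators a defender takes from this entry. The Python below is an added example, not code from MalwareBazaar or abuse.ch: it turns those indicators into checks that run over constructed mail-gateway and proxy log lines. The key=value mail-log format, the proxy-log format, the list of mountable disk-image extensions and the sample log lines are all assumptions made for the example. One caveat worth keeping in mind when using these: one vendor result above names the sample Win32.Trojan.LokiBot and the imphash is shared with 13 Loki samples, while the YARA detections (win_formbook_g0, win_formbook_auto) and the extracted config agree on Formbook, so the hash-level match, not the family label, is the authoritative identification.

```python
"""Added example (not part of the MalwareBazaar entry): match the indicators
listed on this page against constructed log lines.  Log formats below are
assumptions for the example, not any real product's format."""
import hashlib
import shlex
from urllib.parse import urlsplit

# Indicators copied from the entry above.
SAMPLE_HASHES = {
    "sha256": "6ea42d461e10aa280c9a3bf273e6edfd0cf92a916f35768546ef7f09484c0829",
    "sha1": "e1844334a3627508f7c988d41883d8533bc42617",
    "md5": "a22175e04cd0fb0bf58a15b2eb6ab978",
}
MALSPAM = {"helo": "ns.asakurasoft9.jp", "ip": "211.1.230.21", "from": "giga-tech@daum.net"}
C2_URL = "http://www.sunflowersbikini.com/o1u9/"

# Assumption: disk-image formats Windows mounts on double-click, and executable
# types an attacker would drop inside one (the reporter's .img -> .exe chain).
MOUNTABLE_EXT = (".img", ".iso", ".vhd", ".vhdx")
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs")

# Constructed mail-gateway log (key=value per line); line 1 mirrors the reporter's headers.
MAIL_LOG = """\
ts=2020-11-19T06:40:11Z helo=ns.asakurasoft9.jp ip=211.1.230.21 from=giga-tech@daum.net subject="조언: Request for quotation _ Haesung Tech" attachment=RFQ-Haesung-tech-견적요청_해성190918.img inner=RFQ-Haesung-tech-견적요청_해성190918.exe
ts=2020-11-19T06:41:03Z helo=mail.example.net ip=198.51.100.7 from=alice@example.net subject="Weekly report" attachment=report.pdf inner=-
ts=2020-11-19T06:42:55Z helo=mx.example.org ip=203.0.113.9 from=bob@example.org subject="Invoice" attachment=invoice.iso inner=invoice.exe
""".splitlines()

# Constructed proxy log: timestamp client method url status.
PROXY_LOG = """\
2020-11-19T07:02:19Z 10.0.0.15 GET http://www.sunflowersbikini.com/o1u9/?wN=abc 200
2020-11-19T07:02:20Z 10.0.0.15 GET http://www.sunflowersbikini.com/favicon.ico 404
2020-11-19T07:03:01Z 10.0.0.22 GET http://example.com/o1u9/ 200
""".splitlines()


def parse_kv(line):
    """Split a key=value log line; shlex keeps quoted values with spaces intact."""
    rec = {}
    for tok in shlex.split(line):
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def mail_hits(lines):
    """Return [{'line': n, 'reasons': [...]}] for lines matching any mail indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        reasons = [k for k in ("helo", "ip", "from") if rec.get(k, "").lower() == MALSPAM[k]]
        att, inner = rec.get("attachment", "").lower(), rec.get("inner", "").lower()
        # Generic rule, independent of this campaign: an executable inside a mountable image.
        if att.endswith(MOUNTABLE_EXT) and inner.endswith(EXEC_EXT):
            reasons.append("executable_in_disk_image")
        if reasons:
            hits.append({"line": n, "reasons": reasons})
    return hits


def c2_hits(lines):
    """Clients that requested the extracted C2: same host, and the C2 path as a prefix.
    Matching host+path rather than host alone keeps the favicon line above out of the hits."""
    c2 = urlsplit(C2_URL)
    clients = []
    for line in lines:
        _ts, client, _method, url, _status = line.split()
        u = urlsplit(url)
        if u.hostname == c2.hostname and u.path.startswith(c2.path):
            clients.append(client)
    return clients


def hashes_of(data):
    """Hashes in the forms MalwareBazaar lists, so a captured file can be compared to this entry."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def is_known_sample(data):
    """True when every hash listed for this entry agrees with the given bytes."""
    h = hashes_of(data)
    return all(h[k] == v for k, v in SAMPLE_HASHES.items())


if __name__ == "__main__":
    for hit in mail_hits(MAIL_LOG):
        print(f"mail line {hit['line']}: {', '.join(hit['reasons'])}")
    print("C2 contact from:", c2_hits(PROXY_LOG))
    print("empty file is the sample:", is_known_sample(b""))
```

Run as a script it reports mail lines 1 and 3 (line 3 carries none of the campaign's headers but still trips the generic image-wrapped-executable rule) and a single C2 contact from 10.0.0.15; the second proxy line, a request to the same host for a different path, is not counted.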
Unpacked files
SHA256 hash: 6ea42d461e10aa280c9a3bf273e6edfd0cf92a916f35768546ef7f09484c0829
MD5 hash: a22175e04cd0fb0bf58a15b2eb6ab978
SHA1 hash: e1844334a3627508f7c988d41883d8533bc42617

SHA256 hash: 63f19caf7c1b22ec4856b64cbfad0368755d7d917c5df022566b1b1f458a48f1
MD5 hash: 0a1360928d9421ecee80cc918fa7b9c3
SHA1 hash: 1ff361e0b52e323a16040767a1730eddfd8420b3
Detections: win_formbook_g0 win_formbook_auto

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The entries below give additional information about this malware sample, such as delivery method and external references.

Malspam
Formbook
Executable exe 6ea42d461e10aa280c9a3bf273e6edfd0cf92a916f35768546ef7f09484c0829 (this sample)

Delivery method: Distributed via e-mail attachment

Comments