MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ec70990f8e965d14d97cc4c2ca0544647c4a2dace3cac4cd84ea103aec1e1f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ec70990f8e965d14d97cc4c2ca0544647c4a2dace3cac4cd84ea103aec1e1f5
SHA3-384 hash: 9a4f1c6d0cc3a6cff03b0b5ad7e66ae8c8d8c5a2da8df0e6fc40f6007f5bebf6cea69014f88912832e2716f1d864e7e4
SHA1 hash: 967273c981dccdf296dff0c3eeb7f8c34b4ea6a9
MD5 hash: 103794ff82a8cccbeb330af1ff0e538c
humanhash: muppet-shade-utah-freddie
File name:BL84995005038483.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:116'224 bytes
First seen:2021-04-07 05:53:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:UUQj9K0dXLLo826OQfDuGQxgGQk5L5VS:U5K07dOQfDuGQxgGQk5Le
Threatray 4'511 similar samples on MalwareBazaar
TLSH B2B369AB0180BFE9DCB150B8D955FDD182AD3EA048C198ED216117A4E2DB536F73BE4C
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hp0.332.gvuwx.ga
Sending IP: 167.99.239.109
From: Damia/Navegacion SHIPPING <chew@cidc.com.my>
Subject: RE: DRAFT BL: BP899088885776 / NEW SHIPMENT (Draft Dispatch Documents)
Attachment: BL84995005038483.zip (contains "BL84995005038483.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BL84995005038483.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 06:49:38 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/01968a29-f781-4f51-b11d-f54ff4ceb52e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Mal.Generic-S.17584.4969.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd70568d-966b-4c2d-b7a7-408ea0cd157e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668236
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383049 Sample: BL84995005038483.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 44 www.therapeuticsmile.com 2->44 46 www.myfashionest.com 2->46 48 5 other IPs or domains 2->48 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 4 other signatures 2->80 11 BL84995005038483.exe 15 8 2->11         started        signatures3 process4 dnsIp5 58 myliverpoolnews.cf 172.67.150.212, 443, 49693, 49694 CLOUDFLARENETUS United States 11->58 40 C:\Users\user\AppData\...\5fscwdvm.newcfg, XML 11->40 dropped 84 Tries to detect virtualization through RDTSC time measurements 11->84 86 Hides threads from debuggers 11->86 16 BL84995005038483.exe 11->16         started        19 cmd.exe 1 11->19         started        21 WerFault.exe 23 9 11->21         started        file6 signatures7 process8 dnsIp9 60 Modifies the context of a thread in another process (thread injection) 16->60 62 Maps a DLL or memory area into another process 16->62 64 Sample uses process hollowing technique 16->64 66 Queues an APC in another process (thread injection) 16->66 24 explorer.exe 16->24 injected 28 conhost.exe 19->28         started        30 timeout.exe 1 19->30         started        50 192.168.2.1 unknown unknown 21->50 signatures10 process11 dnsIp12 52 www.sinoagrifcf.com 45.192.251.55, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 24->52 54 www.mindframediscovery.com 204.11.56.48, 49740, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 24->54 56 8 other IPs or domains 24->56 82 System process connects to network (likely due to code injection or exploit) 24->82 32 cmmon32.exe 12 24->32         started        signatures13 process14 dnsIp15 42 www.sinoagrifcf.com 32->42 68 Modifies the context of a thread in another process (thread injection) 32->68 70 Maps a DLL or memory area into another process 32->70 72 Tries to detect virtualization through RDTSC time measurements 32->72 36 cmd.exe 1 32->36         started        signatures16 process17 process18 38 conhost.exe 36->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ec70990f8e965d14d97cc4c2ca0544647c4a2dace3cac4cd84ea103aec1e1f5/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 22:45:39 UTC
AV detection:
8 of 48 (16.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3dqtehy5fs5ctmxzrgczicuizd4jiw2zy6kytgyj2qqhlwb4h2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
029f8f91cce35bc2b66f10c473237024d772c4643e30b9a10acadfe3ce6640d3
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
38b6a40d2eeddf38695294c57971fc2efab81fea95100260a2003baa13616b83
Formbook
75fc618d3fd8e0cdd393c42d086f56dca615394a1e5fc73ececffd82359699a6
Formbook
86071c5800d553ea0cac697f9188a7b592aa9336bf59302545b14aed8b13ce11
Formbook
8d96cdba8c8ac7896773c03f0ab27a5cebe912d9cc6614fda1e149191fc6a7c7
Formbook
b2697b1c939e346a4adcf8ed2cb4a0e493f2390a54a0457c95fea5485c2fa19b
Formbook
c064c85554afe2f28d863c91ad32167cccb8bfd909cea16247dc446f6556116e
Formbook
c494dceddfa1c8c6944a93f902c641ab5f99352ba48b81849e576f7da353314c
Formbook
f77f6ec623c3ab47584b5f46d73016feddc1f4accb8b1f47f4cfa8df438c79d8
Formbook
+ 4'501 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210407-4d9wq9se1e/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.hnchotels.com/mb7q/
Unpacked files
SH256 hash:
6ec70990f8e965d14d97cc4c2ca0544647c4a2dace3cac4cd84ea103aec1e1f5
MD5 hash:
103794ff82a8cccbeb330af1ff0e538c
SHA1 hash:
967273c981dccdf296dff0c3eeb7f8c34b4ea6a9
Link:
https://www.unpac.me/results/16f57a8d-c496-4bb3-9912-8a3d7e7645de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/6ec70990f8e965d14d97cc4c2ca0544647c4a2dace3cac4cd84ea103aec1e1f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 2c23f2c834f6d9fe89f0cde03a516eea04b945b464eae3f042e0a47fb2390a05

Formbook

Executable exe 6ec70990f8e965d14d97cc4c2ca0544647c4a2dace3cac4cd84ea103aec1e1f5

(this sample)

  
Dropped by
MD5 5c3c47d30b92f01c319250946ae86961
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132746/
  
Dropped by
SHA256 2c23f2c834f6d9fe89f0cde03a516eea04b945b464eae3f042e0a47fb2390a05

Comments