MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70b0584e7af38f6a3df03120166a1378819bf596d6e5d5f1cf64cd3280b2ca61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

SHA256 hash: 70b0584e7af38f6a3df03120166a1378819bf596d6e5d5f1cf64cd3280b2ca61
SHA3-384 hash: d83626caef28ccfa9ca56b492751d672e4fcb788ced2055e83b5d7ca2ac80407d33d0592f5abf489affb8fa239d045ad
SHA1 hash: 04a46352098b39aa690aece6992935e3a3618b57
MD5 hash: 72d21d677b7b10a4e7b39e61e6df2d6b
humanhash: robert-snake-jupiter-sodium
File name: Purchase-Order3483403.exe
Signature: Formbook
File size: 926'720 bytes
First seen: 2022-07-19 12:18:06 UTC
Last seen: 2022-07-19 16:14:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 269129a2f834f3525a89b3b03964cefc (2 x Formbook, 1 x RemcosRAT)
ssdeep: 24576:E6x+g9HRYFuETgOPb2M+Sgu7DSnFZDnYTikyzbH0ywnAwDxcAiZ9dn7y0tVSn524:E+DRYEETgOPb+Sgu7I/DnYsHH0ywn3D5
Threatray: 17'331 similar samples on MalwareBazaar
TLSH: T174158D22F2B1CC33D063167E5D5B72A46D2EBE412A29FA856AE43D4C1FF868134653C7
TrID: 26.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      24.5% (.SCR) Windows screen saver (13101/52/3)
      19.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      8.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE): PE icon
dhash icon: 27d0d8d6d6d8d023 (11 x RemcosRAT, 6 x DBatLoader, 5 x ModiLoader)
Reporter: GovCERT_CH
Tags: exe FormBook

Intelligence

File Origin
Number of uploads: 3
Number of downloads: 271
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware keylogger obfuscated packed wacatac

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph ID: 668985
Sample: Purchase-Order3483403.exe
Startdate: 19/07/2022
Architecture: WINDOWS
Score: 100

Root (sample):
  Contacted domains: www.elbarbershop.com; www.suntivegas.com
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures
  Started process: Purchase-Order3483403.exe

Purchase-Order3483403.exe:
  Network: aubromaterkiddie.duckdns.org (208.67.105.81, ports 443, 49723, 49726; GRAYSON-COLLIN-COMMUNICATIONSUS, United States)
  Dropped files: C:\Users\Public\Libraries\Nayzyj.exe (PE32); C:\Users\Public\Libraries\NayzyjO.bat (ASCII); C:\Users\...\Nayzyj.exe:Zone.Identifier (ASCII)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  Injected into: explorer.exe
  Started process: cmd.exe

explorer.exe (injected):
  Network: cer6ljym6.voyage-distribution.xyz (216.118.232.50, ports 49778, 80; NETSEC-HKNETSECHK, Hong Kong); www.mistbet224.com (188.114.96.3, ports 49772, 49773, 80; CLOUDFLARENETUS, European Union); 8 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
  Started processes: Nayzyj.exe (first instance); ipconfig.exe; Nayzyj.exe (second instance)

cmd.exe (started by Purchase-Order3483403.exe):
  Started processes: cmd.exe; conhost.exe

Nayzyj.exe (first instance):
  Network: aubromaterkiddie.duckdns.org
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file

ipconfig.exe:
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process

Nayzyj.exe (second instance):
  Network: aubromaterkiddie.duckdns.org

cmd.exe (child of cmd.exe):
  Started process: conhost.exe
Threat name: Win32.Trojan.Remcos
Status: Malicious
First seen: 2022-07-19 06:17:02 UTC
File Type: PE (Exe)
Extracted files: 40
AV detection: 19 of 26 (73.08%)
Threat level: 5/5
Unpacked files
SHA256 hash: e5cee39f56c43d207f40862077d5b015e62929ff21f9de4e45c3b958c8947770
MD5 hash: 0de7dbbda445e257c9169774b9a8000b
SHA1 hash: 23ab78a6fdd513f2b3877efc92a71fe7d44db0db

SHA256 hash: 70b0584e7af38f6a3df03120166a1378819bf596d6e5d5f1cf64cd3280b2ca61
MD5 hash: 72d21d677b7b10a4e7b39e61e6df2d6b
SHA1 hash: 04a46352098b39aa690aece6992935e3a3618b57
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 70b0584e7af38f6a3df03120166a1378819bf596d6e5d5f1cf64cd3280b2ca61 (this sample)
Delivery method: Distributed via e-mail attachment
