MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264
SHA3-384 hash: 741102b3c7c9dbd5b2b5165df295c2ab2abc05aca83989ac877d3968d0554549acba9992f0f15ee80d29a43876d7fdd2
SHA1 hash: 3336b3ef64d00658daa821c75270bafd6a205df5
MD5 hash: b875694d115f5d4344db0e0be769fdc5
humanhash: low-delaware-hydrogen-xray
File name:Petronas ITQ format.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:758'784 bytes
First seen:2021-01-07 14:00:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:CiKeOd8VCgLtJ79ME8+OSA76RS7DmV8Fj9PMOFj+7hN:zOd8pROKOj9EO
Threatray 3'305 similar samples on MalwareBazaar
TLSH BDF49C2362DE7BC6E03C67754C24B209A3E0AA4E9316CE7A3DD5F1E90479A0446F753E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: server3.bsname.com
Sending IP: 111.91.236.19
From: Joseph Liew <joseph.liew@petronas.com>
Reply-To: Joseph Liew <josephp.liew@outlook.com>
Subject: [Petronas]: Request for quotation, Purchase Order no: 1093121
Attachment: Request for quotation, Purchase Order no 1093121.zip (contains "Petronas ITQ format.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Petronas ITQ format.exe
Verdict:
Malicious activity
Analysis date:
2021-01-07 14:21:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a2fb24bd-47a7-4df1-88a7-b6e1438899d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110827/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/575932
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337022 Sample: Petronas ITQ format.exe Startdate: 07/01/2021 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 4 other signatures 2->44 10 Petronas ITQ format.exe 3 2->10         started        process3 file4 30 C:\Users\user\...\Petronas ITQ format.exe.log, ASCII 10->30 dropped 54 Injects a PE file into a foreign processes 10->54 14 Petronas ITQ format.exe 10->14         started        17 Petronas ITQ format.exe 10->17         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 19 explorer.exe 14->19 injected process8 dnsIp9 32 www.mystluciapages.com 108.62.32.194, 49760, 80 LEASEWEB-USA-LAX-11US United States 19->32 34 deejayatl.com 34.102.136.180, 49761, 80 GOOGLEUS United States 19->34 36 3 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 mstsc.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-07 14:01:06 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oo2rsohp2u3jlibmq3t36uh2zejahzb3laehlczknghpcbdv2jsa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b
Formbook
1cc899a5fc4a3e7fe1c9d1265b60a4faf51bc1df3e4b25c088979755410fa954
Formbook
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
Formbook
532b875f09991cdf7b57db59f0f7aa579d49b229d65ad1ace9f67bf6ffc7bca5
Formbook
5919e2d01fbc46e0aedd07630294976681fbb688e1b226dab43e60309747a877
Formbook
6c45a4d4ed82e89fc389c64729ef65d08fa313ad92e0818f6c1fa96156d66f4e
Formbook
7d667845924245b2c6acee25a643afab5ad0a822614574c93cbf19ff0bb4f8c4
Formbook
be68a437bfdced2711715965531cd0951f433f2c689b09bf265fc6e1b9c1c8e8
Formbook
bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833
Formbook
e1e0a4fba3b1dc2e64ac088f5839fe75832cd9a824fd9f0f5e043821d9d18b0c
Formbook
+ 3'295 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210107-etmh6arjax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.deejayatl.com/khm/
Unpacked files
SH256 hash:
73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264
MD5 hash:
b875694d115f5d4344db0e0be769fdc5
SHA1 hash:
3336b3ef64d00658daa821c75270bafd6a205df5
Link:
https://www.unpac.me/results/a49e8cc9-f829-4dcb-b81f-ed84b632a55d/
SH256 hash:
78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df
MD5 hash:
0d89407b450dd157f3eac8a3a3850a07
SHA1 hash:
ae3cd291f2a022360896d4fae4f005f2b50a8364
Link:
https://www.unpac.me/results/a49e8cc9-f829-4dcb-b81f-ed84b632a55d/
SH256 hash:
9bcd25c9264439bcbde7321cd4ed0747ca74eb2c6937ae92d8afb91ba12340dc
MD5 hash:
03b6e7c4f9f003170abfd05d2c4a5f5a
SHA1 hash:
a4a85b289d1eb68cf215a89ad41598853852ec62
Link:
https://www.unpac.me/results/a49e8cc9-f829-4dcb-b81f-ed84b632a55d/
SH256 hash:
d074d81c4f3f8ba7ba0b7e2f5c95d0c7943d201df80c97825891cf6590155104
MD5 hash:
57adcb2330050f5528e283536a66f645
SHA1 hash:
5b9e9961e5d491bc436e9e5a5906212486c1e5c1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a49e8cc9-f829-4dcb-b81f-ed84b632a55d/
Parent samples :
73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264
bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833
8cfcf36016d933b2dee4ecea9f2d0416444fda668345c0cf82845f49962cd013
94ff08030a3e4421baf3ad3489d4d757dd4e8aab659aa8a06f99d2d81526d17e
f8efa3021228dad9812ac764085f791117265d9859bfb5ed21e07f04f1cb0b5f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 0c125aaea07b9b97fedc0e2022f3951ef3cdefda9110c3b1f4955abeeed9ac22

Formbook

Executable exe 73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264

(this sample)

  
Dropped by
MD5 bc32021093147eac3742eba7f8a42532
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110827/
  
Dropped by
SHA256 0c125aaea07b9b97fedc0e2022f3951ef3cdefda9110c3b1f4955abeeed9ac22

Comments