MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74ff69d2acffcbe2ed4ad76db8c1025be066170a8cc5b7c7048ea8cdcb155179. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74ff69d2acffcbe2ed4ad76db8c1025be066170a8cc5b7c7048ea8cdcb155179
SHA3-384 hash: eda1442cb13b27b4b52ca3e1e9d258e008ce89f116473c01d54f55b43898bdc407bd1256c13db64fd3a4a60f7e41070a
SHA1 hash: cb9cd1b2d0d62a373e95ebd068e1eaa46a3514ca
MD5 hash: b46af328c691909866874f369e20140b
humanhash: florida-eleven-ohio-bluebird
File name:products order pdf .exe
Download: download sample
Signature Formbook
Create hunting rule
File size:818'664 bytes
First seen:2021-05-26 07:40:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3ce36334df24b9b0e96702a83ffba1af (3 x RemcosRAT, 3 x Formbook, 1 x OskiStealer)
ssdeep 12288:Sq/664+YlIpVmBVMuYl/lnu6ZerpObSVE9QkrhQdMNs9:Sq/6H8mBVmkCEpObVqms9
Threatray 5'386 similar samples on MalwareBazaar
TLSH BD05AE22A2DA04F7C5AB1E389C1793A99839BE701E2455533BF93D0C8F397513E292D7
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
products order pdf .exe
Verdict:
Suspicious activity
Analysis date:
2021-05-26 07:59:42 UTC
Tags:
installer
Link:
https://app.any.run/tasks/84c0f561-f82a-49a8-8985-10a503e45718

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162309/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Mal.Generic-S.3478.7262.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792316
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 424715 Sample: products order pdf .exe Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 48 www.kauai-marathon.com 2->48 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Found malware configuration 2->60 62 8 other signatures 2->62 11 products order pdf .exe 17 2->11         started        signatures3 process4 dnsIp5 54 cdn.discordapp.com 162.159.133.233, 443, 49714, 49716 CLOUDFLARENETUS United States 11->54 76 Writes to foreign memory regions 11->76 78 Allocates memory in foreign processes 11->78 80 Creates a thread in another existing process (thread injection) 11->80 82 Injects a PE file into a foreign processes 11->82 15 secinit.exe 11->15         started        signatures6 process7 signatures8 84 Modifies the context of a thread in another process (thread injection) 15->84 86 Maps a DLL or memory area into another process 15->86 88 Sample uses process hollowing technique 15->88 90 2 other signatures 15->90 18 explorer.exe 3 6 15->18 injected process9 dnsIp10 50 www.joomlas123.info 199.192.24.139, 49755, 49756, 49757 NAMECHEAP-NETUS United States 18->50 52 www.sharmasfabrics.com 109.68.33.25, 49749, 80 GD-EMEA-DC-LD5GB United Kingdom 18->52 40 C:\Users\user\AppData\...\autochk7not.exe, PE32 18->40 dropped 42 C:\Program Files (x86)\...\autochk7not.exe, PE32 18->42 dropped 64 System process connects to network (likely due to code injection or exploit) 18->64 66 Benign windows process drops PE files 18->66 23 cmmon32.exe 1 18 18->23         started        27 autochk7not.exe 18->27         started        29 autochk7not.exe 18->29         started        file11 signatures12 process13 file14 44 C:\Users\user\AppData\...\0L9logrv.ini, data 23->44 dropped 46 C:\Users\user\AppData\...\0L9logri.ini, data 23->46 dropped 68 Detected FormBook malware 23->68 70 Tries to steal Mail credentials (via file access) 23->70 72 Tries to harvest and steal browser information (history, passwords, etc) 23->72 74 3 other signatures 23->74 31 cmd.exe 2 23->31         started        34 cmd.exe 1 23->34         started        signatures15 process16 signatures17 92 Tries to harvest and steal browser information (history, passwords, etc) 31->92 36 conhost.exe 31->36         started        38 conhost.exe 34->38         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74ff69d2acffcbe2ed4ad76db8c1025be066170a8cc5b7c7048ea8cdcb155179/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 07:40:26 UTC
AV detection:
23 of 47 (48.94%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ot7wtuvm77f6f3kk25w3rqiclpqgmfykrtc3pryer2um3syvkf4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
259275b0c056a9fec50378b2d268c48447e8ebe8827e8e55aae4484aba8b1939
Formbook
3138df7f2444687a7fcb0dbc704d37bb7d3225fdc49bf6a2944e3fa495c58261
Formbook
61ae615d6ba5629463cec961aa950f737fea8ccc413a677058eb8dccfcdb2561
Formbook
6bdfa08ec463fdd211f5d3cc03ba2b0f592b73efb702f74e1505b37d2af5e947
Formbook
9381faa9dcbde308f4ce87d5dfc36b6a5e8e2a263057ecb2d8f8840061ac2a58
Formbook
b38c11ce5d7c368dd1b51d1b5d8df3e09abff40390f68a1f81dacccfe3f01725
Formbook
bccb5a69386e34c4c94dfe0932180377c333d0d1f0a65b52eb64a0cdc1974556
Formbook
c76a77d2c81deab2fda96cc7cfcd42ca3886522b254ab6fa7448c7db8692e00a
Formbook
c771c0417fcf76bac5cb23d5213338c6c8f8b381f6744a7619feb36edec1dacb
Formbook
d8ae48ff83b31d072c1a9d988660e2a0be125aa9373a4adb1dd807d0fea4ebe5
Formbook
+ 5'376 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210526-y95zzekt6n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.info/n7ak/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74ff69d2acffcbe2ed4ad76db8c1025be066170a8cc5b7c7048ea8cdcb155179

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162309/

Comments