MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a847a23a2407172035d5eeb7fe1117c851b2947e133c1ca3a236293e5fc5432. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a847a23a2407172035d5eeb7fe1117c851b2947e133c1ca3a236293e5fc5432
SHA3-384 hash: b3602f9b750b0f957a02304c3617aa47baaee052a72379bf62bfd879785e7f051c8c08fff4840d4eecd14daa0be0991b
SHA1 hash: f4f4fec57c1ee378dc7765fa92dcf09e95a3d836
MD5 hash: 71cf36d3dfaa709a235af6f2547d7382
humanhash: fish-blue-cold-nebraska
File name:IMG30122020.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:442'368 bytes
First seen:2020-12-30 09:22:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PNoehAOgQCeYJFWpQ//vcF2c4Otve1gExBV:PitOgQCjJL//00Sea6b
Threatray 3'245 similar samples on MalwareBazaar
TLSH 0694236CC355451ECFAAC37C8C1945446A7EE3AAA4D3E1FF3A0D89B969233423B41D87
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: web.minetdoo.com
Sending IP: 138.201.139.226
From: Zoran Stanković <zstankovic@optimum.rs>
Subject: Fwd: orders schedule - Jan 2021
Attachment: IMG30122020.rar (contains "IMG30122020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG30122020.exe
Verdict:
No threats detected
Analysis date:
2020-12-30 09:51:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1657b76e-dbfa-4703-b03f-761e3369125b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109885/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.41837.27766.19372.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/571987
Signature
.NET source code contains potential unpacker
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335063 Sample: IMG30122020.exe Startdate: 30/12/2020 Architecture: WINDOWS Score: 100 36 www.mycomputercabana.com 2->36 38 www.microroboticuser.com 2->38 40 mycomputercabana.com 2->40 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 5 other signatures 2->54 11 IMG30122020.exe 3 2->11         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\IMG30122020.exe.log, ASCII 11->34 dropped 64 Writes to foreign memory regions 11->64 66 Allocates memory in foreign processes 11->66 68 Sample uses process hollowing technique 11->68 70 3 other signatures 11->70 15 vbc.exe 11->15         started        18 WerFault.exe 20 9 11->18         started        signatures6 process7 file8 72 Modifies the context of a thread in another process (thread injection) 15->72 74 Maps a DLL or memory area into another process 15->74 76 Sample uses process hollowing technique 15->76 78 2 other signatures 15->78 21 explorer.exe 15->21 injected 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->32 dropped signatures9 process10 dnsIp11 42 www.charlespyke.com 156.235.209.86, 49760, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 21->42 44 www.askalliancehealthcare.net 172.67.209.249, 49759, 80 CLOUDFLARENETUS United States 21->44 46 2 other IPs or domains 21->46 56 System process connects to network (likely due to code injection or exploit) 21->56 25 svchost.exe 21->25         started        signatures12 process13 signatures14 58 Modifies the context of a thread in another process (thread injection) 25->58 60 Maps a DLL or memory area into another process 25->60 62 Tries to detect virtualization through RDTSC time measurements 25->62 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a847a23a2407172035d5eeb7fe1117c851b2947e133c1ca3a236293e5fc5432/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-12-30 09:23:05 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkchui5cibyxea25l3vx7yirpscrwkkh4ez4dsr2enrjhzp4kqza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
21c88bab09fd103fd1479524503789677b0a7822eb10468c20b4fba58a952490
Formbook
2e7e018ee5838bf8450f343923ba4ce6c1282ed1b727fc4ab5cbe69b6204fca2
Formbook
435c72e11302f932b44c88d26c8b7f9dd3f803cfe746dd508fe5ef25218c6477
Formbook
6d923f02c2252e4a2ea98a8685fc5237354e2853791855f1a451a390dd85cbb9
Formbook
88e0177e24ad6459ee60566c46b15140c9b64ce8a59abfb6011810514d1ac79a
Formbook
b28f4495e2cda5a5fef0408701a136d820c7cf2e7a45dd101e70b31458e31530
Formbook
bc1a39fab39f372baddb7b2b12553e4c687a099d605892704daefdae5ed4995f
Formbook
da5e4f1f4945b3d49a38123f8c80ac861b5ab7720efec6dc194a1e6dbec0fdc2
Formbook
e973f018b330b3afa0ce25d89e8e5eece3d187309e27265718cd333c28332c0b
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
+ 3'235 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201230-kh3nctva2j/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Program crash
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.fecind.com/hrqa/
Unpacked files
SH256 hash:
7a847a23a2407172035d5eeb7fe1117c851b2947e133c1ca3a236293e5fc5432
MD5 hash:
71cf36d3dfaa709a235af6f2547d7382
SHA1 hash:
f4f4fec57c1ee378dc7765fa92dcf09e95a3d836
Link:
https://www.unpac.me/results/b7d54a24-3629-46c7-9546-962cc66aebc3/
SH256 hash:
c3e3f54f36cdff6c1ab9b6aef015f7d96732134316c47736af97a810c41dfdbc
MD5 hash:
cad589bd923cfe70e9ddeadbd47b376c
SHA1 hash:
dd61cabb7b3c4ff92e4693f938a5c962035ac55f
Link:
https://www.unpac.me/results/b7d54a24-3629-46c7-9546-962cc66aebc3/
SH256 hash:
2cd541bbcced032266b92314703ced4dbccdda41791fab4cc708f2a1d0c081bb
MD5 hash:
1bc45ad0412ff2e327cd747e61137955
SHA1 hash:
25d4ec6189190019d9c9e39a8a85fa72408365ea
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b7d54a24-3629-46c7-9546-962cc66aebc3/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 6e77717ab252bd11ee2cf0842b72e189ca08f627c92434c4381e3b23bf50f1dc

Formbook

Executable exe 7a847a23a2407172035d5eeb7fe1117c851b2947e133c1ca3a236293e5fc5432

(this sample)

  
Dropped by
MD5 0a3b87520a1ad39ea3c872be48552843
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6e77717ab252bd11ee2cf0842b72e189ca08f627c92434c4381e3b23bf50f1dc
Cape
Cape
https://www.capesandbox.com/analysis/109885/

Comments