MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7aa337be7c2fc3d45a829aabcc060f86eac6ae53d878194cc253cfb8e228abf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	7aa337be7c2fc3d45a829aabcc060f86eac6ae53d878194cc253cfb8e228abf2
SHA3-384 hash:	fb83f71a5aea750eba6237daab06b12137c279b749d38e6858767ccd00cc1b7a751a85862e51c8a160dbfbbb6a264002
SHA1 hash:	b53d95bcd8d1d46e979946bc0a8b97d29609e281
MD5 hash:	af9cf7166b559f9d7fa55da4adbb78a5
humanhash:	berlin-oxygen-ceiling-lake
File name:	采购订单号4122681.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	210'432 bytes
First seen:	2020-12-29 07:59:58 UTC
Last seen:	2020-12-29 10:11:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	19365ba8f8fd8d9780c2251bbc0dd3a2 (1 x RemcosRAT, 1 x Formbook, 1 x Loki)
ssdeep	3072:17tb3SRvQVaaZdYpL9w6Oz2rgLcs2OH8VT6tOzenL5v7GfQCAnA23aVOfG9NZTrD:pURvIZS/rOzZcv5ISeNv7Gos23M7j
Threatray	3'303 similar samples on MalwareBazaar
TLSH	8124120B89106C72DB82E0F605E173E998B1089956D46D7FEFE0BCA204DF7DFA42945E
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing unidentified malware:

HELO: alnassar.com.sa
Sending IP: 162.244.93.110
From: 杰夫 <jeff@hncomax.com>
Reply-To: jeff@hncomax.com
Subject: 采购订单号4122681
Attachment: 采购订单号4122681.rar (contains "采购订单号4122681.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

采购订单号4122681.exe

Verdict:

Malicious activity

Analysis date:

2020-12-29 08:05:49 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/d5b46067-f38f-4ebc-b7bb-6e8a15c21fe7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/109729/

Detection(s):

SecuriteInfo.com.Variant.Fugrafa.105737.25511.30891.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Sending a UDP request

DNS request

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/571287

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/7aa337be7c2fc3d45a829aabcc060f86eac6ae53d878194cc253cfb8e228abf2/

Threat name:

Win32.Backdoor.Remcos

Status:

Malicious

First seen:

2020-12-29 08:00:11 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pkrtppt4f7b5iwuctkv4ybqpq3vmnlst3b4bstgckph3ryrivpza._file

Verdict:

malicious

Label(s):

formbook

Formbook

176b6a4f321a046262569c7e6302f9cd734282399645f8b13538489f5183a617

Formbook

2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92

Formbook

45cf51569314dac91762e5c1f112c4a640595239d553729f10613f9f59403e84

Formbook

52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb

Formbook

805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb

Formbook

adfbe10537f150b8d3e8efa0e2131a4d45d4f80671880a9f729e678c2d7244b5

Formbook

bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71

Formbook

c41015f034cca2ff33ce96e08ddb477a92a3fff678bd8e78a78d96bf69e613f1

Formbook

e59d9d9ca9e0c7dddea9a94f0dab0ae137b6a762999bade26db35b1ca35e1f72

Formbook

+ 3'293 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201229-hlkfgx3xs2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.minimalgent.com/heye/

Unpacked files

SH256 hash:

7aa337be7c2fc3d45a829aabcc060f86eac6ae53d878194cc253cfb8e228abf2

MD5 hash:

af9cf7166b559f9d7fa55da4adbb78a5

SHA1 hash:

b53d95bcd8d1d46e979946bc0a8b97d29609e281

Link:

https://www.unpac.me/results/f42f81f3-4858-4145-b0ab-468aa89925ee/

SH256 hash:

3fff5f3adf822fb5aa359a0585afaa385ab8671ea4ae37b6f35030542d6bbc03

MD5 hash:

136f83c671c4c3ab33766460012c4fcf

SHA1 hash:

9b8440ebd3dbfc681c2f95918c1f91cb6522b661

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f42f81f3-4858-4145-b0ab-468aa89925ee/

Parent samples :

adfbe10537f150b8d3e8efa0e2131a4d45d4f80671880a9f729e678c2d7244b5
04a2b06549eb2ce73a5405a14ba3dd9e13029665382b31984aa41f36841b28d5
7aa337be7c2fc3d45a829aabcc060f86eac6ae53d878194cc253cfb8e228abf2
a6c4cf62dc3f99465080ac5cd48a2f2f1423bb90d3d797ed27905225438d4f35
53878a7b306a51e03f35297ea81e42c7aa079665928f8ca0d1f1732c0da82ffe
76f102f79f2f05a30e4cf14c377ce7e7987fd4937cd7b11190c9c21925d82921

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7aa337be7c2fc3d45a829aabcc060f86eac6ae53d878194cc253cfb8e228abf2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 5f4ebfa62a41b397df2f9c86198334b32d6b477833b2843b576ce17c3e3b6f66

Formbook

exe 7aa337be7c2fc3d45a829aabcc060f86eac6ae53d878194cc253cfb8e228abf2

(this sample)

Dropped by

MD5 63c113ff403f5d83a737d85f14b7aca8

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5f4ebfa62a41b397df2f9c86198334b32d6b477833b2843b576ce17c3e3b6f66

Cape

https://www.capesandbox.com/analysis/109729/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample