MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dd2cb6cb441739419634c8a5aedbd44fc20357fe1c861924b3199e5f4e351ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dd2cb6cb441739419634c8a5aedbd44fc20357fe1c861924b3199e5f4e351ba
SHA3-384 hash: b1ceda4dd99172bb9cf2fd7bfda31002d501d879057b8995553656f06ddbe5a61cde0ee404d5b62177b2fcd9ba1defa7
SHA1 hash: 5b9594d4dc4c46d5479ed5645ba1aa510e403ec3
MD5 hash: 78be75029064bfcd03eedce61e018d9b
humanhash: bravo-west-four-wyoming
File name:S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:458'752 bytes
First seen:2021-11-04 11:51:46 UTC
Last seen:2021-11-08 07:13:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:fWHYPdNYk2n5aJhpg3byim7u3hGmn1E94ck2r4S21oawYflT:+GMh52rZzy3nO4ce1nf1
Threatray 11'055 similar samples on MalwareBazaar
TLSH T117A4F16736DC9527D56D0EB8A4A122350FB2BF72D617F71F0E54B0E19AB3F9088106B2
File icon (PE):PE icon
dhash icon 60dcdcd4c4d4ccc0 (2 x AveMariaRAT, 1 x Formbook)
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2021-11-04 11:58:17 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/8874f8f9-bfcd-446e-a578-168ba1cce78e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/202302/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.34595.24206.18203.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6183c9650621d706aea9341a/reports/9aea6ac2-640c-443d-a0b5-e81a6298fd14/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4dd9f14f-ce37-40d6-9ff4-39201c92947b
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/883120
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 515554 Sample: S.K TRADING CO., LTD - INQU... Startdate: 04/11/2021 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 9 other signatures 2->43 10 S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe 3 2->10         started        process3 file4 27 S.K TRADING CO., L...Y DOCUMENTS.exe.log, ASCII 10->27 dropped 13 S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe 10->13         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.re-swap.com 16->29 31 www.ccnsv.net 16->31 33 re-swap.com 34.102.136.180, 49824, 80 GOOGLEUS United States 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 wlanext.exe 16->20         started        signatures9 process10 signatures11 45 Self deletion via cmd delete 20->45 47 Modifies the context of a thread in another process (thread injection) 20->47 49 Maps a DLL or memory area into another process 20->49 51 Tries to detect virtualization through RDTSC time measurements 20->51 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7dd2cb6cb441739419634c8a5aedbd44fc20357fe1c861924b3199e5f4e351ba/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-04 07:42:09 UTC
AV detection:
21 of 44 (47.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxjmw3fuifzzigldjsffv3n5it6canl74hegdeslggm6l5hdkg5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1e7da963a847c976589ec16cba08820882e735cdc10d07d78a391e4e63622f28
Formbook
25e5055023abbb8c18992618b6f04c94b8b13ff8bd33d4a4f8462d92902461bf
Formbook
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
Formbook
680993e1220c8d918f192ae23c5c01b6357c58ad68b7cc59fa122c09b7b85cdd
Formbook
721c03c3cc73dddfcf27e473fc9d1962dd59b3cc7f7b70cdc17d2d6a049aed8e
Formbook
90661f85c7864f95181eceebf32eafd0b4b166aebdfdf5529edfc3a3dd6c0715
Formbook
98257df783e840e80743c3482da475c0a8b0505b1eef573c4f7c968a9e53cdfb
Formbook
da2458789c338c2719661254515dba2fc92c21ef91a11da3d192a6542ca56814
Formbook
e777d588f24e21fdcc3add6de5b93d5fb498b594a59f03d02b5a7880bc5d5180
Formbook
+ 11'045 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:cnp0 rat spyware stealer trojan
Link:
https://tria.ge/reports/211104-n1qxlsgee3/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ccnsv.net/cnp0/
Unpacked files
SH256 hash:
abd73b8e64ee9675009b91caa2b0914f78d2c94ff0260aef98bffd57e8a5eb34
MD5 hash:
779bc937449a4a9598644f64160b461e
SHA1 hash:
b9cf49a4adbfd6acefad5af05e0aaae4d18f00f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/dafd4424-64b0-4397-bd59-f96ebc15a604/
Parent samples :
da2458789c338c2719661254515dba2fc92c21ef91a11da3d192a6542ca56814
25e5055023abbb8c18992618b6f04c94b8b13ff8bd33d4a4f8462d92902461bf
1e7da963a847c976589ec16cba08820882e735cdc10d07d78a391e4e63622f28
60f929f6d1333f24d1a53d62b81f538e10e12e4e3d8dc2e9481ab06e3355322d
656298047d558e1bc1eb67c63d2af80445d7af3b89f68db20c45ad0d452070a8
97e2308f489be583ecaa74518e3c42be2da1e3f61347b983eed293ce3424a5f7
7dd2cb6cb441739419634c8a5aedbd44fc20357fe1c861924b3199e5f4e351ba
d6a8dc15a79bd9360c26def381a088beabf9479b710001a8c1ed8d265a754f92
SH256 hash:
f0f85ecf08bbbbfb70d53a4c22c4abc75e36a6633afe9b0dc6220a4bf1d6a5a7
MD5 hash:
6dc976a3511da8a17f53506372caa22d
SHA1 hash:
f42b6a83e97479547f8ebc91630e43ce67e3ed3d
Link:
https://www.unpac.me/results/dafd4424-64b0-4397-bd59-f96ebc15a604/
SH256 hash:
110a28b39b1e0840684110fa77a580effce50755cb865ce9df566f1fff308d05
MD5 hash:
17d644e87b9923fb2a0ed51e7594d82f
SHA1 hash:
863600e4908ebd4ed26285e210d983d04399e600
Link:
https://www.unpac.me/results/dafd4424-64b0-4397-bd59-f96ebc15a604/
SH256 hash:
7dd2cb6cb441739419634c8a5aedbd44fc20357fe1c861924b3199e5f4e351ba
MD5 hash:
78be75029064bfcd03eedce61e018d9b
SHA1 hash:
5b9594d4dc4c46d5479ed5645ba1aa510e403ec3
Link:
https://www.unpac.me/results/dafd4424-64b0-4397-bd59-f96ebc15a604/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7dd2cb6cb441739419634c8a5aedbd44fc20357fe1c861924b3199e5f4e351ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/202302/

Comments