MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 867250c0cf9bf77af6af0886d701bb1ce4045a49a1e8be964b8e5f00de241c20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 867250c0cf9bf77af6af0886d701bb1ce4045a49a1e8be964b8e5f00de241c20
SHA3-384 hash: ca77ad4d6ded443a8ca4e5534e27170c1c4ab08c3692a0c152ea61cb65e22ee9e01b3b2cb0ee0dcd95615b3286205387
SHA1 hash: b39152dea0fa9e947750ec81618ba16c8c7ab2af
MD5 hash: 5751c40210b0e6cb13a58eee866d802d
humanhash: rugby-oranges-montana-helium
File name:AWB64353906534INV.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:482'304 bytes
First seen:2020-11-05 08:09:28 UTC
Last seen:2020-11-05 09:35:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8Het1p5ZXyl1IHEFRlcX2A3bs3P/3ax6m:8Het1olyX7g/k6m
Threatray 439 similar samples on MalwareBazaar
TLSH CAA4BF72BD82587ECA6E077140A581F0FAB716C73F508B0F716E470C2E11A5BAB93A57
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: host296745.localhost
Sending IP: 158.51.96.61
From: DHL | Express Shipping <info2@dhl.com>
Subject: PRE AWB 6436906534 -899287988 11/4/2020 9:23:27 a.m.
Attachment: AWB64353906534INV.img (contains "AWB64353906534INV.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83097/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.26639.25040.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/521032
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/867250c0cf9bf77af6af0886d701bb1ce4045a49a1e8be964b8e5f00de241c20/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 05:34:50 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzzfbqgptp3xv5vpbcdnoan3dtsaiwsjuhul5fslrzpqbxredqqa._file
Verdict:
unknown
Similar samples:
1469f4fc2b5656138640f57204d26e8a956193323d839b8f74350d45e1cdb69b
Formbook
267df514019cdb3d9c9d29ea27726fefc397c0ed5804a91999af97f2d10e070e
Formbook
268a8cd2e1be94fb5124930ed021ef9cda228d8366efef29884f7affc47f936d
Formbook
29562212d731f51f5773e7996530971ccecfe84d6116bcbdbb3e41e6a2054b9a
Formbook
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
Formbook
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
Formbook
a7d27c9cca035fac67dadf420c7adcfb2b196b4f2db64d94e13ddb6a9ea1c46a
Formbook
b511fbc6adf655af3e693e7a7081e62f26eacd616273f625a8e9c3568420e1fc
Formbook
cd69ac65237b5e9280395b4faaf70447e6524d99801fdda8dfb62178f24f24b3
Formbook
ff3e2f2fe988d10c72aa056a9220a32e6ed9db7204df93713aa9451682c2c630
Formbook
+ 429 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201105-ae3dw482me/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.porncamslivechat.com/unx5/
Unpacked files
SH256 hash:
867250c0cf9bf77af6af0886d701bb1ce4045a49a1e8be964b8e5f00de241c20
MD5 hash:
5751c40210b0e6cb13a58eee866d802d
SHA1 hash:
b39152dea0fa9e947750ec81618ba16c8c7ab2af
Link:
https://www.unpac.me/results/2390d865-dfc2-4c20-96c4-b440164c5454/
SH256 hash:
85149b884607f6bb7317c7fb893b8cabc550422ecd62bd59509a3d5fcf44b56d
MD5 hash:
a5baef204b1c2470b3692ead91645bcc
SHA1 hash:
636c826cd651b6817711353b140d7960731daec5
Link:
https://www.unpac.me/results/2390d865-dfc2-4c20-96c4-b440164c5454/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/2390d865-dfc2-4c20-96c4-b440164c5454/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd
MD5 hash:
a92da98ff6f5ae608503d074617bcc2a
SHA1 hash:
d3eafcccca011bb3a7a5ae52dd9704ceafcde472
Link:
https://www.unpac.me/results/2390d865-dfc2-4c20-96c4-b440164c5454/
SH256 hash:
a24726606c0006a69e0205b28e8d9cb38ca54ae1d7990e73522bd2345cb74b70
MD5 hash:
074d407ac7815e65a5a26fc2648a2070
SHA1 hash:
1b25a74f9a8e31dad7ec00744d6353d0f4fa3907
Link:
https://www.unpac.me/results/2390d865-dfc2-4c20-96c4-b440164c5454/
SH256 hash:
83fc9767ea5332a1ad033ab056b48845ae1eb8d71992b1e8815a30063ca1d969
MD5 hash:
2e6695696d6e06f92582d3ec6a74bd4a
SHA1 hash:
6f94b420735d6e9544e573a130b53319056cc47a
Link:
https://www.unpac.me/results/2390d865-dfc2-4c20-96c4-b440164c5454/
SH256 hash:
b7aa6e2efd402ef57346ac59ef1eff54a1416db573928451b25e6cee65837026
MD5 hash:
4d48f99a21fd2227c55c0c059a5ae7a7
SHA1 hash:
c5191b29e493fc7141a9f157f53e16ed1b698704
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2390d865-dfc2-4c20-96c4-b440164c5454/
Parent samples :
867250c0cf9bf77af6af0886d701bb1ce4045a49a1e8be964b8e5f00de241c20
f3024d8a77f7d80b8e1f44a868913ad76e926d5add36cdc27332c42c3cc012a3
SH256 hash:
c609c54e179794ad432c635c19ca50a5093b907cf2e072203051e74a81138274
MD5 hash:
c135a3179874296f055bb75864526048
SHA1 hash:
ed6f42b3048ff08e390562c6e579ab9c82a3972c
Link:
https://www.unpac.me/results/2390d865-dfc2-4c20-96c4-b440164c5454/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

661a65c9f2e492c183f1ff4e87d7e8de

Formbook

Executable exe 867250c0cf9bf77af6af0886d701bb1ce4045a49a1e8be964b8e5f00de241c20

(this sample)

  
Dropped by
MD5 661a65c9f2e492c183f1ff4e87d7e8de
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83097/

Comments