MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24
SHA3-384 hash: ed0cc4b1c776d47ce2a12611bc56947266ccc2db58728e669f0dffbc388472d914f7527531cf7fe97c4910da7dea9aa6
SHA1 hash: dea526f0eea126aaed0c645dc45ddd1d9b3a1a0f
MD5 hash: 4093e1d11b616d870c6e6176b8058d77
humanhash: alanine-violet-high-yellow
File name:aQnaI0DXH8l8WfB.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:788'992 bytes
First seen:2021-03-01 07:27:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:xdj4Xjfs8wzBt55cidzGlRY1LaaGp1YTqmPw2BbCxlTruy+1b1EAJ0DvjSS9ssJ8:xdj4od/5nxSy5a6FBbcRHSFILFRCd
Threatray 4'014 similar samples on MalwareBazaar
TLSH 84F4F62020BD644EC0337AF31AE9851FA3992F59511FE50F30B2B6975DB2B426787F1A
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sonic303-19.consmr.mail.ir2.yahoo.com
Sending IP: 77.238.178.200
From: martin palmkvist <martin.palmkvist9byggtill@yahoo.se>
Subject: : Fwd: Wire Transfer Payment
Attachment: QI0DXH8l8W.rar (contains "aQnaI0DXH8l8WfB.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aQnaI0DXH8l8WfB.exe
Verdict:
Malicious activity
Analysis date:
2021-03-01 08:10:44 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/bfa9af10-82d6-43be-a625-e99f0ae3b0d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120132/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621876
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359928 Sample: aQnaI0DXH8l8WfB.exe Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 31 www.trump2020shop.net 2->31 33 shops.myshopify.com 2->33 35 2 other IPs or domains 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 7 other signatures 2->49 11 aQnaI0DXH8l8WfB.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\aQnaI0DXH8l8WfB.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 aQnaI0DXH8l8WfB.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.besteprobioticakopen.online 94.23.162.163, 49762, 80 OVHFR France 18->37 39 rhemachurch4u.com 34.102.136.180, 49761, 49769, 49770 GOOGLEUS United States 18->39 41 15 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 05:22:15 UTC
AV detection:
11 of 48 (22.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q642ktqfzlpmnjv2s6riyhpcwwnupgd5zlchqeqd3rebdmwthysa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
Formbook
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
Formbook
170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d
Formbook
17adca833d9ccaf731ac41830d08db7b447ff391ce54052532d4d90fb4594a40
Formbook
2b9cc84b89000fae34b2808cfbc40c76a0f9f40f02aad848c3789b2fc347ccf0
Formbook
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
Formbook
86879b01844ab067722fd2ca12bf5a666136348ca9a7f72a33ca42d9707e84d0
Formbook
c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021
Formbook
f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619
Formbook
fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6
Formbook
+ 4'004 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210301-yc6rsj3m5e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.besteprobioticakopen.online/uszn/
Unpacked files
SH256 hash:
1820c232000eaca2b342006581d1e0743ff2166f57f917b8691901867e7ad3e0
MD5 hash:
cc0ba93bd12ee998cacab013043ff2c6
SHA1 hash:
c5ca7761965d1eedceaab08eb3bc06963292bd87
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/1d7c67b0-bc04-41cb-8ee4-5717f2f40d08/
Parent samples :
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6
f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619
17adca833d9ccaf731ac41830d08db7b447ff391ce54052532d4d90fb4594a40
c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24
ddaa3b6f19f3e7b9a6e8ebe8188ceea0d1bb0c285a0b2d783c8d0cc7005e37a6
SH256 hash:
a8a3f4024b4dd13a5176a05e22df9a3bb45d7b0341a1197aab5c73d8ff144133
MD5 hash:
ae60753e8583ca028b21bc63437259ee
SHA1 hash:
efbe7476561e79f9631ed4fbe2fd470762f9a174
Link:
https://www.unpac.me/results/1d7c67b0-bc04-41cb-8ee4-5717f2f40d08/
SH256 hash:
f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027
MD5 hash:
d66f89bf838fb52ed59d311a99aea214
SHA1 hash:
342525c4aabbb92abf51459081d34ed0f1cdc965
Link:
https://www.unpac.me/results/1d7c67b0-bc04-41cb-8ee4-5717f2f40d08/
SH256 hash:
87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24
MD5 hash:
4093e1d11b616d870c6e6176b8058d77
SHA1 hash:
dea526f0eea126aaed0c645dc45ddd1d9b3a1a0f
Link:
https://www.unpac.me/results/1d7c67b0-bc04-41cb-8ee4-5717f2f40d08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar b9fd15e85d0dacada609ac5e5635cd8714200e9f539b1f9df4750ba4f3586654

Formbook

Executable exe 87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24

(this sample)

  
Dropped by
MD5 8b971dc4876ae5a49d953f6bb8a38d87
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120132/
  
Dropped by
SHA256 b9fd15e85d0dacada609ac5e5635cd8714200e9f539b1f9df4750ba4f3586654

Comments