MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87cff75cb9c14763d12379d4f990b5c852756d0ccfb6cfb279c7eb60a63c5e69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87cff75cb9c14763d12379d4f990b5c852756d0ccfb6cfb279c7eb60a63c5e69
SHA3-384 hash: ec0d758cfd7b193b752f0f53ccea1e807f290900d848ac1263207bec71ff34c6bfa075235a6a6a9483ba52d4195c216a
SHA1 hash: 83095207075470cfdfabf38750280c7095416fee
MD5 hash: 822542f022ca16a6c70a20b0d1b817e3
humanhash: salami-football-fanta-neptune
File name:Purchase Orders.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:424'448 bytes
First seen:2021-04-04 16:50:30 UTC
Last seen:2021-04-05 13:20:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:QPY2y7iw34YyNuqyBsLWDRNb4OnCoCUk:/2yiwsNuPtfbM2k
Threatray 4'505 similar samples on MalwareBazaar
TLSH 7B94E0A0B305DBA9C5A947F78123A50383B6F4EE7813EFA24E9D51C52429B0C5CE9DD3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: europrovoli.eu
Sending IP: 103.99.1.141
From: info@europrovoli.eu
Subject: Re;Purchase Orders
Attachment: Purchase Orders.rar (contains "Purchase Orders.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Orders.exe
Verdict:
Malicious activity
Analysis date:
2021-04-04 16:51:44 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/122a2344-d8c2-4ca6-a114-59b339899cf8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132105/
Detection(s):
SecuriteInfo.com.Artemis822542F022CA.21496.30732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Launching cmd.exe command interpreter
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/850a4b3a-a24a-45d8-93fe-ceb1f82047b6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665633
Signature
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381744 Sample: Purchase Orders.exe Startdate: 04/04/2021 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Found malware configuration 2->52 54 13 other signatures 2->54 10 Purchase Orders.exe 6 2->10         started        process3 file4 32 C:\Users\user\AppData\...\qeAPlQnTzbXbYs.exe, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\...\tmp4669.tmp, XML 10->34 dropped 36 C:\Users\user\...\Purchase Orders.exe.log, ASCII 10->36 dropped 13 RegSvcs.exe 10->13         started        16 schtasks.exe 1 10->16         started        process5 signatures6 64 Modifies the context of a thread in another process (thread injection) 13->64 66 Maps a DLL or memory area into another process 13->66 68 Sample uses process hollowing technique 13->68 70 2 other signatures 13->70 18 explorer.exe 13->18 injected 22 conhost.exe 16->22         started        process7 dnsIp8 38 philliprobertdowell.com 162.241.127.8, 49757, 80 UNIFIEDLAYER-AS-1US United States 18->38 40 www.moodwinner.com 185.151.30.171, 49759, 80 TWENTYIGB United Kingdom 18->40 42 11 other IPs or domains 18->42 56 System process connects to network (likely due to code injection or exploit) 18->56 24 cmd.exe 12 18->24         started        signatures9 process10 dnsIp11 44 www.wildnstyle.com 24->44 46 wildnstyle.com 24->46 58 Modifies the context of a thread in another process (thread injection) 24->58 60 Maps a DLL or memory area into another process 24->60 62 Tries to detect virtualization through RDTSC time measurements 24->62 28 cmd.exe 1 24->28         started        signatures12 process13 process14 30 conhost.exe 28->30         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-04-04 15:28:10 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7h7oxfzyfdwhujdphkptefvzbjhk3imz63m7mtzy7vwbjr4lzuq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3755206dc18df104854e076d74799c1d83d6cb6acb22a7aa22ec595c56e31abc
Formbook
441a0a46bcdfdee8c8b6761798e75a65204eac43b47547557604f80f26b87e95
Formbook
52690c7636360e992167853a0f96c3c0622c65218d60274a21f02e7d07add66d
Formbook
5e7b6e81d3f73322d73bf013d67f76e211f0e539296e00a53d93585b0c167ba2
Formbook
67b662f28ef6c6a148443ebece272e63e7eeb9d366032b4366fe459b7c5c41f8
Formbook
8a79757beaf2ff4bf07fd6410a16358874d8e6725810c8141d47ff2365321a2e
Formbook
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
Formbook
a514741f5e99ded17c767b1159e98f86ae0b918fcff56f53d365e4744104f457
Formbook
c935e13396041731908b9fbb5c4e74c38b9f374eb9a47d419038ac539008c94c
Formbook
de3c81ef7e59a386f6572d4c095739d45493d90b03c348748200012ec165372f
Formbook
+ 4'495 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat
Link:
https://tria.ge/reports/210404-7dxpdgxy6n/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.bestleadsfunnel.com/n30n/
Unpacked files
SH256 hash:
77c8cd03a924373a08657bbbe9f0bfc89b00ff118837f75396d729fa1c92182f
MD5 hash:
f7aa41acb292b642ba19084205156d2c
SHA1 hash:
6a6abcb555f148a3c68b316fb8bc65c0ed1e3932
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3de0cb96-a3cf-4420-b474-04ddc184ef45/
Parent samples :
52690c7636360e992167853a0f96c3c0622c65218d60274a21f02e7d07add66d
30a292327e2f65edf2c2cfbd07b60435b1845dbd504b15ad47116ad9d5fb1084
8a79757beaf2ff4bf07fd6410a16358874d8e6725810c8141d47ff2365321a2e
87cff75cb9c14763d12379d4f990b5c852756d0ccfb6cfb279c7eb60a63c5e69
83238525ac7665d9b4119a287e45aa95a04bc971dd46fde4cebffe92d337f425
SH256 hash:
52e8d38a163a6d07ec681b2d97c9a2d3e691b61550e1bd9eae7171ae19da214f
MD5 hash:
d5fc517c5a71fd32bf0abff4666def5b
SHA1 hash:
b596a6c144282518e918e205493f91ec28ec3777
Link:
https://www.unpac.me/results/3de0cb96-a3cf-4420-b474-04ddc184ef45/
SH256 hash:
00707d997b691c28bc51bde5f419d572d8e34bbc0d5ba6dfacd213f2460f6eb6
MD5 hash:
32a4d8ce734c06fe20c3fa793eab13ad
SHA1 hash:
527326cbeb517a6ca062286a63a995bc858b17fe
Link:
https://www.unpac.me/results/3de0cb96-a3cf-4420-b474-04ddc184ef45/
SH256 hash:
87cff75cb9c14763d12379d4f990b5c852756d0ccfb6cfb279c7eb60a63c5e69
MD5 hash:
822542f022ca16a6c70a20b0d1b817e3
SHA1 hash:
83095207075470cfdfabf38750280c7095416fee
Link:
https://www.unpac.me/results/3de0cb96-a3cf-4420-b474-04ddc184ef45/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar f7bb9990c59025e56501202f44741861466e60a89d3bfa64b75dce4f4b0153fe

Formbook

Executable exe 87cff75cb9c14763d12379d4f990b5c852756d0ccfb6cfb279c7eb60a63c5e69

(this sample)

  
Dropped by
MD5 cb133736b33be9676d62bcb2c573823c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f7bb9990c59025e56501202f44741861466e60a89d3bfa64b75dce4f4b0153fe
Cape
Cape
https://www.capesandbox.com/analysis/132105/

Comments