MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8999ed496fea2ccadec059acdc62e783aa549c93f301f6fc175d15ecdc2fbb81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8999ed496fea2ccadec059acdc62e783aa549c93f301f6fc175d15ecdc2fbb81
SHA3-384 hash: 9ff162df62841a1a7f6122824a4128ed7ada58bcf4c70e20a4cefe6e39ab1bed662b9ca815670f04b5a4c76887989b9f
SHA1 hash: 7e6f02c100e9733c3da35bce1d26d680f23b3e18
MD5 hash: 0a7e119be75a3f777d38f0c7023faed9
humanhash: sweet-delaware-arkansas-lion
File name:IMG_01670_Scanned.doc
Download: download sample
Signature Formbook
Create hunting rule
File size:1'028'000 bytes
First seen:2021-02-22 12:52:10 UTC
Last seen:Never
File type:Word file doc
MIME type:text/rtf
ssdeep 12288:Byyhw4akbGZKo0/3H08sEHtZy0VcHRosVHxdwmPYCWBqiA8JiA8H:Bw4LBN7HNZBc9xdwYUqQ2
TLSH 0C2508B889CA00A4F39F80207DEFBC6011B7F4DBDECA5D6003BDE5715AA9A532D8594D
Reporter abuse_ch
Tags:doc FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 311.gvuwx.ml
Sending IP: 143.198.16.61
From: kimmon@rclgroup.com
Subject: New order # 01670.
Attachment: IMG_01670_Scanned.doc

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
False
Detection(s):
Sanesecurity.Malware.27301.RtfHeur.BadVer.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.FakeRTF-2.UNOFFICIAL
Create hunting rule

MiscreantPunch.RTF.2017-0199.Obfus.170830.UNOFFICIAL
Create hunting rule

MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.RTFFakeVersionWithObjUpdateUKSurfMix.20200514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Result
Verdict:
Malicious
File Type:
Fake RTF File
Link:
https://app.docguard.net/8999ed496fea2ccadec059acdc62e783aa549c93f301f6fc175d15ecdc2fbb81/results/dashboard
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614074
Signature
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a URL shortener service
Contains functionality to capture screen (.Net source)
Document exploit detected (process start blacklist hit)
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Powershell downloading file from url shortener site
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Very long command line found
Yara detected Beds Obfuscator
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356051 Sample: IMG_01670_Scanned.doc Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 79 www.hollyspringsedfoundation.com 2->79 81 hollyspringsedfoundation.com 2->81 83 2 other IPs or domains 2->83 101 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->101 103 Found malware configuration 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 15 other signatures 2->107 12 EXCEL.EXE 2 3 2->12         started        15 EXCEL.EXE 13 3 2->15         started        17 EXCEL.EXE 2->17         started        19 2 other processes 2->19 signatures3 process4 signatures5 133 Suspicious powershell command line found 12->133 135 Very long command line found 12->135 137 Tries to download and execute files (via powershell) 12->137 21 powershell.exe 7 12->21         started        139 Document exploit detected (process start blacklist hit) 15->139 23 powershell.exe 16 7 15->23         started        28 powershell.exe 17->28         started        process6 dnsIp7 30 84675.exe 2 21->30         started        91 blog.srinathenterprises.in 35.200.172.247, 443, 49168, 49169 GOOGLEUS United States 23->91 93 bit.ly 67.199.248.10, 49167, 49170, 80 GOOGLE-PRIVATE-CLOUDUS United States 23->93 77 C:\Users\user\AppData\Local\Temp\84675.exe, PE32 23->77 dropped 123 Powershell drops PE file 23->123 33 84675.exe 2 23->33         started        file8 signatures9 process10 signatures11 141 Injects a PE file into a foreign processes 30->141 35 84675.exe 30->35         started        38 powershell.exe 7 30->38         started        41 84675.exe 30->41         started        43 84675.exe 30->43         started        143 Multi AV Scanner detection for dropped file 33->143 145 Machine Learning detection for dropped file 33->145 147 Tries to detect virtualization through RDTSC time measurements 33->147 45 powershell.exe 7 33->45         started        47 84675.exe 33->47         started        49 84675.exe 33->49         started        51 3 other processes 33->51 process12 file13 109 Modifies the context of a thread in another process (thread injection) 35->109 111 Maps a DLL or memory area into another process 35->111 113 Sample uses process hollowing technique 35->113 115 Queues an APC in another process (thread injection) 35->115 53 explorer.exe 35->53 injected 75 C:\Users\user\AppData\Roaming\...\Drivers.exe, PE32 38->75 dropped 117 Drops PE files to the startup folder 45->117 119 Powershell drops PE file 45->119 signatures14 process15 dnsIp16 85 www.thetrainertailor.com 109.68.33.25, 49173, 80 GD-EMEA-DC-LD5GB United Kingdom 53->85 87 bilaltahirofficial.com 184.168.131.241, 49174, 49178, 80 AS-26496-GO-DADDY-COM-LLCUS United States 53->87 89 12 other IPs or domains 53->89 121 System process connects to network (likely due to code injection or exploit) 53->121 57 Drivers.exe 53->57         started        60 rundll32.exe 53->60         started        62 help.exe 53->62         started        signatures17 process18 signatures19 125 Injects a PE file into a foreign processes 57->125 64 Drivers.exe 57->64         started        67 powershell.exe 57->67         started        69 Drivers.exe 57->69         started        71 Drivers.exe 57->71         started        127 Modifies the context of a thread in another process (thread injection) 60->127 129 Maps a DLL or memory area into another process 60->129 131 Tries to detect virtualization through RDTSC time measurements 60->131 73 cmd.exe 60->73         started        process20 signatures21 95 Modifies the context of a thread in another process (thread injection) 64->95 97 Maps a DLL or memory area into another process 64->97 99 Sample uses process hollowing technique 64->99
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8999ed496fea2ccadec059acdc62e783aa549c93f301f6fc175d15ecdc2fbb81/
Threat name:
Document-RTF.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 12:10:49 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgm62slp5iwmvxwalgwnyyxhqovfjhet6ma7n7axluk6zxbpxoaq._file
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210222-4bla31kwba/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Beds Protector Packer
Xloader Payload
Formbook
Process spawned unexpected child process
Xloader
Malware Config
C2 Extraction:
http://www.unicom-group.com/mt6e/
Dropper Extraction:
http://bit.ly/3duA4tQ
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Bloodhound
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8999ed496fea2ccadec059acdc62e783aa549c93f301f6fc175d15ecdc2fbb81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2
Create hunting rule
Author:ditekSHen
Description:detects CVE-2017-8759 weaponized RTF documents.
Rule name:INDICATOR_RTF_MalVer_Objects
Create hunting rule
Author:ditekSHen
Description:Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Word file doc 8999ed496fea2ccadec059acdc62e783aa549c93f301f6fc175d15ecdc2fbb81

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments