MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
SHA3-384 hash: fd1e256b5f70f7a28939d1f51326cc70ddd6c391a8b36ae41d01fa732711b040c9b9c3e4dfa48829594f6f61a9221b0f
SHA1 hash: 77495e6abe72f343ceb9c02afe26a3fee4c9f24f
MD5 hash: 1c4d48a7663633e0cf2f80d11dc3c715
humanhash: north-idaho-thirteen-leopard
File name:SOA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:857'600 bytes
First seen:2020-10-18 10:51:16 UTC
Last seen:2020-10-18 12:14:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 335145da1c22af20a3083207481af019 (1 x Formbook)
ssdeep 12288:duMmpnlfockVKfGUpX9c/2MNgNk6rxyMpsX28WOOZHbDF7CYdb:d5Ol3kVKnjMm3rxyIsmMORDF7CYdb
Threatray 2'509 similar samples on MalwareBazaar
TLSH 24059E22A2B14EF3C1231E7D9C2B5764D826FE7D3A2479462BF51C4C5F396903C2A297
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: uzlinshpl01.uzcloud.uz
Sending IP: 185.74.4.8
From: designer@sawaindustry.ae
Subject: New Order//Statement Of Account
Attachment: SOA.gz (contains "SOA.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72640/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Launching the process to change network settings
Setting browser functions hooks
Possible injection to a system process
Forced shutdown of a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494621
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299760 Sample: SOA.exe Startdate: 18/10/2020 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 6 other signatures 2->91 14 SOA.exe 2->14         started        process3 signatures4 117 Detected unpacking (changes PE section rights) 14->117 119 Maps a DLL or memory area into another process 14->119 121 Tries to detect virtualization through RDTSC time measurements 14->121 123 Contains functionality to detect sleep reduction / modifications 14->123 17 SOA.exe 14->17         started        19 SOA.exe 14->19         started        process5 signatures6 22 SOA.exe 17->22         started        93 Modifies the context of a thread in another process (thread injection) 19->93 95 Maps a DLL or memory area into another process 19->95 97 Sample uses process hollowing technique 19->97 99 Queues an APC in another process (thread injection) 19->99 25 explorer.exe 19->25 injected process7 dnsIp8 103 Maps a DLL or memory area into another process 22->103 28 SOA.exe 22->28         started        30 SOA.exe 22->30         started        67 www.jur03.com 23.107.38.13, 49761, 80 LEASEWEB-USA-LAX-11US United States 25->67 69 strongorganiccoffee.com 34.102.136.180, 49769, 49770, 80 GOOGLEUS United States 25->69 71 5 other IPs or domains 25->71 105 System process connects to network (likely due to code injection or exploit) 25->105 33 netsh.exe 25->33         started        35 colorcpl.exe 25->35         started        37 control.exe 25->37         started        39 2 other processes 25->39 signatures9 process10 signatures11 41 SOA.exe 28->41         started        125 Sample uses process hollowing technique 30->125 127 Modifies the context of a thread in another process (thread injection) 33->127 129 Maps a DLL or memory area into another process 33->129 131 Tries to detect virtualization through RDTSC time measurements 33->131 44 cmd.exe 1 33->44         started        process12 signatures13 107 Maps a DLL or memory area into another process 41->107 46 SOA.exe 41->46         started        48 SOA.exe 41->48         started        51 conhost.exe 44->51         started        process14 signatures15 53 SOA.exe 46->53         started        73 Modifies the context of a thread in another process (thread injection) 48->73 75 Maps a DLL or memory area into another process 48->75 77 Sample uses process hollowing technique 48->77 process16 signatures17 101 Maps a DLL or memory area into another process 53->101 56 SOA.exe 53->56         started        58 SOA.exe 53->58         started        process18 signatures19 61 SOA.exe 56->61         started        109 Modifies the context of a thread in another process (thread injection) 58->109 111 Maps a DLL or memory area into another process 58->111 113 Sample uses process hollowing technique 58->113 process20 signatures21 115 Maps a DLL or memory area into another process 61->115 64 SOA.exe 61->64         started        process22 signatures23 79 Modifies the context of a thread in another process (thread injection) 64->79 81 Maps a DLL or memory area into another process 64->81 83 Sample uses process hollowing technique 64->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda/
Threat name:
Win32.Trojan.LokibotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 07:27:09 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rx2xkiax27yihxnnmk4eepvhccoigdn43sr774hoplxi2fe733na._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
1e099b3ffd5c33889e0e3c3dda64554300169b3802dcaabc8da9a8d35d126b31
Formbook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
Formbook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
Formbook
7346b3b5523c501e13b4ad1e8ebd685711bc168135f818685b9937d19304883b
Formbook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
9a1bbd02f1dc5ae62f13a00f38067354bf8a754e72e3ebee49a8b6aaa7b7e41f
Formbook
bfae046475f1458c460cf4eed534a48c8e769fbfc622138170c3945a4ad61a90
Formbook
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
Formbook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Formbook
+ 2'499 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201018-a6mb2agt3j/
Behaviour
Enumerates system info in registry
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.strongorganiccoffee.com/e9m/
Unpacked files
SH256 hash:
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
MD5 hash:
1c4d48a7663633e0cf2f80d11dc3c715
SHA1 hash:
77495e6abe72f343ceb9c02afe26a3fee4c9f24f
Link:
https://www.unpac.me/results/601eb4f9-036f-4966-8222-da46767b78a8/
SH256 hash:
3ffbc72cd77a25f451c560ada0a757f7234977533f3fe1223e9e99df603c480e
MD5 hash:
78b7c4cf24404deacea9c4ec64a79aab
SHA1 hash:
b636e38b4b83703ade7f8e699f99e6959880fb5c
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/601eb4f9-036f-4966-8222-da46767b78a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz f33ce427c9f06d136e5d57206dc4ff244219ab6cd10304a84ef6abc22078fe14

Formbook

Executable exe 8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda

(this sample)

  
Dropped by
MD5 d586d25e4affda3039b628b6c338ff59
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72640/
  
Dropped by
SHA256 f33ce427c9f06d136e5d57206dc4ff244219ab6cd10304a84ef6abc22078fe14

Comments