MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94235ec4fec92239bf53cbe18e6b698f30ca30d07602cc123dcf76d728bff41e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94235ec4fec92239bf53cbe18e6b698f30ca30d07602cc123dcf76d728bff41e
SHA3-384 hash: 3b8cf4d1042f75b924dd05e2724250f983f2ca7f314621a42351bf3d010b52299ad45a9807952908ace318deaac470db
SHA1 hash: e3f6712f4b177aaeafad68dfafee1235e34642a1
MD5 hash: 650b9d8e867e08c9135e3c5d93612f36
humanhash: alabama-sierra-pizza-cup
File name:PO.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:504'320 bytes
First seen:2021-04-07 05:53:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xXKpIV1Fn6OAVo1TyoJSq5Qbxn09z2OjI:B65o1DC909P
Threatray 4'591 similar samples on MalwareBazaar
TLSH 86B4E11E3B917A95D74C8FB3496B18D812F1821B702AF73F68C91BC8CE1675E132A527
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm58.hanmail.net
Sending IP: 203.133.181.17
From: Jaeho Lee <coat8023@daum.net>
Subject: KHE RFQ No. PG6432 PROJECT Reactor/ Heat exchangers/ Materials/Equipment _KOC JURASSIC PRF Algeria
Attachment: PG6432 KHE SHELL-RFQ-Project.cab (contains "PO.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 06:47:42 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/e61a3511-fd1e-4bf7-9bc4-acd97abd7d63

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.31962.28213.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Changing a file
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a window
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668241
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383053 Sample: PO.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 34 www.riseses.com 2->34 36 www.juli.world 2->36 38 2 other IPs or domains 2->38 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 4 other signatures 2->56 11 PO.exe 15 4 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 11->30 dropped 32 C:\Users\user\AppData\Local\...\PO.exe.log, ASCII 11->32 dropped 66 Writes to foreign memory regions 11->66 68 Allocates memory in foreign processes 11->68 70 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->70 72 Injects a PE file into a foreign processes 11->72 15 AddInProcess32.exe 11->15         started        signatures6 process7 signatures8 74 Modifies the context of a thread in another process (thread injection) 15->74 76 Maps a DLL or memory area into another process 15->76 78 Sample uses process hollowing technique 15->78 80 2 other signatures 15->80 18 explorer.exe 15->18 injected process9 dnsIp10 40 boxj66.com 212.95.146.158, 80 DDOSING-BGP-NETWORKUS Hong Kong 18->40 42 www.wholesaletreenursery.com 18->42 44 2 other IPs or domains 18->44 58 System process connects to network (likely due to code injection or exploit) 18->58 22 cscript.exe 12 18->22         started        signatures11 process12 dnsIp13 46 www.boxj66.com 22->46 48 boxj66.com 22->48 60 Modifies the context of a thread in another process (thread injection) 22->60 62 Maps a DLL or memory area into another process 22->62 64 Tries to detect virtualization through RDTSC time measurements 22->64 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94235ec4fec92239bf53cbe18e6b698f30ca30d07602cc123dcf76d728bff41e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 05:54:07 UTC
AV detection:
11 of 48 (22.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqrv5rh6zerdtp2tzpqy423jr4ymumgqoybmyer5z53nokf76qpa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1b1837b1504714c306a023b8488d15e81b939b6394ff511fb619fa38f264622a
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10
Formbook
59a6f0a402a4172f893c1747b51c7e1a7d6092fe091e1a9497067849efb5eec2
Formbook
8160be86cfef6146d2b7aad72e89cfe0a7cb7e11514107782d8cf7a372ea6c48
Formbook
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
Formbook
9cf07e6cbf0321dc63141d5d14b6df920c9c90ee178636def703946324fec78b
Formbook
a3d951fa76fbb0f24540b97767e2d327b9bdb2e6e93721cb3da4ac5370118dbc
Formbook
be21a04e569e33cd679253ccd203ce99370d66a800f911c7b5c8e45b6faae66b
Formbook
bf84393caee9b769b516681ec8998afe26c22255c405ea9a027608ccf38ea36b
Formbook
+ 4'581 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader agilenet loader rat
Link:
https://tria.ge/reports/210407-esltffpfv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.retro-e-scooter.com/sawc/
Unpacked files
SH256 hash:
94235ec4fec92239bf53cbe18e6b698f30ca30d07602cc123dcf76d728bff41e
MD5 hash:
650b9d8e867e08c9135e3c5d93612f36
SHA1 hash:
e3f6712f4b177aaeafad68dfafee1235e34642a1
Link:
https://www.unpac.me/results/9e8178dd-f7b2-453d-88e7-0cc0b7b7f618/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/94235ec4fec92239bf53cbe18e6b698f30ca30d07602cc123dcf76d728bff41e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

cab 2ccd14ce326ef6916b4d7daeb220bd498ca46f52c0f4ddd1855f21cd984221cc

Formbook

Executable exe 94235ec4fec92239bf53cbe18e6b698f30ca30d07602cc123dcf76d728bff41e

(this sample)

  
Dropped by
MD5 44a7fe299bb64d278bb22d6256c651e0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132744/
  
Dropped by
SHA256 2ccd14ce326ef6916b4d7daeb220bd498ca46f52c0f4ddd1855f21cd984221cc

Comments