MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95eaab8711de8becc8c2625b90d9f44f5d6c50505a8939dfc3528adada49ed4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95eaab8711de8becc8c2625b90d9f44f5d6c50505a8939dfc3528adada49ed4d
SHA3-384 hash: c08fc9fc5bd24107a6a732218efb82383e59c94ba58af6bab16b1a96d8c5c63b7b2f8703369721c8183e2ff3e1f8fe60
SHA1 hash: c6a77a17799d78af8ff257f7532b29ff3ca0adb6
MD5 hash: 29f458145062f817b0511602f180f653
humanhash: xray-september-alpha-west
File name:moses.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:570'535 bytes
First seen:2020-11-18 12:35:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 12288:WanuSFASUiNJkZ6sQkuYwJTKTW/y9YpS1/y2Ef2DemD8o7sQdPaXAJ:ECdJkZ6sQkuY+TKTW/yWE/of83lsIh
Threatray 3'244 similar samples on MalwareBazaar
TLSH 60C42359AA91ECFECA2609F42831B94743FB6B8814905A6517543B7FBCF2C779C2C087
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail.jetmails.online
Sending IP: 160.251.10.171
From: Kwon Cheolsang <admin@jetmails.online>
Subject: re:re: new order
Attachment: New order.zip (contains "moses.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541118
Signature
Creates executable files without a name
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 319662 Sample: moses.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 41 www.hiperceramica.com 2->41 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 2 other signatures 2->63 11 moses.exe 65 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\DrongoAccord.dll, PE32 11->33 dropped 35 C:\Users\user\AppData\Local\Temp\...\.dll, GIF 11->35 dropped 37 C:\Users\user\AppData\...\vswebdesignedui.dll, PE32 11->37 dropped 39 8 other files (none is malicious) 11->39 dropped 73 Creates executable files without a name 11->73 15 rundll32.exe 11->15         started        signatures6 process7 signatures8 75 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->75 77 Hijacks the control flow in another process 15->77 79 Maps a DLL or memory area into another process 15->79 18 cmd.exe 15->18         started        process9 signatures10 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->49 51 Modifies the context of a thread in another process (thread injection) 18->51 53 Maps a DLL or memory area into another process 18->53 55 3 other signatures 18->55 21 msiexec.exe 18->21         started        24 explorer.exe 18->24 injected process11 dnsIp12 65 Modifies the context of a thread in another process (thread injection) 21->65 67 Maps a DLL or memory area into another process 21->67 69 Tries to detect virtualization through RDTSC time measurements 21->69 27 cmd.exe 1 21->27         started        43 www.sulehome.com 154.214.81.76, 49702, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 24->43 45 xiaopoplar.xyz 148.66.138.196, 49703, 80 AS-26496-GO-DADDY-COM-LLCUS Singapore 24->45 47 www.xiaopoplar.xyz 24->47 71 System process connects to network (likely due to code injection or exploit) 24->71 29 autochk.exe 24->29         started        signatures13 process14 process15 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95eaab8711de8becc8c2625b90d9f44f5d6c50505a8939dfc3528adada49ed4d/
Threat name:
Win32.Trojan.Delikle
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 12:21:44 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxvkxbyr32f6zsgcmjnzbwpuj5owyucqlkettx6dkkfnvwsj5vgq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2cc0ceea32e11e6a3e25097f9628105a81d641a7333e1e15678fac797f4e7abe
Formbook
414578aa9e1ab74c43ae636f64758a5a2dd59ab81619aa054de1fb6c9140f2e6
Formbook
5806ff817e0b0c3c57e727b04c77411487179c3676150f3f1cf536d3fac33fa5
Formbook
681b37be0d24067f1cb3b29fa998c9ff305841c53a686ac68c295f0784abf40e
Formbook
6847d25820be1a4d252df58d3652e103f33af5a43f12febeae71ac66385b0380
Formbook
72ec3dcd3d7a197c45c66605330968f86044d6a2ec37bf843e33b7f4668781f9
Formbook
a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
Formbook
deee3ad263c3947b20580cce3310c53219217e21588479e7152eda86b9f6f08e
Formbook
e66a524df69a19ea2fc31787e557c8738473af8e4dc7e5ca87619910b3f0a121
Formbook
ebd88634ecfbdc7e88bca32a0b22fa35e24c9feb309799128f3d12d2cceac224
Formbook
+ 3'234 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201118-37xvtbe3zj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.lightmeets.com/c237/
Unpacked files
SH256 hash:
95eaab8711de8becc8c2625b90d9f44f5d6c50505a8939dfc3528adada49ed4d
MD5 hash:
29f458145062f817b0511602f180f653
SHA1 hash:
c6a77a17799d78af8ff257f7532b29ff3ca0adb6
Link:
https://www.unpac.me/results/cd597d4a-fd81-4ddd-b26e-5267b6d55bb4/
SH256 hash:
12d49d8875b05bc79097828a718dae2b768b34dd3e2cd9873bfe2c6171dc96fb
MD5 hash:
3734ebecc7faab617a8f4d91e535b37d
SHA1 hash:
ca15cdc5b70a91ff63f2f0777865145eebbeeb21
Link:
https://www.unpac.me/results/cd597d4a-fd81-4ddd-b26e-5267b6d55bb4/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip cec55b9a7ef4de3b8cc4e707d18ce45b937690fbcd16af321c0f3deaf2bbb98e

Formbook

Executable exe 95eaab8711de8becc8c2625b90d9f44f5d6c50505a8939dfc3528adada49ed4d

(this sample)

  
Dropped by
MD5 3695739759e9c24cb69a0128f82e8759
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cec55b9a7ef4de3b8cc4e707d18ce45b937690fbcd16af321c0f3deaf2bbb98e

Comments