MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9afbedb7d1a76e7bd59441e83ec3124af0e16244870e61743cd590a64513c0c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9afbedb7d1a76e7bd59441e83ec3124af0e16244870e61743cd590a64513c0c1
SHA3-384 hash: a0e717c338a87ba1730b0b2eee4671a014843fb1fac8eb933d2c0f8fd27ba87ea730b04b0ee2da187cd4fe617199b4f4
SHA1 hash: 0be26a25eca578b3af468ce0920c5c1f88c9ef35
MD5 hash: 30a2187ec67c41fa1e77a7068e745e9c
humanhash: hamper-fourteen-papa-mexico
File name:Info.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'038'848 bytes
First seen:2021-03-16 13:56:08 UTC
Last seen:2021-03-16 15:37:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:G/3T6Q86POa6x0d90HssylB28kXL26+6O0j7VY1:g3THEd22NLl+6O0jJM
Threatray 4'182 similar samples on MalwareBazaar
TLSH E8257A22E694AA70F03C73754531133183FDAD42A622EABD7E9971CD18B56C146F3EB2
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.steelpipeskzn.com
Sending IP: 89.45.4.134
From: DHL EXPRESS INC <srp@rolberman.pw>
Subject: Delayed DHL Shipment Reciept
Attachment: Info.xz (contains "Info.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Info.exe
Verdict:
No threats detected
Analysis date:
2021-03-16 13:58:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/90ac05d4-89a8-4ba7-a486-2db59005fef2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.19677.25248.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f0499e3-66f1-47c0-abd4-50376aebf2c5
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/640781
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 369364 Sample: Info.exe Startdate: 16/03/2021 Architecture: WINDOWS Score: 100 36 www.tritham5s.online 2->36 38 ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com 2->38 40 dns.ladipage.vn 2->40 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 5 other signatures 2->54 11 Info.exe 3 2->11         started        signatures3 process4 signatures5 58 Writes to foreign memory regions 11->58 60 Allocates memory in foreign processes 11->60 62 Injects a PE file into a foreign processes 11->62 14 RegSvcs.exe 11->14         started        17 RegSvcs.exe 11->17         started        19 RegSvcs.exe 11->19         started        21 RegSvcs.exe 11->21         started        process6 signatures7 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 Queues an APC in another process (thread injection) 14->76 23 explorer.exe 14->23 injected 78 Tries to detect virtualization through RDTSC time measurements 17->78 process8 dnsIp9 42 www.ayaancash.com 103.6.168.114, 49724, 80 IPTPNL Gibraltar 23->42 44 www.scammedabroad.com 23->44 46 4 other IPs or domains 23->46 56 System process connects to network (likely due to code injection or exploit) 23->56 27 msdt.exe 23->27         started        30 autofmt.exe 23->30         started        signatures10 process11 signatures12 64 Modifies the context of a thread in another process (thread injection) 27->64 66 Maps a DLL or memory area into another process 27->66 68 Tries to detect virtualization through RDTSC time measurements 27->68 32 cmd.exe 1 27->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9afbedb7d1a76e7bd59441e83ec3124af0e16244870e61743cd590a64513c0c1/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-16 13:57:05 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tl563n6ru5xhxvmuihud5qysjlyocyseq4hgc5b42wikmritydaq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
220f3d2b4e15b67592dc527153c3b7107d1465ef90339b8c00c0db2f9cc245fc
Formbook
38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
Formbook
4219d83b725625bc780dbf37cb794fb68b289697d37372ba44a496af27bc7827
Formbook
5bbf0eea1cd9e3b88c256c635e55f41d220107aebed5e8f64aff95311ab2e431
Formbook
5e03e3c0687c08d09b2a00cbd68c0965fb690d3d9cf1d3aa4bf48725f56ce0e0
Formbook
703170d16b28086934737a474038f62654f595f1f5b30b0115806187022d1df6
Formbook
8955c9bf9356b9ffa1823e1ef44c4232ea516130f4ccca9d3ea995702aaee6e6
Formbook
de1c4a327916e1a5b5d900b4eba280a2ea8455390e3e5e4e4266e2d2aa11d681
Formbook
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
Formbook
eba046a1103330eec33d061399ec4388c9bcfd7a514c3b9745b6330c22423c8f
Formbook
+ 4'172 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210316-e3r7dgscrn/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sakkerhet.com/l80/
Unpacked files
SH256 hash:
2b43013edb5706a946f4e523a1a219b31fe2a7e05c48884c048882b3c1327655
MD5 hash:
b7159eb14fe565d4e233604b629bbd8a
SHA1 hash:
64f82c67e6c7cbc078141162a49bffcee3d9ebb9
Link:
https://www.unpac.me/results/30da42fe-c282-4519-a80c-20a2fac9e31d/
SH256 hash:
9afbedb7d1a76e7bd59441e83ec3124af0e16244870e61743cd590a64513c0c1
MD5 hash:
30a2187ec67c41fa1e77a7068e745e9c
SHA1 hash:
0be26a25eca578b3af468ce0920c5c1f88c9ef35
Link:
https://www.unpac.me/results/30da42fe-c282-4519-a80c-20a2fac9e31d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/9afbedb7d1a76e7bd59441e83ec3124af0e16244870e61743cd590a64513c0c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

dfbc4051e16d1f55e44cf955f72c342e

Formbook

Executable exe 9afbedb7d1a76e7bd59441e83ec3124af0e16244870e61743cd590a64513c0c1

(this sample)

  
Dropped by
MD5 dfbc4051e16d1f55e44cf955f72c342e
  
Delivery method
Distributed via e-mail attachment

Comments