MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b7f56e3205d471169726432371e18b52971cf2f3eb01702429c741308b28fa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b7f56e3205d471169726432371e18b52971cf2f3eb01702429c741308b28fa7
SHA3-384 hash: 300e63eb0456de6219e7d743c1111871ef7791f43c3254c43bfa405e1e2710ea2498937b152b1f0c5c7b751827969005
SHA1 hash: ea5ad32b577a7f56f2c36055cbf793faa2af4789
MD5 hash: c371ed0c8ac27ae1b0efcecc55854f98
humanhash: lion-sixteen-cat-comet
File name:PO61120.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:955'392 bytes
First seen:2020-11-06 17:30:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 67d5442479fc433a7a577857b1e9e4b4 (3 x AZORult, 2 x Formbook, 1 x HawkEye)
ssdeep 12288:qKPlASZJsfVFsBW1CCyfKy77T5EVq9BJE8tmbK10areQ4UaGkxZ+yB44nLqCQ:FPOSyVFfCCBy77TdpTtmWBrvhKyyB44
Threatray 2'886 similar samples on MalwareBazaar
TLSH CD159F23F1A15C37C43326398C1B57A76E26BE102A2CD98EEBFD5D0C5F396817925293
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: slot0.ideeseet.com
Sending IP: 45.145.185.5
From: Jimco Racing Inc<purchase@jimcoracing.com>
Subject: PO no. 238275 Jimco Racing S.K
Attachment: PO61120.zip (contains "PO61120.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BackDoor.SpyBotNET.25.19927.29027.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523545
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 310873 Sample: PO61120.exe Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 34 www.trickynic.com 2->34 36 trickynic.com 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 4 other signatures 2->46 11 PO61120.exe 2->11         started        signatures3 process4 signatures5 54 Detected unpacking (changes PE section rights) 11->54 56 Maps a DLL or memory area into another process 11->56 58 Tries to detect virtualization through RDTSC time measurements 11->58 60 Contains functionality to detect sleep reduction / modifications 11->60 14 PO61120.exe 11->14         started        process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.fastqualityreporting.com 217.160.231.79, 49737, 80 ONEANDONE-ASBrauerstrasse48DE Germany 17->28 30 www.ziperr.com 204.11.56.48, 49738, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 17->30 32 www.savvy-gina.com 17->32 38 System process connects to network (likely due to code injection or exploit) 17->38 21 NETSTAT.EXE 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b7f56e3205d471169726432371e18b52971cf2f3eb01702429c741308b28fa7/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 13:28:53 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tn7vnyzalvdrc2lsmqzdohqywuuxdtzph2yboasctr2bgcfsr6tq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd
Formbook
2ca6ec7b8f70c8d16ad384a61e4c1cbb9ec02bd51e21648aa5f6af3fd40abd92
Formbook
3beb95c4f83e5f7d1af897311a6cd1d8abfb04c656ca73d7f4c8db6ad6e5d150
Formbook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
Formbook
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
a244a77f990bdec5f4f81d605990749206b6e5827e4bc140b9b4b2fbfdb0bb12
Formbook
c41015f034cca2ff33ce96e08ddb477a92a3fff678bd8e78a78d96bf69e613f1
Formbook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Formbook
+ 2'876 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201106-mk3g78zcvx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.highimpactinnovations.com/y6u/
Unpacked files
SH256 hash:
9b7f56e3205d471169726432371e18b52971cf2f3eb01702429c741308b28fa7
MD5 hash:
c371ed0c8ac27ae1b0efcecc55854f98
SHA1 hash:
ea5ad32b577a7f56f2c36055cbf793faa2af4789
Link:
https://www.unpac.me/results/ea33118d-60d3-43e5-bebf-93841ca0a786/
SH256 hash:
f6fd7a81145888f1b75adedf1ae4b8a1ecdb6313b7bc221cb32ba7217683dc54
MD5 hash:
3862cdc272b09f0089f27a0dbc945d6b
SHA1 hash:
3c4b0d0996eb05eef040675edbe0f29815578b6b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ea33118d-60d3-43e5-bebf-93841ca0a786/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip db50810233c511c75efda7d43427f0b07d43e90dfc6a661861807078d0faad43

Formbook

Executable exe 9b7f56e3205d471169726432371e18b52971cf2f3eb01702429c741308b28fa7

(this sample)

  
Dropped by
MD5 1a8c076c4e1fa7698a7c10a7067445ab
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 db50810233c511c75efda7d43427f0b07d43e90dfc6a661861807078d0faad43

Comments