MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234
SHA3-384 hash: 769b2e251764a85e450eba661e3cfb5cd257b1ed4c6029c748210aff58c9bc1a13582c4b8507dfde2393afa7412a03df
SHA1 hash: 5d166d7653e340585d672928097b16fb11c35533
MD5 hash: 0469a27bd0ef6dd387ba38e47614cb6c
humanhash: robert-red-angel-mountain
File name:New Order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:81'920 bytes
First seen:2020-08-19 09:26:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c8149470224a75976a8a826a88225a14 (13 x GuLoader, 1 x FormBook, 1 x Loki)
ssdeep 768:oz2aKHtQUKUcpIXihRQiQ/Fh9Xt9cI3xg2lEUgM+7JZs4qWe0DPtaaK:3THXKeirQiQ/Fl28hSUI7JtqYDPwT
Threatray 3'429 similar samples on MalwareBazaar
TLSH 69833B5270D48AF6F25D4F795F286FF900EABC30AC99C94365C43E1A3E77A44896432B
Reporter abuse_ch
Tags:exe FormBook Hotwinds


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hwsrv-760084.hostwindsdns.com
Sending IP: 104.168.145.121
From: info@hemoclan.com
Subject: New Order SELINT SRL P.O
Attachment: New Order.z (contains "New Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48336/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.5845.15366.26838.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
FormBook GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437254
Signature
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Yara detected VB6 Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271103 Sample: New Order.exe Startdate: 19/08/2020 Architecture: WINDOWS Score: 100 62 Malicious sample detected (through community Yara rule) 2->62 64 Yara detected GuLoader 2->64 66 Yara detected Generic Dropper 2->66 68 6 other signatures 2->68 12 New Order.exe 1 2 2->12         started        15 wscript.exe 2->15         started        process3 signatures4 94 Creates autostart registry keys with suspicious values (likely registry only malware) 12->94 96 Tries to detect Any.run 12->96 98 Hides threads from debuggers 12->98 17 New Order.exe 4 12->17         started        21 FORSVARSCHEFERS.exe 2 15->21         started        process5 file6 46 C:\Users\user\AppData\...\FORSVARSCHEFERS.exe, PE32 17->46 dropped 48 C:\Users\user\AppData\...\FORSVARSCHEFERS.vbs, ASCII 17->48 dropped 70 Tries to detect Any.run 17->70 72 Hides threads from debuggers 17->72 23 FORSVARSCHEFERS.exe 2 17->23         started        26 FORSVARSCHEFERS.exe 7 21->26         started        signatures7 process8 dnsIp9 80 Tries to detect Any.run 23->80 82 Tries to detect virtualization through RDTSC time measurements 23->82 84 Hides threads from debuggers 23->84 29 FORSVARSCHEFERS.exe 7 23->29         started        54 zqq8qq.by.files.1drv.com 26->54 56 onedrive.live.com 26->56 86 Modifies the context of a thread in another process (thread injection) 26->86 88 Maps a DLL or memory area into another process 26->88 90 Sample uses process hollowing technique 26->90 signatures10 process11 dnsIp12 58 zqq8qq.by.files.1drv.com 29->58 60 onedrive.live.com 29->60 100 Modifies the context of a thread in another process (thread injection) 29->100 102 Tries to detect Any.run 29->102 104 Maps a DLL or memory area into another process 29->104 106 3 other signatures 29->106 33 explorer.exe 29->33 injected signatures13 process14 dnsIp15 50 www.hanmisoga.com 33->50 52 www.eivissa.rocks 33->52 36 netsh.exe 33->36         started        39 cmd.exe 33->39         started        process16 signatures17 74 Modifies the context of a thread in another process (thread injection) 36->74 76 Maps a DLL or memory area into another process 36->76 78 Tries to detect virtualization through RDTSC time measurements 36->78 41 cmd.exe 1 36->41         started        process18 signatures19 92 Tries to detect virtualization through RDTSC time measurements 41->92 44 conhost.exe 41->44         started        process20
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 10:52:12 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tpv5nocabiboynuvrsgpa3j2xrszwrrnjax4uppyuote4qvt4i2a._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0098bf2ef8230d9bb30b451868272ffb271fe63a8c248bfc9ce569991c19f279
FormBook
0abe72d915f50b2a21fc3cafc52152db81bef2a16be4ccde68e64942bf927af1
FormBook
11e4389a0963c995ed5af62f1a93e53198e880b6f39fc120b60a8d68312e232f
FormBook
330cc7a94a8d40b4588313605d103e425e9a2530bf19e32b6cd61a786a6b8c04
FormBook
51f4e86285f8cb8a14a0d456beed9f15882e4ec7813bc24ff4c20a2389d1ccd0
FormBook
6023812166224ffe7f3ff3efacddccd27c4ae1f09aa2dc9e2f5c8557d6bb4382
FormBook
6e85d06aa422cfc42dafe910acf8de96a3224bc6eb8b5af7e7435c0881d7e7e6
FormBook
77168234eb706333e4835666a00a8fd8e110959660c97e5c5528ed3a3d0f5081
FormBook
97e006c5ca29100601289b632e22049f5d8f955c008073fea9791b13cd10849c
FormBook
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
FormBook
+ 3'419 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware persistence trojan stealer family:formbook
Link:
https://tria.ge/reports/200819-dqec212lr6/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sandrxy.com/yby/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z 909455781c8a185e0665c8bf3c645887218406396f197df33df2f66221129228

FormBook

Executable exe 9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/435572/
  
Dropped by
MD5 287809bf97df5f4ce63f842a09cac6c6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48336/
  
Dropped by
SHA256 909455781c8a185e0665c8bf3c645887218406396f197df33df2f66221129228

Comments