MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c544787dc8afb7c1984cefedcdaa5bc28b7cdb2b57bf3c4fb5b158c02e3444d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c544787dc8afb7c1984cefedcdaa5bc28b7cdb2b57bf3c4fb5b158c02e3444d
SHA3-384 hash: dec0036c1ce4f88826f29269d48a76baadfd3e23b29e9dba70cd5b084483da9cd99c22d6273ad2c2a770467baa8c7a2f
SHA1 hash: 5beddedd0e35f6ca100b8e1b0bba09706435f3bf
MD5 hash: 1bd3aaf000ed6d58b733dfead9e3433b
humanhash: tango-potato-bluebird-speaker
File name:PROFORMA INVOICE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:765'952 bytes
First seen:2021-03-02 08:11:35 UTC
Last seen:2021-03-02 09:27:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 6144:d53m6slKhDa64JLyGt1yozKI8s8l0I1/1l1ffXCIhvUv01lGCt01XRZIQWGg0YXs:mSN4byozzkhphvUvUZa1zIGoKbRysN
Threatray 3'984 similar samples on MalwareBazaar
TLSH 61F4D0F432B98697E5AE8FB4DD8C217022F0687CF6C0D24DBDE96A1C56A2350465C3BD
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: dimmandiri.com
Sending IP: 45.137.22.36
From: "Pan Sovannareth" <mail@dimmandiri.com>
Subject: The PI of purchase order from UNIS company
Attachment: PROFORMA INVOICE.Z (contains "PROFORMA INVOICE.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PROFORMA INVOICE.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-02 08:21:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/051ce8fd-9870-4b8f-b497-f34ae56d9a96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120862/
Detection(s):
SecuriteInfo.com.Variant.Bulz.378746.16186.93.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/623449
Signature
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 360714 Sample: PROFORMA INVOICE.exe Startdate: 02/03/2021 Architecture: WINDOWS Score: 100 36 www.techaidinc.com 2->36 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 10 other signatures 2->46 11 PROFORMA INVOICE.exe 3 2->11         started        signatures3 process4 file5 28 C:\Users\user\...\PROFORMA INVOICE.exe.log, ASCII 11->28 dropped 14 PROFORMA INVOICE.exe 11->14         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.meblogwire.com 185.182.56.12, 49752, 80 ASTRALUSNL Netherlands 17->30 32 www.powersdevelopments.com 17->32 34 2 other IPs or domains 17->34 38 System process connects to network (likely due to code injection or exploit) 17->38 21 mstsc.exe 17->21         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c544787dc8afb7c1984cefedcdaa5bc28b7cdb2b57bf3c4fb5b158c02e3444d/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-02 02:52:56 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=trkepb64rl5xygmez37nzwvfxqulptnswv57hrh3lmkyyaxdirgq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
09715a97873a089c9dc80219175d50508628f4f794639c2e725bad85d68804c2
Formbook
0ef4f3934342133702e07d176450b7304d5f85bc78652821356f9f046d5367b4
Formbook
125b3f2e9eef8a9a9ef6c677fd9a30af2f153284c727aa914329e77bfe2ac49d
Formbook
27084ca2efd9f211569b913d31d8caee75cb773e73367c3f6cd40a78889a1934
Formbook
65dbaf77c991e5737ecf9041dea34a7e9eca1e38925ff69340435a3cff1314a3
Formbook
965df8ebef029defa94503159ecc0bb6d34368723093287b6b812983ed3fdd77
Formbook
9f38ade8e53d28eef33a81e0559b92b44fa878ae9b61fadd3bb245d33486e2c0
Formbook
a1db821171c7bd2950fad26899fbbc88c787f0cc7d869ee9b29f86bf09ebb92b
Formbook
b5ac8902c4d239f5f72366876e99a586d3aaafe45c9a9e098c8ded9a2db7615c
Formbook
d746f1d3cdebbe05d98d18fc189e42ec8b0c2865abe01e28011da58b3d8c71b4
Formbook
+ 3'974 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210302-tvkn4jaq9e/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.onlineordersecrets.com/y04g/
Unpacked files
SH256 hash:
f9d949d2f56c449c5d346bb93ed04d38426f563b022dd179ae330dab46682c3b
MD5 hash:
871e23d748ba756eaab5777708f250f8
SHA1 hash:
c9816d4ab38541aaab9aa3eab7cb4898d0b72e4a
Link:
https://www.unpac.me/results/ab07182a-755f-4b00-be96-2ff96ef4431b/
SH256 hash:
9c544787dc8afb7c1984cefedcdaa5bc28b7cdb2b57bf3c4fb5b158c02e3444d
MD5 hash:
1bd3aaf000ed6d58b733dfead9e3433b
SHA1 hash:
5beddedd0e35f6ca100b8e1b0bba09706435f3bf
Link:
https://www.unpac.me/results/ab07182a-755f-4b00-be96-2ff96ef4431b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/9c544787dc8afb7c1984cefedcdaa5bc28b7cdb2b57bf3c4fb5b158c02e3444d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z ee8fa79b46f58568694a1555e121ac033419c0a6d3ca02989a8433f0008613fc

Formbook

Executable exe 9c544787dc8afb7c1984cefedcdaa5bc28b7cdb2b57bf3c4fb5b158c02e3444d

(this sample)

  
Dropped by
MD5 c217fd52759a513e2680af0b0d6a9c82
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/120862/
  
Dropped by
SHA256 ee8fa79b46f58568694a1555e121ac033419c0a6d3ca02989a8433f0008613fc

Comments