MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e98384954932a0a9e5f921f257029bf45f721b0d279c8432c4eb5f1bf507795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e98384954932a0a9e5f921f257029bf45f721b0d279c8432c4eb5f1bf507795
SHA3-384 hash: e7cc5d706ff35639e1922dd19e2d22aa85876b9b9468228152daaabc804ae18e520c48e36ebf3240190f6bf671c96f00
SHA1 hash: 0cdf475a4766967164ffd6b61cbf95ab49b9d6b2
MD5 hash: eddf5707efb09aae5b194cb84db89374
humanhash: mockingbird-mobile-alaska-comet
File name:RFV9099311042.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:318'464 bytes
First seen:2021-01-14 20:03:27 UTC
Last seen:2021-01-18 11:53:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2087285a50d01bf3729a786c15ab23ed (6 x Formbook, 3 x RemcosRAT, 3 x Loki)
ssdeep 6144:/PDriWZT32WKa+AOApj0d8PAFqEFMVWFeThIKTNcDROPbbxwan7:/PaWZb2WKa+uPAFbMPtDNcDeb+an7
Threatray 3'348 similar samples on MalwareBazaar
TLSH 9C64F11472D2C072E0B5213024E8FBB36939E43113B454F7BBEC162B5FA47D06A797AA
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: server.allaboutoffice.gr
Sending IP: 94.130.138.183
From: info <info@ilemedical.it>
Reply-To: info <intemo.reymsa@gmail.com>
Subject: Sollecito Pagamento
Attachment: SOLICITUD DE COTIZACION.zip (contains "RFV9099311042.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFV9099311042.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 20:04:28 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/ce6a595f-9c84-4c81-965e-5661a1214cf4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112071/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.21454.9857.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581801
Signature
Antivirus detection for URL or domain
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339942 Sample: RFV9099311042.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 30 www.thibau4.xyz 2->30 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 3 other signatures 2->44 11 RFV9099311042.exe 1 2->11         started        signatures3 process4 signatures5 54 Maps a DLL or memory area into another process 11->54 56 Tries to detect virtualization through RDTSC time measurements 11->56 14 RFV9099311042.exe 11->14         started        17 conhost.exe 11->17         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 14->19 injected process8 dnsIp9 32 posdonanim.com 77.92.111.170, 49732, 80 TEKNOTEL-ASTeknotelTelekomunikasyonASTR Turkey 19->32 34 www.unitvn.com 112.213.89.130, 49735, 80 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 19->34 36 7 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 wscript.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9e98384954932a0a9e5f921f257029bf45f721b0d279c8432c4eb5f1bf507795/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t2mdqskusmvavhs7sipsk4bjx5c7oinq2j44qqzmj227dp2qo6kq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
Formbook
1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd
Formbook
2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2
Formbook
59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679
Formbook
5c03cc9cabc0adbcdb1597650f9fc5dd5c3b338a0e8558887a02fbb3be8c34c4
Formbook
6308def230fca10ddd70426bb31764afd2564530a7ff775cf28e5e958c5bd37a
Formbook
82b0bf0df7b8987197d19071dfda32b037ee3251291b08f6d979749635784e89
Formbook
b4028a328ab3e533631461c92c11f0594dbc1311ccb259bfe7e37c325c31a1d5
Formbook
b81777dd63f61edd70b7d1e24aaabb352c5c44cbfede6b813249144eea82c7ee
Formbook
e4974ddc809773cd725cfc7070ad545ddf4aa1fc211eb77a1eaae7b7fc1a019c
Formbook
+ 3'338 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210114-k69bf3xcs2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.unitvn.com/krc/
Unpacked files
SH256 hash:
9e98384954932a0a9e5f921f257029bf45f721b0d279c8432c4eb5f1bf507795
MD5 hash:
eddf5707efb09aae5b194cb84db89374
SHA1 hash:
0cdf475a4766967164ffd6b61cbf95ab49b9d6b2
Link:
https://www.unpac.me/results/341d8312-d525-426a-b0dc-f3725b4a94c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e98384954932a0a9e5f921f257029bf45f721b0d279c8432c4eb5f1bf507795

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip ecdf4af38a9f1628ab6c77dce0307ab5600c687bc352d8d45d299218b0604d99

Formbook

Executable exe 9e98384954932a0a9e5f921f257029bf45f721b0d279c8432c4eb5f1bf507795

(this sample)

  
Dropped by
MD5 397abedd74eeb8aae674a00371ada752
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ecdf4af38a9f1628ab6c77dce0307ab5600c687bc352d8d45d299218b0604d99
Cape
Cape
https://www.capesandbox.com/analysis/112071/

Comments