MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389
SHA3-384 hash: e77ca50af82a4e000f12614f1ae1fe6761d21e4bb75e080d00af3918f63bb706860bc0f94b9d875ba3896cea7e743c8e
SHA1 hash: e17782339164117645128597cfd22152c80cf229
MD5 hash: b36e69f884b74fe568bdb7fdb06362cb
humanhash: mockingbird-tango-robert-carpet
File name:ORDER7946ERA-LBT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:680'448 bytes
First seen:2021-04-08 07:02:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:aaZQNNAhe3LEPkvKHAfKAEBYjgVPbvpGFQUN0ijeLwfX:aaZQj93WkvKzIybBGCUqijeS
Threatray 4'657 similar samples on MalwareBazaar
TLSH 01E4CF367394DF54E17EB3384091120153F4B61BD312D64C3CAA71EE2E66BC1DBA6A8B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hbtovs.com
Sending IP: 111.90.139.164
From: Gloria Chan <Gloriachan@hbtovs.com>
Subject: Attached selected items and confirmed copy of Order and Sales Contract Draft for your reference.
Attachment: ORDER7946ERA-LBT.rar (contains "ORDER7946ERA-LBT.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER7946ERA-LBT.exe
Verdict:
Malicious activity
Analysis date:
2021-04-08 07:11:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f2ff4284-d61e-44c7-8989-8b37b8cd4bae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133056/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.634-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669645
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383753 Sample: ORDER7946ERA-LBT.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 41 www.japmenthe.com 2->41 43 japmenthe.com 2->43 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 11 other signatures 2->53 11 ORDER7946ERA-LBT.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\QRUZjOQK.exe, PE32 11->33 dropped 35 C:\Users\...\QRUZjOQK.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\Local\...\tmp707C.tmp, XML 11->37 dropped 39 C:\Users\user\...\ORDER7946ERA-LBT.exe.log, ASCII 11->39 dropped 65 Uses schtasks.exe or at.exe to add and modify task schedules 11->65 67 Tries to detect virtualization through RDTSC time measurements 11->67 69 Injects a PE file into a foreign processes 11->69 15 ORDER7946ERA-LBT.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Maps a DLL or memory area into another process 15->73 75 Sample uses process hollowing technique 15->75 77 Queues an APC in another process (thread injection) 15->77 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 45 www.ovvldbxmd.icu 20->45 55 System process connects to network (likely due to code injection or exploit) 20->55 57 Uses ipconfig to lookup or modify the Windows network settings 20->57 26 ipconfig.exe 20->26         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 06:45:28 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5ly467qg5odmyrdibwncucmph7lf4sar6ep7pgmelgrxqzdooeq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3d5aa5168803be81252e6f8c0d7100bbb9dd53558077557b5fb3fad255b402f4
Formbook
6c2f5bf673b3bbc31cf425259cd5a0262094e85a8bed03714c7b39712efc4beb
Formbook
85b4775a04277a6a2273bf9c72b75f9154dd3d89f6f504e08d6ef32588f8ca2a
Formbook
8fcade822dc1b07f474d920e50e3030f491983aad270ad6b9bb68755eb17998c
Formbook
9e54241184e45b1950037313896e0d2e864cc9d373f5a2f14b0af405094fd1a4
Formbook
c1b9977e66c9439e03addc95d4a6fc8b5325cacfdb040d74a973f678d45342ef
Formbook
c5ad7c8c7e25d194c60bf2c6eb8fa74f7ebe319a5e1727676a2470947dc8f331
Formbook
d68888aa1e155ac65bd1ddabcf05f61bfff65f79a11cc0ee099200c3da8c5d35
Formbook
e096e858f6e33e79359f9be68c43cdb8536c99a6282adb420496e11b12a4aa4c
Formbook
ea1dfb8b4d49ed0725305093b1a5466d5ab339ba2a5b125db5f3b87c42b874ea
Formbook
+ 4'647 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210408-k9ewz41q3a/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.valoremamma.com/cw3g/
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/0587ddc1-854f-4672-a402-2361c9f8f3b7/
SH256 hash:
9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389
MD5 hash:
b36e69f884b74fe568bdb7fdb06362cb
SHA1 hash:
e17782339164117645128597cfd22152c80cf229
Link:
https://www.unpac.me/results/0587ddc1-854f-4672-a402-2361c9f8f3b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 80e6305ec55a3249c1d90a7f6cbbe0411167a00c39bd655b8cfe70baa37fee64

Formbook

Executable exe 9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389

(this sample)

  
Dropped by
MD5 29674503187272d71bd1dcfa85e3438c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133056/
  
Dropped by
SHA256 80e6305ec55a3249c1d90a7f6cbbe0411167a00c39bd655b8cfe70baa37fee64

Comments