MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a078d966a3ac5a7ac639b01ba4d3230c7554d7d75e9e7f59dc35b623aec8dbda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	a078d966a3ac5a7ac639b01ba4d3230c7554d7d75e9e7f59dc35b623aec8dbda
SHA3-384 hash:	66572db8cc539b39acda0bbc90bde7277425200d85ccebf6881a72d5a931e994388835b3aa537bfc3504d7918f7331c1
SHA1 hash:	3b1bc94e7565aaf7cbe293dba32fca871ecf704d
MD5 hash:	b86abf15be6a1c7027e7a89ea3d821ca
humanhash:	fix-aspen-sink-bulldog
File name:	Mv Maersk Kleven V949E_pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	980'992 bytes
First seen:	2021-01-15 07:15:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:KcgTsI99QeuQABwaElE9Yt9gusNqdw/bZwn:KcgTsmJuQAallzt9g5cS+
Threatray	3'415 similar samples on MalwareBazaar
TLSH	5925AE7C27BBBE4CD0791AB60EE1582707623D1625F8C61E0CD97ECA0576B401DA9EB3
Reporter	abuse_ch
Tags:	exe FormBook Maersk

abuse_ch

Malspam distributing Formbook:

HELO: vm4983.aproweb.it
Sending IP: 217.64.205.19
From: A.P. Moller - Maersk <info@hoteldaltavilla.it>
Subject: RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 //
Attachment: Mv Maersk Kleven V949E_pdf.xz (contains "Mv Maersk Kleven V949E_pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Mv Maersk Kleven V949E_pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-01-15 07:22:02 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/abb46517-a2a8-4b69-a678-fc5e4ccc9d66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/112185/

Detection(s):

SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/582237

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/a078d966a3ac5a7ac639b01ba4d3230c7554d7d75e9e7f59dc35b623aec8dbda/

Threat name:

ByteCode-MSIL.PUA.Wacapew

Status:

Malicious

First seen:

2021-01-15 04:31:58 UTC

AV detection:

8 of 46 (17.39%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ub4nszvdvrnhvrrzwan2juzdbr2vjv6xl2ph6wo4gw3chlwi3pna._file

Verdict:

malicious

Label(s):

formbook

Formbook

2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2

Formbook

56db76250b06a9b52b44a9cc88161cd8fb070c4b72aae4f2186362875edac275

Formbook

5b59e08e82994cd78df8856c5d7cfd4b30be947a9f7329af1a13d47652b189fc

Formbook

75f2a2a20e73b7e0c53d499b883a403c2b8cfbf17c5923d58e0167daa4c019c1

Formbook

8cc59465e09b47aa8c0fa9f06198c9a2e8a94eec0b7bf7c7e63cf1f972f6e88a

Formbook

a026f6e6988f126a35bb044b7215fa5fb20a41a3b3bac722bfb7f53e670cc0f4

Formbook

b4028a328ab3e533631461c92c11f0594dbc1311ccb259bfe7e37c325c31a1d5

Formbook

c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0

Formbook

c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9

Formbook

+ 3'405 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210115-p2472421sj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.embracingmyjourney.net/p7t/

Unpacked files

SH256 hash:

2681e8e4ea11b8ad2e5647611ffb26571c8d70fe74a72906bf74689045054b76

MD5 hash:

a8b3eedb0a0ada743f56e178f6647a88

SHA1 hash:

02f5fb5e128dca0d4483135659888ce392039db3

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/edf3ced1-7777-49f1-b662-98e1525e7985/

Parent samples :

c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9
56db76250b06a9b52b44a9cc88161cd8fb070c4b72aae4f2186362875edac275
a078d966a3ac5a7ac639b01ba4d3230c7554d7d75e9e7f59dc35b623aec8dbda
b37ed83e211a60e98f12b924df6a9eecebb4b6f5c60cc58aa1468bddc611480f
5adeb6184ee1dffad88ac180f1e7dcbd6f451fc8dcd5e868906fca11d98476ef
3013607bfee8bcca1767c2a33cea94602e3c97baba31f96fc8a08014cf2576b4
3ce15be8f0a31d5fa5a176c3abb3729fd834a6af3e8a69b35cc6f2dd54c66fdb
280e68610d554a53b9986a3c71780b7de25914486c37d32b4479e50168645073

SH256 hash:

170b6cd53c0a3ea9334bac6de05fea9e4e81a17fb9f1dc2660accb541e5369f0

MD5 hash:

e03f5645586c4ec63b63a4ef65f444e4

SHA1 hash:

e0664cd23df565752517333d48cf4bc56782df25

Link:

https://www.unpac.me/results/edf3ced1-7777-49f1-b662-98e1525e7985/

SH256 hash:

366da8a6cbd04282ab6ef9c2ffc25d4aee0e52461da78ecc17ecba2db39ed834

MD5 hash:

460571c0e5a72a62cd42adc66616f197

SHA1 hash:

88f9305bd2a88cac12574fa86922a1b9c63dd32c

Link:

https://www.unpac.me/results/edf3ced1-7777-49f1-b662-98e1525e7985/

SH256 hash:

a078d966a3ac5a7ac639b01ba4d3230c7554d7d75e9e7f59dc35b623aec8dbda

MD5 hash:

b86abf15be6a1c7027e7a89ea3d821ca

SHA1 hash:

3b1bc94e7565aaf7cbe293dba32fca871ecf704d

Link:

https://www.unpac.me/results/edf3ced1-7777-49f1-b662-98e1525e7985/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/a078d966a3ac5a7ac639b01ba4d3230c7554d7d75e9e7f59dc35b623aec8dbda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819