MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a274ae6a1adcdc3967735c5f04aed6cf22d1541dc275def4eb2d7cb3c0c57d25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 12



SHA256 hash: a274ae6a1adcdc3967735c5f04aed6cf22d1541dc275def4eb2d7cb3c0c57d25
SHA3-384 hash: 3d1b42f2d311df5842d60824be2f2df4b12f510005864ed7c4163b378e540111d9566e3ee48bb6a96bbeb9708b014d38
SHA1 hash: a32c1fa6328a1dd29e6e568e724c97c28d8d4e9b
MD5 hash: cd37fa003b427bb26cc015d0ea013704
humanhash: delaware-one-coffee-glucose
File name: INV+PACKING LIST.exe
Signature: Formbook
File size: 848'896 bytes
First seen: 2021-04-26 05:26:48 UTC
Last seen: 2021-04-26 06:07:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:ZGhl39QcAwb94H88V1jH2nffyGvqQ/9ZWl15:ZG2cANHH2nffyG/90Z
Threatray: 4'619 similar samples on MalwareBazaar
TLSH: E80522073B98F77EE93EE7B94470A11057F3AE96AB22DB4DBEC924D64452F840B40721
Reporter: abuse_ch
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 107
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: INV+PACKING LIST.exe
Verdict: Suspicious activity
Analysis date: 2021-04-26 05:35:53 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Behavior Graph ID: 397691
Sample: INV+PACKING LIST.exe
Startdate: 26/04/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
Process tree:
  INV+PACKING LIST.exe (started)
    dropped: C:\Users\user\...\INV+PACKING LIST.exe.log, ASCII
    signatures: Injects a PE file into a foreign processes
    INV+PACKING LIST.exe (started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        network: ponderingelephant.com 66.235.200.147, 49755, 80 CLOUDFLARENETUS United States; www.unifipayments.com; 2 other IPs or domains
        signatures: System process connects to network (likely due to code injection or exploit)
        WWAHost.exe (started)
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (started)
            conhost.exe (started)
    INV+PACKING LIST.exe (started)
Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2021-04-26 05:27:10 UTC
AV detection: 7 of 47 (14.89%)
Threat level: 2/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.consultinggroupwv.com/ple/
Unpacked files
SHA256 hash: e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash: efb0de4397ea61e17d262e278b53ff86
SHA1 hash: 727fdf2ceb13262d56bdda24a02564fb3e80c8b0
SHA256 hash: a274ae6a1adcdc3967735c5f04aed6cf22d1541dc275def4eb2d7cb3c0c57d25
MD5 hash: cd37fa003b427bb26cc015d0ea013704
SHA1 hash: a32c1fa6328a1dd29e6e568e724c97c28d8d4e9b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments