MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2ea418fe212c56fabd58c09d12b825f113f613f271c52ee8cca5d70750ea12d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2ea418fe212c56fabd58c09d12b825f113f613f271c52ee8cca5d70750ea12d
SHA3-384 hash: 9d8617596d02cdba50f2f68e919eb6e7364a8c0a45d8d52bd45bd356d4fd5763167e73e37ed38efaf7b19992a29ff264
SHA1 hash: 8aef19544a0bb29364442741cf22832ad74b3305
MD5 hash: 8468f9e3972956719e205c6403edbf04
humanhash: tennis-tennis-winter-nineteen
File name:PurchaseOrder.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:258'200 bytes
First seen:2021-07-28 13:05:22 UTC
Last seen:2021-07-28 13:44:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 941705bb9de69d9f126b6b02b46cea7a (3 x Loki, 3 x Formbook)
ssdeep 6144:aMxgtwNxPqaHmxDgyKQrSZD+LFPEbBs1iAmcM9cUB:hxgt6SVKQre86Bs0bcUB
Threatray 6'994 similar samples on MalwareBazaar
TLSH T1A144025643DC6D02E07A6AB1207867A3963D75B66B3FB16B63901E1E0CB4AF0DC31B47
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PurchaseOrder.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 13:08:47 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/2f949356-e719-4aea-8c37-8bff725f1144

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174647/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.14751.12788.18623.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2904993-e506-4248-a0df-e37c70a10f0d
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823070
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 455482 Sample: PurchaseOrder.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 35 www.chatbotnepal.com 2->35 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 5 other signatures 2->47 11 PurchaseOrder.exe 2->11         started        signatures3 process4 signatures5 55 Maps a DLL or memory area into another process 11->55 57 Tries to detect virtualization through RDTSC time measurements 11->57 14 PurchaseOrder.exe 11->14         started        process6 signatures7 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 17 explorer.exe 14->17 injected process8 dnsIp9 29 www.mymogulads.online 74.208.236.40, 49727, 80 ONEANDONE-ASBrauerstrasse48DE United States 17->29 31 www.e-studying.com 64.190.62.111, 49733, 80 NBS11696US United States 17->31 33 6 other IPs or domains 17->33 39 System process connects to network (likely due to code injection or exploit) 17->39 21 control.exe 12 17->21         started        signatures10 process11 dnsIp12 37 www.answeradviser.com 21->37 49 Modifies the context of a thread in another process (thread injection) 21->49 51 Maps a DLL or memory area into another process 21->51 53 Tries to detect virtualization through RDTSC time measurements 21->53 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Gathering data
Threat name:
Win32.Spyware.OutBreak
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 04:01:29 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 28 (64.29%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ulvedd7cclcw7k6vrqe5ck4cl4it6yj7e4off3umzjoxa5iouewq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26c752e870c67846120eefa974dabdb9ee5b0efd3ddcd45f507aeaa638db2572
Formbook
2d3642f2c997cdd1a84d283738cd6d09f321f681dbc26fab6cca262d59401e20
Formbook
39ea098dc37c12477cdfde92cb07cf2840d907c262c582a2320ade782e01bbcf
Formbook
54a4c812a46eacf246ace69c9b1cc1790c63694c091ad5661cffa309d2162da0
Formbook
72c6697907363b49b380a98519bd1301562ed640b1d4d98f5a4bc08cddeb5ab7
Formbook
94e436107d0fb47e65907647813f1914e8c847f3d6045098e65d1bc56abf280f
Formbook
9998ff1d42d8af0fcc166bea36887eebf182e91d1816853d9f80e6cbbbaf9145
Formbook
bf6ae876108b5fec915d91bd36d3ccd22c8593be29412521c32a4b3f11a757f0
Formbook
e713f71dced099e1ed7db81eb22b4e79fb412f08ca0915e8cdebb5b6051aee67
Formbook
f1b2b93992ab956883815e6fea926d282fc3a423675fa1faf5ffb6cbb2ddbedb
Formbook
+ 6'984 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat suricata
Link:
https://tria.ge/reports/210728-gsz9qtkj12/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.lehuvip867.com/mpus/
Unpacked files
SH256 hash:
5f50a455b46fd0a64a1205f3dbf3026e07b5218f9f4d1842b5bc635f8bd16a0b
MD5 hash:
f431a991fca58c89372317c89e6fe8e6
SHA1 hash:
45460b7e85c543553a1928fd4b97184e6f41d184
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/47c92a2a-a67f-4cd8-9beb-df525496de14/
Parent samples :
a2ea418fe212c56fabd58c09d12b825f113f613f271c52ee8cca5d70750ea12d
3c4255b2391d019d1f020b5a8c65dfe031b06344fe9ebe591b21397ad993af66
44dedf5b594d812b996aae7b28fd3489703842b05ff917403f879d728fe15ba0
9aa14501574506627270d8fd1ffba77663640ade1feba0deabbc9ece1f06c0d6
ec9615376e058679cc49b28df048c0f31bb8fdcd67e59b2840058c435af45d65
02f219e86791727efbc7d24273381485d1843ec9d85fa2d6fbd902d8e7c2fa12
SH256 hash:
a2ea418fe212c56fabd58c09d12b825f113f613f271c52ee8cca5d70750ea12d
MD5 hash:
8468f9e3972956719e205c6403edbf04
SHA1 hash:
8aef19544a0bb29364442741cf22832ad74b3305
Link:
https://www.unpac.me/results/47c92a2a-a67f-4cd8-9beb-df525496de14/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/a2ea418fe212c56fabd58c09d12b825f113f613f271c52ee8cca5d70750ea12d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/174647/

Comments