MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad8dd5f1c3a9021711415a43bfd680447dc89da919fc35faf76ded4e9eb79f31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad8dd5f1c3a9021711415a43bfd680447dc89da919fc35faf76ded4e9eb79f31
SHA3-384 hash: d49e6654b6d8b7e1b97bec06a40c27cbeadee85adc745c3370eef0ec8341fc8c9568fb3f00530ad20b1aafe7ffb85184
SHA1 hash: f648d91e22ce2e1d171cebd1a223debe59b0edb2
MD5 hash: 1137a2a845b5489783ce5aae21303ab6
humanhash: lithium-two-papa-sad
File name:pvUopSIi7C5Eklw.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:753'664 bytes
First seen:2021-04-07 11:22:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:GY+StSI483V27N246GUrO/9xgOJvLhSi+B2Plc+ei2RJMmaBMLUrly3bUVsu7i:GKtSIb3YcXmHbJzqBUl7BMLUraai
Threatray 4'547 similar samples on MalwareBazaar
TLSH D0F4691C2A9844F4D5E936F4082180411BADAD1F7792B709ABB0FD693A33633CE5DA5F
Reporter abuse_ch
Tags:exe FormBook geo NLD


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.almalare.com
Sending IP: 185.121.120.172
From: postmaster@almalare.com
Subject: PO 21-40 voor artikelen 288-295
Attachment: Bestelling.rar (contains "pvUopSIi7C5Eklw.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pvUopSIi7C5Eklw.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 11:54:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e855567-ce3f-4800-8268-ed5d6ec64392

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132843/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.634.29001.4598.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668573
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383217 Sample: pvUopSIi7C5Eklw.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 6 other signatures 2->42 10 pvUopSIi7C5Eklw.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\pvUopSIi7C5Eklw.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 pvUopSIi7C5Eklw.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.1xbetmer9.online 5.45.86.121, 49762, 80 SCALAXY-ASNL Russian Federation 17->30 32 ero-dogamax.com 163.44.239.72, 49759, 80 INTERQGMOInternetIncJP Japan 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmmon32.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad8dd5f1c3a9021711415a43bfd680447dc89da919fc35faf76ded4e9eb79f31/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 11:23:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwg5l4odvebboekbljb37vuair64rhnjdh6dl6xxnxwu5hvxt4yq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
220f3d2b4e15b67592dc527153c3b7107d1465ef90339b8c00c0db2f9cc245fc
Formbook
39673d6fd51aeaedf60429480dc615144baf0dbd65704dc40825942e60e82be0
Formbook
5aa64b3eef03b9c837e37102be20cb4f537c524b2a2531bf1bf6dd6a02461d7e
Formbook
85c3061712d39d8f6605267663495724d314cd131db20cc9fcbb3027ddf7b628
Formbook
92737036f323b1c72064c1e8038a942266435048a3ce4847f7e5b29558376c1c
Formbook
988d84650b91424e291cb84ef84433cbd4214622365b226d925d71ffda0bccb8
Formbook
a01cc1fb91c9f7d7490e45a84b861e7188a0f3d97769710af895ee843a19699c
Formbook
cdcb4d8c4292e945bd519f6d50039a4f5fc933b909eacd6ac1286fbf1ff2142a
Formbook
d69345d398849a377103e09925aca369a6ee8fdaca08745d3bbb02aa79eb2861
Formbook
f61ea12383c210bd9db6f0148321bfbc36b24c7b55197cbafef0ae23cadd9b9c
Formbook
+ 4'537 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210407-mvd8yyv9ka/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.probysweden.com/cpo/
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/7dc88b64-3c0b-45d5-9c29-8eb739d07be9/
SH256 hash:
ad8dd5f1c3a9021711415a43bfd680447dc89da919fc35faf76ded4e9eb79f31
MD5 hash:
1137a2a845b5489783ce5aae21303ab6
SHA1 hash:
f648d91e22ce2e1d171cebd1a223debe59b0edb2
Link:
https://www.unpac.me/results/7dc88b64-3c0b-45d5-9c29-8eb739d07be9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ad8dd5f1c3a9021711415a43bfd680447dc89da919fc35faf76ded4e9eb79f31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c8b96f9f31e8ae24043b7b35ca8cf6d66574b57c56746fe007ee6f4609d19b1b

Formbook

Executable exe ad8dd5f1c3a9021711415a43bfd680447dc89da919fc35faf76ded4e9eb79f31

(this sample)

  
Dropped by
MD5 0a47028823a9d6ac37e411bec17dad56
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c8b96f9f31e8ae24043b7b35ca8cf6d66574b57c56746fe007ee6f4609d19b1b
Cape
Cape
https://www.capesandbox.com/analysis/132843/

Comments