MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319
SHA3-384 hash: 0a1b1cda006ccea87ff919ab73fafe499591d71fc00b0afa85991daadfdbcee3d51c4fc41cd824fc15d5488e6c810154
SHA1 hash: 9dcbdbdb9f4e569dab054427a17ec145b016135b
MD5 hash: 00aca09af0da80222fa4d918916eb380
humanhash: nitrogen-fish-oscar-aspen
File name:QN-03507-20.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:596'480 bytes
First seen:2021-01-14 20:12:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Ww3VpNEpt8yOWGd4E/RAAkcganlnCCNmz1q/3+:RVpGpt7iHOVcgaECgz1Q3+
Threatray 3'389 similar samples on MalwareBazaar
TLSH E2C4011137A85FA2D67F97FA6136500417F6AA12A933E3485EC060EF0E99F50C792F63
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail.panjunan.com
Sending IP: 103.31.224.54
From: Buoyancy Marine Pte Ltd <klaim.pusat@panjunan.com>
Subject: Buoyancy Marine Ref:QN-03507-21 INVITATION TO QUOTE
Attachment: QN-03507-20.arj (contains "QN-03507-20.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QN-03507-20.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 20:45:54 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/e793afa4-e0e4-4e86-80b6-d11b8fd17f87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112092/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
DNS request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581821
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339948 Sample: QN-03507-20.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 7 other signatures 2->42 10 QN-03507-20.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\QN-03507-20.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 14 QN-03507-20.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 winluckylotto.com 204.11.58.71, 49774, 80 PUBLIC-DOMAIN-REGISTRYUS United States 17->30 32 ghs.googlehosted.com 108.177.119.121, 49776, 80 GOOGLEUS United States 17->32 34 21 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 mstsc.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 03:59:35 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wldseslrslsykqb5qagcwnf4ctwyy7vjwdzlj2ghw6krwzc42mmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1158ff679fa556eb7dbe494126b16c5ec298f8f1a81463784d1c9ec8dc9b83f1
Formbook
196b4470cd98c4f6d5c634170a1c6a98cf59b61c9b12a032ec9fb776b74a0527
Formbook
444e72d12e85dffc1b247b29e7789022b251237f56ea83bf72e3c09fcb628874
Formbook
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
Formbook
6a042012f4233929b8f5fbf73f4b958e39f2fb60d73c1d758753dd07508ef8e1
Formbook
ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4
Formbook
b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086
Formbook
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Formbook
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
Formbook
f1c600a86d9492512f5c80574f885bc0b2c0f058419f58b1c8800eb6e1502713
Formbook
+ 3'379 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210114-p6r712y396/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.basketballcardgame.com/mmfg/
Unpacked files
SH256 hash:
ce5fb4e2e5fc833a0329548ef88bbb8d18225202998b1fdda21690aeb34e3af5
MD5 hash:
331ce528f619f985b635ab6cb3ec16a9
SHA1 hash:
923cdbe43dcf2d3138d2364304ba274b2683262d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/27db8c01-fdbf-4e6b-8c22-a3f51650714f/
Parent samples :
b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319
5cd75052c82b5ff0cc1261075c4fdb060c21062c72525508cbb75e44683f6d0b
SH256 hash:
ac043067a18bb3724b352c01df648b173d97c79c8e8fb6ed23d0cf7a806e9906
MD5 hash:
9aa4e63abf36a7b274d744cb7be5ce2b
SHA1 hash:
5fb7ef7eb38a317db244f697ee58c7cb4a317f8f
Link:
https://www.unpac.me/results/27db8c01-fdbf-4e6b-8c22-a3f51650714f/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/27db8c01-fdbf-4e6b-8c22-a3f51650714f/
SH256 hash:
b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319
MD5 hash:
00aca09af0da80222fa4d918916eb380
SHA1 hash:
9dcbdbdb9f4e569dab054427a17ec145b016135b
Link:
https://www.unpac.me/results/27db8c01-fdbf-4e6b-8c22-a3f51650714f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

arj a03f5ad426e80d43bcf86e71ccfe7406fe7c565abe00b2305464a07f6d1b2834

Formbook

Executable exe b2c722497192e585403d800c2b34bc14ed8c7ea9b0f2b4e8c7b7951b645cd319

(this sample)

  
Dropped by
MD5 c432fd36ef5e5b314edc73c58863e151
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112092/
  
Dropped by
SHA256 a03f5ad426e80d43bcf86e71ccfe7406fe7c565abe00b2305464a07f6d1b2834

Comments