MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086
SHA3-384 hash: 513169c1ed887adb1b016dbb09a1e41c6b0ca4898e99fe0cfd9e3bfaef65ab85ed54a5bca7b507a81f9c29c37c63d568
SHA1 hash: 2e292b7e6f41b0fd7dd31424989e5640f6e41e38
MD5 hash: 573ad7a8627f24f2e6fc4aa3c53f6328
humanhash: georgia-double-jersey-double
File name:Packing list • Invoice • Country of origin.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:386'560 bytes
First seen:2021-01-15 07:09:06 UTC
Last seen:2021-01-15 09:12:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1442444af7919535e8cc28f805f45818 (3 x Formbook, 2 x NanoCore, 1 x RemcosRAT)
ssdeep 6144:eVlRSiTgMIAITpBVeiqRPe6th5MZpd+x6tv9EZR:ezMMSpBgiqpKZpdRriR
Threatray 3'374 similar samples on MalwareBazaar
TLSH B1849F927200C8CDEDB986B6581F81203007ACAF5171C7AD29DFB97BA167312936779F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: relay3.redynet.com.ar
Sending IP: 200.107.202.26
From: Alan Li <alanli@haitai.com>
Subject: Re: Shipping Documents – Packing List & Commercial Invoice
Attachment: Packing list • Invoice • Country of origin.zip (contains "Packing list • Invoice • Country of origin.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Packing list • Invoice • Country of origin.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 07:16:11 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/e215356f-5e31-493e-94a9-91f80a60db2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112163/
Detection(s):
SecuriteInfo.com.Generic.mg.573ad7a8627f24f2.8437.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a file in the %temp% subdirectories
Creating a file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/582278
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (RTLO)
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 340176 Sample: Packing list #U2022 Invoice... Startdate: 15/01/2021 Architecture: WINDOWS Score: 100 35 www.clqck.com 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 11 other signatures 2->49 11 Packing list #U2022 Invoice #U2022 Country of origin.exe 3 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 11->33 dropped 59 Maps a DLL or memory area into another process 11->59 15 Packing list #U2022 Invoice #U2022 Country of origin.exe 11->15         started        18 conhost.exe 11->18         started        20 cmd.exe 1 11->20         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Queues an APC in another process (thread injection) 15->65 22 explorer.exe 15->22 injected process9 dnsIp10 37 thedallygrind.com 199.34.228.164, 49735, 49758, 80 WEEBLYUS United States 22->37 39 alrihabexpress.com 150.129.234.19, 49755, 80 WEBWERKSAS1US India 22->39 41 19 other IPs or domains 22->41 51 System process connects to network (likely due to code injection or exploit) 22->51 26 netsh.exe 22->26         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 26->53 55 Maps a DLL or memory area into another process 26->55 57 Tries to detect virtualization through RDTSC time measurements 26->57 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-15 07:10:05 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsuyiplmfbu5uf6j7m3nhkxhxbu7hx2eikajipqh6oke6zai6cda._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ce70c12c5b8806fc6b3e507c5ed406599045b20688b456db124b1b685da60d0
Formbook
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
6526a7eed94f5bff8a1c8b3d9d0aca202b72102edb7beec08644ff9ba06e00e2
Formbook
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
Formbook
ac23d4ba0e11c07488224b01abc734d353da88537ed55c945eec7a91a20216a4
Formbook
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Formbook
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
Formbook
f1c600a86d9492512f5c80574f885bc0b2c0f058419f58b1c8800eb6e1502713
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
+ 3'364 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210115-we2f21kvba/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.4mzn-l1mit.com/x2ee/
Unpacked files
SH256 hash:
b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086
MD5 hash:
573ad7a8627f24f2e6fc4aa3c53f6328
SHA1 hash:
2e292b7e6f41b0fd7dd31424989e5640f6e41e38
Link:
https://www.unpac.me/results/6a13e612-a563-4ff6-b4f9-25702a11cd91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip d8f46381380159983f5e68104d6d158ae834be5786f3abbb6cff74f79a377714

Formbook

Executable exe b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086

(this sample)

  
Dropped by
MD5 a1af6e1e7e70e2d2571c21d7c21b9c53
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d8f46381380159983f5e68104d6d158ae834be5786f3abbb6cff74f79a377714
Cape
Cape
https://www.capesandbox.com/analysis/112163/

Comments