MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1
SHA3-384 hash: c3a3473cb0fa3d266caef40b33333ff0e8fb4286fb8e70a3495319ef47623638fbad1eb953046344da549aba6044b46b
SHA1 hash: 98ba8b8efae441724aed5a628d6604af16e578a6
MD5 hash: 73ffae92ff232fcf40db39fe1a8ec773
humanhash: video-carolina-vermont-iowa
File name:Bori ordine 25082021,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:391'680 bytes
First seen:2021-08-25 14:56:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (83 x Formbook, 33 x Loki, 31 x Loda)
ssdeep 6144:S4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pzq:JXe9PPlowWX0t6mOQwg1Qd15CcYk0Wea
Threatray 8'495 similar samples on MalwareBazaar
TLSH T17284231288CD4CE5FB1AD131A0D3C7692ABBA3134CA78FD09A64CE6C59D754539E38B2
dhash icon 1b2561696965293f (5 x Formbook, 1 x AgentTesla, 1 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bori ordine 25082021,pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-25 14:58:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/af416959-83db-4981-84b0-dc7a1ba0bb6b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182339/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2b03008-d74b-4077-b0e0-7de5a03052d3
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839176
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 471603 Sample: Bori ordine 25082021,pdf.exe Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 29 www.cryptocurrencytroll.com 2->29 31 www.marxja.com 2->31 33 cryptocurrencytroll.com 2->33 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 5 other signatures 2->49 11 Bori ordine 25082021,pdf.exe 15 2->11         started        signatures3 process4 dnsIp5 41 a.uguu.se 144.76.201.136, 443, 49706 HETZNER-ASDE Germany 11->41 59 Maps a DLL or memory area into another process 11->59 15 Bori ordine 25082021,pdf.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.jehonara.com 154.210.135.194, 49728, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->35 37 www.alvi-international.com 91.195.240.13, 49722, 80 SEDO-ASDE Germany 18->37 39 13 other IPs or domains 18->39 51 System process connects to network (likely due to code injection or exploit) 18->51 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-08-25 11:31:02 UTC
AV detection:
10 of 43 (23.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wurf4tyzxd2d3gfffaeifeehveazz4sh7nvd62wnnlrq5tfz5cyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03735650255866b1c2592bcb4567cbcb2b9d23eea5430d2e7d7c6315abadb5ad
Formbook
0c5a22c770faa9a49feb2d8c881d51138f4892dad188e3391d345d0865e8953b
Formbook
0ccc6514caee09ed66f24a7883aa22194e523834485f752684d0ddd727e39487
Formbook
1a912965cb32d547e15282d11d1251c5fd89a5d2714a198ca26c2ad8597865bb
Formbook
355dd96121c1930f9c9c0f94b6474d5cbeb3bcfd6a7c51a043674cc79a26c891
Formbook
71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0
Formbook
a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Formbook
cc0e5224224cd1137d4cdff798462d06a7e5e39e97858aac2ecc3c27b5c30b42
Formbook
dc26789a27709300dcdd742b50b8acb5c4d96d13c0aa5adb69c4f76d8e75c8ba
Formbook
e4bf214f6939dae12a6a479bd64f129509aa74ae46033c1aee210acddb118077
Formbook
+ 8'485 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:x9r4 loader rat upx
Link:
https://tria.ge/reports/210825-bfct18nf5a/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.alchemywaxmelts.com/x9r4/
Unpacked files
SH256 hash:
1d96baf8d6dee2ca11a113dd4d129f3fecf2dfea5dc32183dd32761ce4a7e276
MD5 hash:
2ea914a424a90a9165d722be38de2d67
SHA1 hash:
5b411f52c1eb11b0921b45164b60d2b597b968c8
Link:
https://www.unpac.me/results/bb578da2-b284-4028-a2c8-6b48314be1a8/
SH256 hash:
b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1
MD5 hash:
73ffae92ff232fcf40db39fe1a8ec773
SHA1 hash:
98ba8b8efae441724aed5a628d6604af16e578a6
Link:
https://www.unpac.me/results/bb578da2-b284-4028-a2c8-6b48314be1a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/182339/

Comments