MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b650350fb7bdd840c9cc16502e902983d7fb5faf00ed6f60ef8439a6ccd4e33c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b650350fb7bdd840c9cc16502e902983d7fb5faf00ed6f60ef8439a6ccd4e33c
SHA3-384 hash: f3ad7309dcef9b3feca8541266098ac9b6ac47b06f9af6ebc1887359c8760cdae8787f1da7de6827819ab27a5bf5e8b8
SHA1 hash: 1669357ca2336530ef8ade069ac54fe7ab18c8ea
MD5 hash: dc171d23dfb62217c47795303b8d3e32
humanhash: foxtrot-grey-emma-diet
File name:NEW URGENT ORDER FROM PUK ITALIA GROUP SRL.EXE
Download: download sample
Signature Formbook
Create hunting rule
File size:801'792 bytes
First seen:2020-12-15 07:31:32 UTC
Last seen:2020-12-23 03:26:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d25e5d259e7f6716a4e00d81c9e32354 (4 x ModiLoader, 2 x ISRStealer, 1 x Formbook)
ssdeep 12288:ag83oBuqmVFmaoZ9cK6OxHiCjFzQZm9QIPmcadX2IGVpjY/:agWJ0NZlxr1WKg
Threatray 3'174 similar samples on MalwareBazaar
TLSH 1E057D22B25144F6C07216389D1B93A498E5BE3039349D876AF52D4CBEFF6A07D2DD83
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
15
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW URGENT ORDER FROM PUK ITALIA GROUP SRL.EXE
Verdict:
Malicious activity
Analysis date:
2020-12-15 07:41:16 UTC
Tags:
installer opendir trojan formbook stealer
Link:
https://app.any.run/tasks/0b51e308-ccc8-4ae5-a07e-51b34bf0f5dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Sending an HTTP GET request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/563133
Signature
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 330651 Sample: NEW URGENT ORDER FROM PUK I... Startdate: 15/12/2020 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected FormBook 2->44 46 4 other signatures 2->46 9 NEW URGENT ORDER FROM PUK ITALIA GROUP SRL.EXE 14 2->9         started        process3 dnsIp4 24 airseaalliance.com 198.136.51.123, 49745, 80 DIMENOCUS United States 9->24 26 discord.com 162.159.128.233, 443, 49744 CLOUDFLARENETUS United States 9->26 48 Modifies the context of a thread in another process (thread injection) 9->48 50 Maps a DLL or memory area into another process 9->50 52 Sample uses process hollowing technique 9->52 54 Queues an APC in another process (thread injection) 9->54 13 explorer.exe 9->13 injected signatures5 process6 dnsIp7 28 www.mutemis.com 156.241.53.164, 49771, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 13->28 30 outlier88.com 34.102.136.180, 49774, 80 GOOGLEUS United States 13->30 32 7 other IPs or domains 13->32 56 System process connects to network (likely due to code injection or exploit) 13->56 17 netsh.exe 13->17         started        signatures8 process9 signatures10 34 Modifies the context of a thread in another process (thread injection) 17->34 36 Maps a DLL or memory area into another process 17->36 38 Tries to detect virtualization through RDTSC time measurements 17->38 20 cmd.exe 1 17->20         started        process11 process12 22 conhost.exe 20->22         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b650350fb7bdd840c9cc16502e902983d7fb5faf00ed6f60ef8439a6ccd4e33c/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 07:32:12 UTC
File Type:
PE (Exe)
Extracted files:
101
AV detection:
11 of 48 (22.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzidkd5xxxmebsomczic5ebjqpl7wx5padww6yhpqq42ntgu4m6a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
Formbook
1d6b4c596e189a78ffd872bffe908aaf27f74f6c36dddfd50b517f9155c0938b
Formbook
40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559
Formbook
4d39dfd975de3e9aca4e430390618b2e548db3f3d4bf2d0409f643be7da2a91e
Formbook
5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe
Formbook
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
Formbook
82c53ee74253581efe369c99373d6c978b3b9b799eb04de6c4eb59d2825e8ee2
Formbook
88b677a3b0b552141610da3b5b9a73f40e705a16cec821c73ea01a55fbf8202f
Formbook
8aaa1509b2f7df0160cb91cc9a8f35f38a029ea7485a25deaa9b448b1d635059
Formbook
bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449
Formbook
+ 3'164 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201215-wg1kl24rj2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.revit-templates.com/k47/
Unpacked files
SH256 hash:
b650350fb7bdd840c9cc16502e902983d7fb5faf00ed6f60ef8439a6ccd4e33c
MD5 hash:
dc171d23dfb62217c47795303b8d3e32
SHA1 hash:
1669357ca2336530ef8ade069ac54fe7ab18c8ea
Link:
https://www.unpac.me/results/d735879b-8cc9-4237-8540-3a102cf6aa6e/
SH256 hash:
09be38f88faa510928d7ca99f1afd84b1ed6c37cc1743cdedd47f229a3552192
MD5 hash:
9585a626da01f4f1205e18431abb0fb0
SHA1 hash:
fff8c1d91264ce1fcffeeb9e833236dc3b9448f2
Detections:
win_dbatloader_g0
Create hunting rule
Link:
https://www.unpac.me/results/d735879b-8cc9-4237-8540-3a102cf6aa6e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/b650350fb7bdd840c9cc16502e902983d7fb5faf00ed6f60ef8439a6ccd4e33c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso a7ded571b064a868271fefab774114a04bc7a236c25ce5a6edb4c0bffbe38e0c

Formbook

Executable exe b650350fb7bdd840c9cc16502e902983d7fb5faf00ed6f60ef8439a6ccd4e33c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a7ded571b064a868271fefab774114a04bc7a236c25ce5a6edb4c0bffbe38e0c

Comments