MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
SHA3-384 hash: 5685e490a1a6946db4d4919cf62f6e77ff05c836819ebcb605f57420fef4888fee95c96527690d8eea7cb95bdaa53fd6
SHA1 hash: 6522654f789b6da6045c244187c776401ae61b35
MD5 hash: 6ec0ad707cfd679db91e380648658a1c
humanhash: kentucky-lemon-nuts-juliet
File name:order no. 43453.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:909'824 bytes
First seen:2021-01-12 07:26:32 UTC
Last seen:2021-01-12 08:54:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:chAzcd08UTIVK1faeEqU/RK9G1BxnYRcz46F:chxdQTIVKFsqU/R48fzj
Threatray 3'330 similar samples on MalwareBazaar
TLSH 05156C508F929751D7AC13FE2411006127E5DF79F7E8EB68ED9570B26FB2A2802FD182
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: cbdjo.cam
Sending IP: 111.90.159.32
From: Valentina Barbin <Barbin@cbdjo.cam>
Subject: Re: R: R: new order no. 43453
Attachment: order no. 43453.rar (contains "order no. 43453.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order no. 43453.exe
Verdict:
Malicious activity
Analysis date:
2021-01-12 08:13:02 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/837eb1c6-2a8f-4e2f-8a0f-e4b1712bacc8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111438/
Detection(s):
SecuriteInfo.com.Artemis6EC0AD707CFD.14661.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/578721
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338410 Sample: order no. 43453.exe Startdate: 12/01/2021 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 9 other signatures 2->51 10 order no. 43453.exe 7 2->10         started        process3 file4 31 C:\Users\user\AppData\...\ZlxSqEyhCzs.exe, PE32 10->31 dropped 33 C:\Users\...\ZlxSqEyhCzs.exe:Zone.Identifier, ASCII 10->33 dropped 35 C:\Users\user\AppData\Local\...\tmp4E76.tmp, XML 10->35 dropped 37 C:\Users\user\...\order no. 43453.exe.log, ASCII 10->37 dropped 13 order no. 43453.exe 10->13         started        16 schtasks.exe 1 10->16         started        process5 signatures6 61 Modifies the context of a thread in another process (thread injection) 13->61 63 Maps a DLL or memory area into another process 13->63 65 Sample uses process hollowing technique 13->65 67 Queues an APC in another process (thread injection) 13->67 18 explorer.exe 13->18 injected 22 conhost.exe 16->22         started        process7 dnsIp8 39 valiantbranch.com 34.102.136.180, 49763, 49764, 49775 GOOGLEUS United States 18->39 41 sphenecouture.com 160.153.133.87, 49772, 80 GODADDY-AMSDE United States 18->41 43 24 other IPs or domains 18->43 53 System process connects to network (likely due to code injection or exploit) 18->53 24 cmd.exe 18->24         started        signatures9 process10 signatures11 55 Modifies the context of a thread in another process (thread injection) 24->55 57 Maps a DLL or memory area into another process 24->57 59 Tries to detect virtualization through RDTSC time measurements 24->59 27 cmd.exe 1 24->27         started        process12 process13 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-12 07:27:19 UTC
AV detection:
4 of 46 (8.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhuj253g7ckmcawniso2zzpjyhxy6pg4ubyk6x3m4ivhon7lle5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
1158ff679fa556eb7dbe494126b16c5ec298f8f1a81463784d1c9ec8dc9b83f1
Formbook
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
Formbook
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
Formbook
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
Formbook
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
Formbook
debe2f7e0f2e18dff0c54f3809c66256f5741b5cf9e13e065593c005db9c22de
Formbook
f1c600a86d9492512f5c80574f885bc0b2c0f058419f58b1c8800eb6e1502713
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
+ 3'320 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210112-nmz3zpm76j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.valiantbranch.com/0wdn/
Unpacked files
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/eaa72880-94c2-4bc9-8c88-c220a37b60bc/
SH256 hash:
fb611bf299ab7b55150ea40f8f2ef1c131d292ffab31369a24f4a0152524468b
MD5 hash:
0131f1de266877b3cf6e7b64cc9c00c9
SHA1 hash:
e590d22972198804095d28c13370c515302d141e
Link:
https://www.unpac.me/results/eaa72880-94c2-4bc9-8c88-c220a37b60bc/
SH256 hash:
890e5e72222461be09c0c885e7b1f70c63d1cfec5ac245de637af3929b7e7834
MD5 hash:
7a6958c8cec4aec91bbafe23f99276e0
SHA1 hash:
b046b046022e42a868634a6675330933734575f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/eaa72880-94c2-4bc9-8c88-c220a37b60bc/
Parent samples :
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
SH256 hash:
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
MD5 hash:
6ec0ad707cfd679db91e380648658a1c
SHA1 hash:
6522654f789b6da6045c244187c776401ae61b35
Link:
https://www.unpac.me/results/eaa72880-94c2-4bc9-8c88-c220a37b60bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 43b86813bda8cda2fa525cfb38f0982f8ea28a1bc32a5adf2120fffcb72eaace

Formbook

Executable exe b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a

(this sample)

  
Dropped by
MD5 8065b5a687e2ee6ba7329c7214b34603
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 43b86813bda8cda2fa525cfb38f0982f8ea28a1bc32a5adf2120fffcb72eaace
Cape
Cape
https://www.capesandbox.com/analysis/111438/

Comments