MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba989ee01ad39b78f47142e56183f0946d74ded34ad136a48576a5a9aff25c34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba989ee01ad39b78f47142e56183f0946d74ded34ad136a48576a5a9aff25c34
SHA3-384 hash: 63ba6d5e131de03846c1934b1b4a32a15efb26c97113d39bfa67b8e58ebe97daee894b5535468095313048292cb3dd8a
SHA1 hash: 94f02eaeac3c6552910ff5983a43eedb2822d63d
MD5 hash: dc2ddfdc1beb443beec66d168ed29422
humanhash: lamp-one-butter-skylark
File name:Haesung-tech-drawing-견적요청_해성190918.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:828'416 bytes
First seen:2020-11-19 06:42:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f19034443dbba8ae65cae64d05fef57a (13 x Loki, 3 x Formbook, 2 x AgentTesla)
ssdeep 12288:IbkNnMdUO4rvcMZKwangiFPWY/mnM44ZVA0hjQY0DxAB+ZfN:B6j4rvrKwang6WCxVA0dCA8ZfN
Threatray 2'972 similar samples on MalwareBazaar
TLSH 70058EAFA1A0483FC123163ADC1B5FA85936BE10F92869462BF41D4C5F396D178172BF
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ns.asakurasoft9.jp
Sending IP: 211.1.230.21
From: Haesung Tech Co., Ltd <giga-tech@daum.net>
Reply-To: giga-tech@daum.net
Subject: 조언: Request for quotation _ Haesung Tech
Attachment: Haesung-tech-drawing-견적요청_해성190918.img (contains "Haesung-tech-drawing-견적요청_해성190918.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/542293
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba989ee01ad39b78f47142e56183f0946d74ded34ad136a48576a5a9aff25c34/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 04:30:12 UTC
AV detection:
17 of 48 (35.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkmj5ya22onxr5drilswda7qsrwxjxwtjlitnjefo2s2tl7slq2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
005b07f4994dac828c9c730744e73a4fde81ce34bd642f6835985871a2fb0084
Formbook
0a52da9ff52bac0092e953e1127ddacb2875f1e908bcdcc0eb13559313978f1a
Formbook
321330f837123bfa71b5fba50ba33848c6060c72242e7cbfa37981f3e834719b
Formbook
5250b6aa047823e57f17d7f569816518b6acffce3ac870b2167b0cdc262b2bba
Formbook
76b5083ce1a34c82e63cded85ecdf767f9d254e99a0d49174fbdd4a449857e41
Formbook
797dd6c7fd666d180638505d42d8803dffa37e8b76104fe77b21a680524242e7
Formbook
8d9d204b265e613d2a41df6c62d082b49ca24f7d30e34773301e892d26f30091
Formbook
d5693be3b4e0d78485c00d409aedbe5cf18fd22c413fac48b44a4eaa0bbda668
Formbook
da455c9459a51e64557b7f36c33a3ef60fdc43b647d1f2f480c3de5d31b2aa2f
Formbook
e0f3cc45f5f9d758b91fc99dbc5b838e8658fa28bad234825318e18d11806681
Formbook
+ 2'962 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201119-c4hthdwhhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sunflowersbikini.com/o1u9/
Unpacked files
SH256 hash:
ba989ee01ad39b78f47142e56183f0946d74ded34ad136a48576a5a9aff25c34
MD5 hash:
dc2ddfdc1beb443beec66d168ed29422
SHA1 hash:
94f02eaeac3c6552910ff5983a43eedb2822d63d
Link:
https://www.unpac.me/results/c5e43140-caed-4924-93d2-520837dc59c2/
SH256 hash:
a9094729830fcc5a5071904f48fcd3a804f02aef6782350b152d7650d38acc9f
MD5 hash:
09a722a8fc69e9097682425df7930673
SHA1 hash:
8a1a5492f2d8afa3efb788682895cf7f9d2f6f61
Link:
https://www.unpac.me/results/c5e43140-caed-4924-93d2-520837dc59c2/
SH256 hash:
63f19caf7c1b22ec4856b64cbfad0368755d7d917c5df022566b1b1f458a48f1
MD5 hash:
0a1360928d9421ecee80cc918fa7b9c3
SHA1 hash:
1ff361e0b52e323a16040767a1730eddfd8420b3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c5e43140-caed-4924-93d2-520837dc59c2/
Parent samples :
005b07f4994dac828c9c730744e73a4fde81ce34bd642f6835985871a2fb0084
ba989ee01ad39b78f47142e56183f0946d74ded34ad136a48576a5a9aff25c34
6ea42d461e10aa280c9a3bf273e6edfd0cf92a916f35768546ef7f09484c0829
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 4db61fcb86a27dbf0574068ff90a5ff66afaa614ae45ba7d6f191dd2d86d359c

Formbook

Executable exe ba989ee01ad39b78f47142e56183f0946d74ded34ad136a48576a5a9aff25c34

(this sample)

  
Dropped by
MD5 40a9926e5356e3a9db0679a6c0cd8bb8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4db61fcb86a27dbf0574068ff90a5ff66afaa614ae45ba7d6f191dd2d86d359c

Comments