MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
SHA3-384 hash: 4535b11b076a79652d5b2a7c79e17038801699d135c96b6859e9e5ddee454b8ebc183a4ad1194caeb0cd91078976d833
SHA1 hash: 7b66c8fa24e2a61a8afccfc6f05174b125b16b57
MD5 hash: 7326581121703045865e6e5d5363ac63
humanhash: sweet-early-kitten-bravo
File name:TN22020000560175.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'081'344 bytes
First seen:2020-12-31 07:51:37 UTC
Last seen:2020-12-31 09:41:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:5GSdRCcxDDkbvtPBuenYuMnYWjp+NH7Hh2q6Vb:cSdrJDkbNBuLTdjUNbB2
Threatray 3'314 similar samples on MalwareBazaar
TLSH EC35029187E55B50ED7CAB3828730C1317F3FC2EAA31D67EAD89B0541B739960132AB5
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: coimtra.cam
Sending IP: 111.90.159.197
From: Zhang, Tomson <Tomson@coimtra.cam>
Subject: Re: R: I: R: PI-TN22020000560175
Attachment: TN22020000560175.rar (contains "TN22020000560175.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TN22020000560175.exe
Verdict:
Malicious activity
Analysis date:
2020-12-31 15:50:50 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/fead7226-f947-42d5-bab5-1bf8dd20ae6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110195/
Detection(s):
SecuriteInfo.com.Generic.mg.7326581121703045.13531.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572509
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 335317 Sample: TN22020000560175.exe Startdate: 31/12/2020 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 7 other signatures 2->56 10 TN22020000560175.exe 7 2->10         started        process3 file4 36 C:\Users\user\AppData\...\xQdxpnGubd.exe, PE32 10->36 dropped 38 C:\Users\...\xQdxpnGubd.exe:Zone.Identifier, ASCII 10->38 dropped 40 C:\Users\user\AppData\Local\...\tmp1DE1.tmp, XML 10->40 dropped 42 C:\Users\user\...\TN22020000560175.exe.log, ASCII 10->42 dropped 60 Tries to detect virtualization through RDTSC time measurements 10->60 62 Injects a PE file into a foreign processes 10->62 14 TN22020000560175.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 TN22020000560175.exe 10->19         started        signatures5 process6 signatures7 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 Queues an APC in another process (thread injection) 14->76 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        process8 dnsIp9 44 thisisauckland.com 77.72.1.202, 49733, 80 KRYSTALGR United Kingdom 21->44 46 valiantbranch.com 34.102.136.180, 49730, 80 GOOGLEUS United States 21->46 48 23 other IPs or domains 21->48 58 System process connects to network (likely due to code injection or exploit) 21->58 27 msdt.exe 21->27         started        30 autoconv.exe 21->30         started        signatures10 process11 signatures12 64 Modifies the context of a thread in another process (thread injection) 27->64 66 Maps a DLL or memory area into another process 27->66 68 Tries to detect virtualization through RDTSC time measurements 27->68 32 cmd.exe 1 27->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xplgagaxco2heqgmmpqz52yfjag6pfbcxzz5cmyrhnshfxaxzesa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
7a847a23a2407172035d5eeb7fe1117c851b2947e133c1ca3a236293e5fc5432
Formbook
828a9fae03e6a20158c58a659f27371fbe9a836199a3327fe5ef457115cf0206
Formbook
b475b8978e80b7cfc97d95df7e5c7b51efd86ec23d5257ec0c5aa40df7abf30a
Formbook
b4db045a825affb493b9ecf2155047996fe2dd6f85db26a79070c7fd78fa60e9
Formbook
d995c73f2e399b8c2fbb7c2fd6b32d7f91113cc86fa63fe560966f21e26c5ac1
Formbook
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
Formbook
f38659e0b47cf0d1c0a61aa87256fdf60d04b2f41a935995b2346849f2f6b246
Formbook
faedff8db790292491a47b0cc226a9150f3786fa84031f69cda2df5ba36c9543
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
+ 3'304 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201231-gaxdykzerx/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.valiantbranch.com/0wdn/
Unpacked files
SH256 hash:
890e5e72222461be09c0c885e7b1f70c63d1cfec5ac245de637af3929b7e7834
MD5 hash:
7a6958c8cec4aec91bbafe23f99276e0
SHA1 hash:
b046b046022e42a868634a6675330933734575f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2561fbd0-90c3-4f4b-bf3c-02f08e693c49/
Parent samples :
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
SH256 hash:
6dd20b7ab5506865e2a5699f0cb79fc61c753ef49d696b2242ea7962e50145f9
MD5 hash:
5ec7b963e6831867d0659b00b38e3bbd
SHA1 hash:
8f50fd865a046442f9d92f7113be06d09bc704be
Link:
https://www.unpac.me/results/2561fbd0-90c3-4f4b-bf3c-02f08e693c49/
SH256 hash:
fd321cd8213d6b2547e222ed488001c9bb8c45fae9d44f9f9ea207e649d99597
MD5 hash:
d5d2f9db68f7869f1c2711290d806ec0
SHA1 hash:
6f7772ff2c01ab8826072dbbd2e1abed8e3041b0
Link:
https://www.unpac.me/results/2561fbd0-90c3-4f4b-bf3c-02f08e693c49/
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/2561fbd0-90c3-4f4b-bf3c-02f08e693c49/
SH256 hash:
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
MD5 hash:
7326581121703045865e6e5d5363ac63
SHA1 hash:
7b66c8fa24e2a61a8afccfc6f05174b125b16b57
Link:
https://www.unpac.me/results/2561fbd0-90c3-4f4b-bf3c-02f08e693c49/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar f706b95dc39e74ee811b7da41abb27236691c69cc36cd0c20eaf37bc7ea5a6ac

Formbook

Executable exe bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924

(this sample)

  
Dropped by
MD5 6dfde8074dab8fa763de2ed0bf8cbb2a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f706b95dc39e74ee811b7da41abb27236691c69cc36cd0c20eaf37bc7ea5a6ac
Cape
Cape
https://www.capesandbox.com/analysis/110195/

Comments