MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034
SHA3-384 hash:	78d985e9e28f5f7d0c13ef3c6a7055a583facad228a66d406b603922b36276b5f51ade34d24d74a4404dd72959ab76df
SHA1 hash:	df33a4a91f50e49ee7c3283b1022024fca7ceade
MD5 hash:	525cb22afe0244e45b2831b243b27a68
humanhash:	avocado-fix-shade-mars
File name:	한라산업개발(2021.04.12).exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	698'880 bytes
First seen:	2021-04-12 06:05:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:eUA8Dpprq/7mz98ARu519pEpCPXD3XkeXxSHnob0agtjty2PouxcM1:eUA8iy5NO1YGnzQZnyIL
TLSH	B1E4F1207BD6C752C93A07F69432900307BAF1DE7817EBA84D4590DA2526F4C9DEADE3
Reporter	abuse_ch
Tags:	exe FormBook geo KOR

abuse_ch

Malspam distributing unidentified malware:

HELO: mail-smail-vm47.hanmail.net
Sending IP: 203.133.180.235
From: Deoksang ENG <iodo3@daum.net>
Subject: 설계서 및 견적서 요청에 관한 건
Attachment: 한라산업개발(2021.04.12).zip (contains "한라산업개발(2021.04.12).exe")

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

한라산업개발(2021.04.12).exe

Verdict:

Suspicious activity

Analysis date:

2021-04-12 06:43:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bad80b21-39f3-4f22-b2c6-77dbf41f72bf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/133627/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.644.15344.7231.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/672654

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034/

Threat name:

ByteCode-MSIL.Trojan.Woreflint

Status:

Malicious

First seen:

2021-04-12 06:06:07 UTC

AV detection:

10 of 48 (20.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xs64c4rnqlh52agwosdfje3523tzxalgdxyvt2utq7lb6pwtqa2a._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/210412-n4g7zeedqa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.visitmatchgo.com/duy/

Unpacked files

SH256 hash:

45f3e22cf4f1b01114e34da31666d712761961d27a1714f5c2052ef22eee324d

MD5 hash:

8cc5d22083ead0fed30d2e6136eda712

SHA1 hash:

0b5214a8661e2af4486d95be9b6bd345dbdbd673

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/a8c5c49f-5e06-4d43-b6fc-a690185138b3/

Parent samples :

f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13
bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034

SH256 hash:

4e66c15ef543d33d970e40438e7c6e2d5a2db6f687247577c522fe340503dd84

MD5 hash:

17cbbb3cd0f5cd950f9cd7c7143f35ba

SHA1 hash:

2b17ebbeddb9d9399615c9d473eadf1f87ccf5aa

Link:

https://www.unpac.me/results/a8c5c49f-5e06-4d43-b6fc-a690185138b3/

SH256 hash:

fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5

MD5 hash:

8b603b23caf00139206f293eb741a9f0

SHA1 hash:

1cc90aec7ce07b13930fe0c088fe3cd155b3ea07

Link:

https://www.unpac.me/results/a8c5c49f-5e06-4d43-b6fc-a690185138b3/

SH256 hash:

bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034

MD5 hash:

525cb22afe0244e45b2831b243b27a68

SHA1 hash:

df33a4a91f50e49ee7c3283b1022024fca7ceade

Link:

https://www.unpac.me/results/a8c5c49f-5e06-4d43-b6fc-a690185138b3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.71

Link:

https://yomi.yoroi.company/submissions/bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time