MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2
SHA3-384 hash: 48eee6fb16ba13764634feb3160677cf1cf5559bab85413f8b69de7b3cba918479a0e553791404a89b76d2c3fd2774b5
SHA1 hash: 53a24cfd0252caaf3e88c8b8be17436f6ac054f9
MD5 hash: 358dcdb4abed9fb934f769d7a6eb2749
humanhash: emma-nebraska-sierra-pip
File name:Purchase Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:542'208 bytes
First seen:2020-10-21 09:56:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:KqT27ROZIFFQvKmG7Di2oLYabqqqDnMmFSWENvhfikkK:KU2w8s2nabqVDnMmFpwh6m
Threatray 2'673 similar samples on MalwareBazaar
TLSH B9B4F1312B58EF30E17E533E59A4101017F9ED46E723C62EBDF920DD9AA6BA54072723
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: slot0.fore-mbaume.com
Sending IP: 45.95.169.145
From: Mashalla.Gogadi <info@fore-mbaume.com>
Subject: Purchase Order
Attachment: Purchase Order.r11 (contains "Purchase Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73969/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505658
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 301890 Sample: Purchase Order.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 40 www.patel.enterprises 2->40 42 patel.enterprises 2->42 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 10 other signatures 2->56 11 Purchase Order.exe 7 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\kIuCAVbyktZlo.exe, PE32 11->32 dropped 34 C:\...\kIuCAVbyktZlo.exe:Zone.Identifier, ASCII 11->34 dropped 36 C:\Users\user\AppData\Local\...\tmpB297.tmp, XML 11->36 dropped 38 C:\Users\user\...\Purchase Order.exe.log, ASCII 11->38 dropped 14 MSBuild.exe 11->14         started        17 schtasks.exe 1 11->17         started        process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 2 other signatures 14->72 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 44 ghs.googlehosted.com 172.217.168.19, 49736, 80 GOOGLEUS United States 19->44 46 heatherbeautybox.com 34.102.136.180, 49738, 49740, 80 GOOGLEUS United States 19->46 48 3 other IPs or domains 19->48 58 System process connects to network (likely due to code injection or exploit) 19->58 25 cscript.exe 19->25         started        signatures10 process11 signatures12 60 Modifies the context of a thread in another process (thread injection) 25->60 62 Maps a DLL or memory area into another process 25->62 64 Tries to detect virtualization through RDTSC time measurements 25->64 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 01:58:24 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xu57jh2fl5izrcbhfxp6h2nama4vrzsohpwvvaahrpo7mutw33za._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08358d0a1584bef3d83e4a3c99d186e8078d398f3d7816df714315eb3c08d527
Formbook
20c0aebe7cad9faafeff8655a50fb31ef9e91208f17035f3b90b91ab8fce0e86
Formbook
3ba3652f91657ae971efd9b9f9b6e6ebee6dbe4e23c2837825d21c7bd7997aac
Formbook
8348c6c60034429d7bca499c5cfb52d04f0705cda36665cbff5db267958811ef
Formbook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
Formbook
86b3d8a135597bcf56f2f6669b514bfd36aeaf1f890233b03a15f18a1c9705e8
Formbook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
Formbook
eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853
Formbook
ec379ea581609100b8ddfcf28eea0dc40ce72fb9e9f3dd310e0dfbeaf06bef0f
Formbook
fea590dbb8987a6358d6708c5728826c5dc44c943ff4145ab1bc6d110c03e13c
Formbook
+ 2'663 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201021-d63ak86v6j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.kiddikutter.site/ry0g/
Unpacked files
SH256 hash:
bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2
MD5 hash:
358dcdb4abed9fb934f769d7a6eb2749
SHA1 hash:
53a24cfd0252caaf3e88c8b8be17436f6ac054f9
Link:
https://www.unpac.me/results/8891d719-7e60-4b41-a979-7c279e3af0c5/
SH256 hash:
38e069ef36315a444896bfe3bcc66379aa5473b808a7b386f9edac9f23ccef3b
MD5 hash:
9d4b0e4efa2b5bf16f728f5a739e8bb5
SHA1 hash:
220cdc7b9fc6600fce30c4a36c89f91e6d3650f4
Link:
https://www.unpac.me/results/8891d719-7e60-4b41-a979-7c279e3af0c5/
SH256 hash:
7a879238a4fb656b77bb2ae3d745511c6c3b8c00642bc9fd2346dd22bff10694
MD5 hash:
0484cc4d71818a44f4e6c73d1f259ad4
SHA1 hash:
6851057d0a516c30f368d7ab8d6c955aca2c2c03
Link:
https://www.unpac.me/results/8891d719-7e60-4b41-a979-7c279e3af0c5/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/8891d719-7e60-4b41-a979-7c279e3af0c5/
SH256 hash:
045a97c9e8e414d4cbefdc6b0c418475acd6e7704251a3e7dc309ddade84633d
MD5 hash:
146253e8d0f5e14ba40d8eaa920c87ca
SHA1 hash:
f1c9e84195ffece79656a9ceb49bd80809651828
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8891d719-7e60-4b41-a979-7c279e3af0c5/
Parent samples :
bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2
52f5f69cea97498f63733e3ea43b67e840177c68d4370531a008c6e7f4fc9abb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar d681facd2e5ba7b9f6331029b1963b05edea582ed1db5ca8afdcf1a73d2dacd6

Formbook

Executable exe bd3bf49f455f519888272ddfe3e9a0603958e64e3bed5a80078bddf65276def2

(this sample)

  
Dropped by
MD5 42463cd5943c3533be312ba13fd4a27f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73969/
  
Dropped by
SHA256 d681facd2e5ba7b9f6331029b1963b05edea582ed1db5ca8afdcf1a73d2dacd6

Comments