MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be770e407dcedcafe214f75273fbbbd7264c1c7c48dbc6da8764add43296adce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be770e407dcedcafe214f75273fbbbd7264c1c7c48dbc6da8764add43296adce
SHA3-384 hash: 7e5a8ad62a4690ec031747ccb7aefaa76c09804b079abfe28b4fc8b8d3c2e4bbba3092aedcacadb85d67030a2ecad54f
SHA1 hash: 9230905d50e7a13937bb1f076f63f0da962864c1
MD5 hash: e079c68325f24f2ddd7c677d3d90393c
humanhash: five-quiet-maryland-high
File name:SCAN_20210112_132640143,pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:862'208 bytes
First seen:2021-01-12 07:25:29 UTC
Last seen:2021-01-12 08:55:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:IBem76Crdsoznl9N9zZVSWavwO2PGhBIKisqIEm5C6ey3m9F6J:IBR7TrSo7Jtt8D2ehBIKzEuF3m9o
Threatray 3'341 similar samples on MalwareBazaar
TLSH FF056A61DB929711D7AC13FD2411006227E5CF69F3E8EB68ED9970B26F76A2801FD1C2
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail-smail-vm31.hanmail.net
Sending IP: 203.133.180.215
From: 태림종합건설 <e-taelim@hanmail.net>
Subject: 우리를_인용하십시오 (원소재 요청드립니다.)
Attachment: SCAN_20210112_132640143,pdf.cab (contains "SCAN_20210112_132640143,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SCAN_20210112_132640143,pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-12 08:17:41 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/fdb43e3e-6d92-41a6-bd67-442669c3b372

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111433/
Detection(s):
SecuriteInfo.com.HEUR.QVM03.0.8E22.Malware.Gen.29231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/578734
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338416 Sample: SCAN_20210112_132640143,pdf.exe Startdate: 12/01/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 8 other signatures 2->52 10 SCAN_20210112_132640143,pdf.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\...\cLTxxXwSGp.exe, PE32 10->32 dropped 34 C:\Users\...\cLTxxXwSGp.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp7322.tmp, XML 10->36 dropped 38 C:\...\SCAN_20210112_132640143,pdf.exe.log, ASCII 10->38 dropped 62 Tries to detect virtualization through RDTSC time measurements 10->62 14 SCAN_20210112_132640143,pdf.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 www.kmc-commerce.com 188.93.150.114, 49773, 80 SIGNET-ASSignetBVNL Netherlands 19->40 42 whatsagrouplinks.com 199.193.115.48, 49768, 80 HVC-ASUS United States 19->42 44 5 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 systray.exe 19->25         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be770e407dcedcafe214f75273fbbbd7264c1c7c48dbc6da8764add43296adce/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-12 05:50:52 UTC
AV detection:
2 of 46 (4.35%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xz3q4qd5z3ok7yqu65jhh65324teyhd4jdn4nwuhmsw5imuwvxha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
201e2fd48dfdd75ee8abf1ad910deb3ffa1784ae0229fe7588b2b54119409aee
Formbook
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
Formbook
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
5de53b92c1f20755b6ff2884cdfdbbca9d1a4b9d138f5b7e559c5605460b277c
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
9728048925e7faf422c4d7bacfaa90fae8bdcc9efad8a0868b456f3d4b213d09
Formbook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Formbook
+ 3'331 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210112-rw5nn2ykvx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.alterhigh.com/rmck/
Unpacked files
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/6eb0276e-c6b2-4a89-a782-9103ade78d38/
SH256 hash:
b2cab21ca6ac6d18f904ba323c82a8c204f24db9a940add131234c963c63fc76
MD5 hash:
d192dd1d941a54c052cacef8b605f2e4
SHA1 hash:
15af4f3afacce1706008bed906f8eb94eaa71354
Link:
https://www.unpac.me/results/6eb0276e-c6b2-4a89-a782-9103ade78d38/
SH256 hash:
ff5b84324353e18879da051d023f4d4b95651525a0fabe15112d7c06702b8222
MD5 hash:
44f92a95adfee8a2605998534f25428e
SHA1 hash:
f2cfc7b3386eb14719f3ba8427ff3c4331761bd2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6eb0276e-c6b2-4a89-a782-9103ade78d38/
SH256 hash:
be770e407dcedcafe214f75273fbbbd7264c1c7c48dbc6da8764add43296adce
MD5 hash:
e079c68325f24f2ddd7c677d3d90393c
SHA1 hash:
9230905d50e7a13937bb1f076f63f0da962864c1
Link:
https://www.unpac.me/results/6eb0276e-c6b2-4a89-a782-9103ade78d38/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be770e407dcedcafe214f75273fbbbd7264c1c7c48dbc6da8764add43296adce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

cab c9450a71b733b676444075423932f94082ac7d409aaee9a68adb15c507231bab

Formbook

Executable exe be770e407dcedcafe214f75273fbbbd7264c1c7c48dbc6da8764add43296adce

(this sample)

  
Dropped by
MD5 43494d6169afd958a81595f294edf204
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111433/
  
Dropped by
SHA256 c9450a71b733b676444075423932f94082ac7d409aaee9a68adb15c507231bab

Comments