MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bec4389116e13ab9a8873d6f5c875044fc2cc92f5a462ad9fe5aeeef9a2ee1c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bec4389116e13ab9a8873d6f5c875044fc2cc92f5a462ad9fe5aeeef9a2ee1c1
SHA3-384 hash: 7cde07ae290d3a962a97b0ad32449a42950d16bf1fda9f78aec566ff8e500389ebe773fcddfedb8f13dcaa32816bd5da
SHA1 hash: d9469de97fadd32fb7db5a75199305fb42b24a0d
MD5 hash: 251c9070dfe43f5ec27a10d1f5956fe5
humanhash: oregon-potato-tango-delaware
File name:new quotation order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'060'864 bytes
First seen:2020-11-24 15:26:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:sEnXelQrSh0HJn0eHjD8BUZuA4uSl/NiyKB4x:XCkWS8UZuA47Piy
Threatray 3'032 similar samples on MalwareBazaar
TLSH 9B35E065B399BF01E1BD473A88E0142193F6EC069AA2C52E7DEC749D1FB1FDC8921607
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/546150
Signature
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322171 Sample: new quotation order.exe Startdate: 24/11/2020 Architecture: WINDOWS Score: 100 42 g.msn.com 2->42 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 8 other signatures 2->56 11 new quotation order.exe 3 2->11         started        signatures3 process4 file5 38 C:\Users\user\...\new quotation order.exe.log, ASCII 11->38 dropped 68 Injects a PE file into a foreign processes 11->68 15 new quotation order.exe 11->15         started        signatures6 process7 signatures8 72 Modifies the context of a thread in another process (thread injection) 15->72 74 Maps a DLL or memory area into another process 15->74 76 Sample uses process hollowing technique 15->76 78 Queues an APC in another process (thread injection) 15->78 18 explorer.exe 15->18 injected process9 dnsIp10 44 themillticket.com 34.102.136.180, 49745, 49746, 49747 GOOGLEUS United States 18->44 46 lourdeszamalloa.com 160.153.136.3, 49735, 49736, 49737 GODADDY-AMSDE United States 18->46 48 5 other IPs or domains 18->48 58 System process connects to network (likely due to code injection or exploit) 18->58 22 ipconfig.exe 18 18->22         started        26 autofmt.exe 18->26         started        signatures11 process12 file13 34 C:\Users\user\AppData\...\36Mlogrv.ini, data 22->34 dropped 36 C:\Users\user\AppData\...\36Mlogri.ini, data 22->36 dropped 60 Detected FormBook malware 22->60 62 Tries to steal Mail credentials (via file access) 22->62 64 Tries to harvest and steal browser information (history, passwords, etc) 22->64 66 3 other signatures 22->66 28 cmd.exe 2 22->28         started        signatures14 process15 file16 40 C:\Users\user\AppData\Local\Temp\DB1, SQLite 28->40 dropped 70 Tries to harvest and steal browser information (history, passwords, etc) 28->70 32 conhost.exe 28->32         started        signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bec4389116e13ab9a8873d6f5c875044fc2cc92f5a462ad9fe5aeeef9a2ee1c1/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 05:02:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3cdreiw4e5ltkehhvxvzb2qit6czsjpljdcvwp6llxo7gro4haq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
03c495ebfcd620a041e0e06a8f25150e27ad5445f31d1fcd502c1845ae1ad87b
FormBook
201e2fd48dfdd75ee8abf1ad910deb3ffa1784ae0229fe7588b2b54119409aee
FormBook
6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645
FormBook
83b4f4fef30eb6e425229b53856cca35eca4a11ea3f5ef182a525444ba122661
FormBook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
FormBook
8de3d12f5661c36ae89e13085dc5d4c6db3000e434f960eb80adece4aaae8219
FormBook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
FormBook
a244a77f990bdec5f4f81d605990749206b6e5827e4bc140b9b4b2fbfdb0bb12
FormBook
ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80
FormBook
f071c302252202ae71dd004191dad662307c670d95b53b7c0f5d0c8c039e9e7b
FormBook
+ 3'022 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201124-vw3zz4cvd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.wholesalebrands.xyz/mkr/
Unpacked files
SH256 hash:
bec4389116e13ab9a8873d6f5c875044fc2cc92f5a462ad9fe5aeeef9a2ee1c1
MD5 hash:
251c9070dfe43f5ec27a10d1f5956fe5
SHA1 hash:
d9469de97fadd32fb7db5a75199305fb42b24a0d
Link:
https://www.unpac.me/results/adb2afdb-6550-42e5-b719-bc3f25654d88/
SH256 hash:
ab94e33f48ca834505e7b98c723a2dabf82dac39c478316bc24dc3695143ecc7
MD5 hash:
f57f742d4192acb830b5660e3cbdabd7
SHA1 hash:
0ae36e34306c6b07e64e361763c700f44017dcbd
Link:
https://www.unpac.me/results/adb2afdb-6550-42e5-b719-bc3f25654d88/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/adb2afdb-6550-42e5-b719-bc3f25654d88/
SH256 hash:
aa7d2b07b667dcd89a375075d424d24c7b259ad23aa9d97fa15cd8a92f071076
MD5 hash:
833eca87c44ec5e83afc855b37635bbb
SHA1 hash:
3223e1888ccd816f0a5165e29d22070b4c8aa75f
Link:
https://www.unpac.me/results/adb2afdb-6550-42e5-b719-bc3f25654d88/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/adb2afdb-6550-42e5-b719-bc3f25654d88/
SH256 hash:
f5cf2fd415daaec5afaf7eaa946347bb5f7650207096ba926cb20bc90c7e0598
MD5 hash:
15992cee40af76e748679b15aeeaa13c
SHA1 hash:
8300655c51ecb1bee0ca68f1f95a5e49258f9cb3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/adb2afdb-6550-42e5-b719-bc3f25654d88/
Parent samples :
83b4f4fef30eb6e425229b53856cca35eca4a11ea3f5ef182a525444ba122661
bec4389116e13ab9a8873d6f5c875044fc2cc92f5a462ad9fe5aeeef9a2ee1c1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bec4389116e13ab9a8873d6f5c875044fc2cc92f5a462ad9fe5aeeef9a2ee1c1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments