MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833
SHA3-384 hash: 5f84ee0c579d974d7250eb8771fcea2c0c5cfab9e31a7ae5383d0db0330c54d7bc67057d23456d712288ccb16bba9c62
SHA1 hash: d6bffb32eabfd79662d155bdf9bd2ad4fd4bc886
MD5 hash: 779155a1566955eb97c362791648bf01
humanhash: massachusetts-stairway-seven-video
File name:Request for quotation, Purchase Order no 1093121.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:776'192 bytes
First seen:2021-01-07 14:01:06 UTC
Last seen:2021-01-07 15:32:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:dfDl+/VCgLtJ79MEGv70jv9m/n9HTDTkI/VxwvKZRLufgJiZvh:hl+Ppg0TmnxTDTkI/VxvR1JiZ
Threatray 3'313 similar samples on MalwareBazaar
TLSH 97F49E6362D62B91E439D374D4156400B3E1ACCED272F63E3DDBF09A4C76A9301B6A36
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: server3.bsname.com
Sending IP: 111.91.236.19
From: Joseph Liew <joseph.liew@petronas.com>
Reply-To: Joseph Liew <josephp.liew@outlook.com>
Subject: [Petronas]: Request for quotation, Purchase Order no: 1093121
Attachment: Request for quotation, Purchase Order no 1093121.zip (contains "Request for quotation, Purchase Order no 1093121.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for quotation, Purchase Order no 1093121.exe
Verdict:
Malicious activity
Analysis date:
2021-01-07 14:12:14 UTC
Tags:
formbook trojan stealer
Link:
https://app.any.run/tasks/7a4b2119-36be-4037-aa8f-b0ad443f4df6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110828/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.19672.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/575929
Signature
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337020 Sample: Request for quotation, Purc... Startdate: 07/01/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 8 other signatures 2->48 10 Request for quotation, Purchase Order no 1093121.exe 3 2->10         started        process3 file4 34 Request for quotat... no 1093121.exe.log, ASCII 10->34 dropped 52 Injects a PE file into a foreign processes 10->52 14 Request for quotation, Purchase Order no 1093121.exe 10->14         started        17 Request for quotation, Purchase Order no 1093121.exe 10->17         started        19 Request for quotation, Purchase Order no 1093121.exe 10->19         started        21 Request for quotation, Purchase Order no 1093121.exe 10->21         started        signatures5 process6 signatures7 60 Modifies the context of a thread in another process (thread injection) 14->60 62 Maps a DLL or memory area into another process 14->62 64 Sample uses process hollowing technique 14->64 66 Queues an APC in another process (thread injection) 14->66 23 explorer.exe 14->23 injected process8 dnsIp9 36 www.iric-canada.net 162.255.119.136, 49746, 80 NAMECHEAP-NETUS United States 23->36 38 deejayatl.com 34.102.136.180, 49742, 80 GOOGLEUS United States 23->38 40 4 other IPs or domains 23->40 50 System process connects to network (likely due to code injection or exploit) 23->50 27 svchost.exe 23->27         started        signatures10 process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 27->54 56 Maps a DLL or memory area into another process 27->56 58 Tries to detect virtualization through RDTSC time measurements 27->58 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-07 14:02:06 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x44miikxvmqdrptk4n2hthfyzuwflovkiwvq6ss7ridowdcbvazq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
073c6184b73bb8ae675774bd64e81e1023f6df992fb763358f9653d980e4b55e
Formbook
18c2c7353431fb6ef10a1a3a8abd5219e4cc4f669c56bf4f68bc6d5e2246a806
Formbook
1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32
Formbook
1dba234b02f09529474a95cfa6bd1f25380b484e2a35ead62e8caca5976abb97
Formbook
59ce83a6f502ce8e4d717a387bebf425424a566eaa9e8c2c4a24fe864afc1679
Formbook
73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264
Formbook
b3420cc90cce972045db0377a5c383ce049652650946b0c84f27280a7dbd1e38
Formbook
db53a27c43dddb419e9d058e6288f3c1e7fc7e4bd62e3bb048e7103dcf79d682
Formbook
e4974ddc809773cd725cfc7070ad545ddf4aa1fc211eb77a1eaae7b7fc1a019c
Formbook
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
Formbook
+ 3'303 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210107-k53whwd2ce/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.deejayatl.com/khm/
Unpacked files
SH256 hash:
bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833
MD5 hash:
779155a1566955eb97c362791648bf01
SHA1 hash:
d6bffb32eabfd79662d155bdf9bd2ad4fd4bc886
Link:
https://www.unpac.me/results/28eb8eb2-b7df-4a06-940e-8fb717533cd2/
SH256 hash:
78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df
MD5 hash:
0d89407b450dd157f3eac8a3a3850a07
SHA1 hash:
ae3cd291f2a022360896d4fae4f005f2b50a8364
Link:
https://www.unpac.me/results/28eb8eb2-b7df-4a06-940e-8fb717533cd2/
SH256 hash:
7d078e91e73d6f2a23e12bec55f85b3aeabe47e1bd6d134beaed99a3f1a278e1
MD5 hash:
f4aa8bba7221fcb51337d7873173dc3e
SHA1 hash:
8d1a9678b4271d4367d24e59fee13295cc5ba491
Link:
https://www.unpac.me/results/28eb8eb2-b7df-4a06-940e-8fb717533cd2/
SH256 hash:
d074d81c4f3f8ba7ba0b7e2f5c95d0c7943d201df80c97825891cf6590155104
MD5 hash:
57adcb2330050f5528e283536a66f645
SHA1 hash:
5b9e9961e5d491bc436e9e5a5906212486c1e5c1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/28eb8eb2-b7df-4a06-940e-8fb717533cd2/
Parent samples :
73b51938efd53695a02c86e7bf50fac91203e43b5808758b2a698ef10475d264
bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833
8cfcf36016d933b2dee4ecea9f2d0416444fda668345c0cf82845f49962cd013
94ff08030a3e4421baf3ad3489d4d757dd4e8aab659aa8a06f99d2d81526d17e
f8efa3021228dad9812ac764085f791117265d9859bfb5ed21e07f04f1cb0b5f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 0c125aaea07b9b97fedc0e2022f3951ef3cdefda9110c3b1f4955abeeed9ac22

Formbook

Executable exe bf38c42157ab2038be6ae374799cb8cd2c55baaa45ab0f4a5f8a06eb0c41a833

(this sample)

  
Dropped by
MD5 bc32021093147eac3742eba7f8a42532
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110828/
  
Dropped by
SHA256 0c125aaea07b9b97fedc0e2022f3951ef3cdefda9110c3b1f4955abeeed9ac22

Comments