MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c210aaa467b87329ad410c0d0538011014506c758026f3154fc2ba7003069b72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c210aaa467b87329ad410c0d0538011014506c758026f3154fc2ba7003069b72
SHA3-384 hash: 130cbc87f4ab19b8262a33cec7691b592a2858cb7866879c63693bb4e99f4f679ee2643f0084a51600bcfbec92fda828
SHA1 hash: 0bc9e074707b0313bfe06ae1299eed8035803e17
MD5 hash: 057614f5ea77dd2feffece63e20d4bce
humanhash: happy-september-butter-papa
File name:PURCHASE ORDER CONFIRMATION.xlsx
Download: download sample
Signature Formbook
Create hunting rule
File size:701'440 bytes
First seen:2020-08-18 12:44:35 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/encrypted
ssdeep 12288:cAicWm45yCWZPX/A5xz2f0zZQ6hGi2VtqlKuJmry0fn1bGsgzZT4bGEGj:9icJZP45h8yZ/oi2VtJ7f1b8zebJGj
TLSH E9E423AEACD0EF53CE37B2BB9B5D9AF2542DEC739B40508350A432079CB0B505DB1268
Reporter abuse_ch
Tags:FormBook xlsx


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: fr1-cp01-eq.cpanel-srv.com
Sending IP: 185.184.71.3
From: EASTERN BROTHER SHIPPING CO.,LIMITED <lefteris@kontogiorgakis.gr>
Reply-To: shippingebs@vip.163.com
Subject: RE: Purchase order confirmation and proforma invoice
Attachment: PURCHASE ORDER CONFIRMATION.xlsx

FormBook payload URL:
http://chinese2stdyonlyywalkaloneinlifev18tfd.duckdns.org/chnsfrnd2/winlog.exe

FormBook C2:
http://www.flekcht.com/ngh/

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Doc.Packed.EncryptedDoc-6563700-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Deleting a recently created file
Setting browser functions hooks
Sending an HTTP GET request
Launching a file downloaded from the Internet
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Creating a process from a recently created file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c210aaa467b87329ad410c0d0538011014506c758026f3154fc2ba7003069b72/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 02:19:52 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yiikvjdhxbzstlkbbqgqkoabcakfa3dvqatpgfkpyk5haaygtnza._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200818-7kqvg5y6m6/
Behaviour
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Adds policy Run key to start application
Blacklisted process makes network request
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flekcht.com/ngh/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c210aaa467b87329ad410c0d0538011014506c758026f3154fc2ba7003069b72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsx c210aaa467b87329ad410c0d0538011014506c758026f3154fc2ba7003069b72

(this sample)

Formbook

Executable exe 839856ed87695990bbed8a508ff2645ad729f46753fe487a286361a15aa2ea94

  
URLhaus
https://urlhaus.abuse.ch/url/434500/
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 839856ed87695990bbed8a508ff2645ad729f46753fe487a286361a15aa2ea94
  
Dropping
MD5 194104a943f670cf0f7d47cdfcf832d8

Comments