MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37
SHA3-384 hash: 8f000d2daf859e65573e758fe772a1e182a98a725ea6a7684e335b9573e2ca50ad22152068138760ba960ca19964e1d3
SHA1 hash: 05fc99cda430daa8bb5858d8fb5f2e07a9e39afa
MD5 hash: 7c070cf385827c93cc9a077f5e4b0a21
humanhash: dakota-enemy-lake-coffee
File name:ant.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:553'454 bytes
First seen:2020-11-18 12:55:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 12288:WanOcqP8FnFA7Y/ZLPeRLNH5TsbtNDkYa+ETBdg8R8sJwhhuBaF6I2:gGW7YRgxH5TUwBKfsJFBav2
Threatray 3'575 similar samples on MalwareBazaar
TLSH E7C4239F1B80F41DE820157010BAEDD9EFD2F4E81AD8C382EF576D7E341A5A6D90E852
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail.mammoth.local
Sending IP: 210.255.88.226
From: "Allen Wu" <nestley@tpg.com.au>
Subject: RE: 采凡- 詢價 124
Attachment: Nov Order 17-08-20TNQ1.zip (contains "ant.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541075
Signature
Creates executable files without a name
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 319640 Sample: ant.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 42 www.wellnesspharma.net 2->42 44 wellnesspharma.net 2->44 46 www.pyskah.com 2->46 62 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 2 other signatures 2->68 12 ant.exe 65 2->12         started        signatures3 process4 file5 34 C:\Users\user\AppData\...\DrongoAccord.dll, PE32 12->34 dropped 36 C:\Users\user\AppData\Local\Temp\...\.dll, GIF 12->36 dropped 38 C:\Users\user\AppData\...\vswebdesignedui.dll, PE32 12->38 dropped 40 8 other files (none is malicious) 12->40 dropped 86 Creates executable files without a name 12->86 16 rundll32.exe 12->16         started        signatures6 process7 signatures8 56 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->56 58 Hijacks the control flow in another process 16->58 60 Maps a DLL or memory area into another process 16->60 19 cmd.exe 16->19         started        process9 signatures10 70 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->70 72 Modifies the context of a thread in another process (thread injection) 19->72 74 Maps a DLL or memory area into another process 19->74 76 3 other signatures 19->76 22 explorer.exe 19->22 injected process11 dnsIp12 48 www.wwwmmcguard.com 81.17.18.198, 49748, 80 PLI-ASCH Switzerland 22->48 50 spidermenroofsupport.com 34.102.136.180, 49740, 80 GOOGLEUS United States 22->50 52 8 other IPs or domains 22->52 78 System process connects to network (likely due to code injection or exploit) 22->78 26 raserver.exe 12 22->26         started        signatures13 process14 dnsIp15 54 www.peipei521.com 26->54 80 Modifies the context of a thread in another process (thread injection) 26->80 82 Maps a DLL or memory area into another process 26->82 84 Tries to detect virtualization through RDTSC time measurements 26->84 30 cmd.exe 1 26->30         started        signatures16 process17 process18 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37/
Threat name:
Win32.Trojan.Delikle
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 01:41:45 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ylwzu4d32egu3hmsshi7266hgfwyvahyi23cmpeab74jrbledy3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
242713ef2f372f0d39ca8f01bd09c9f99bcfe850e156621c023dd9e0bfb9bd95
Formbook
6142ce64bdf7d4373dedcadb54fb06efed10595a65713783f2930eb1ebb9f989
Formbook
7228df4e99446bc90a54ff9f01d2f77a10dc39a8def840bbacc1563bd1e633ef
Formbook
8bcdcd3db1dd3688101b18e4c090194ce7ac4e96ef206e56d5595e467cf25e46
Formbook
959621ed5f48dbbefe1c0e0e0a87bba88bc7a6b39cd1e10af930e1b969de9f97
Formbook
9ea8141b737b1dd5d56c800d4f84048014d83489f0fb3a78e42076a81186e30d
Formbook
a102c4a2dfca8c218f1e65cbb5050012da856c3deba018d8c238fa9b09dd3a2b
Formbook
b1d9adc8ee80f24960fb84adbb029695e49763faecbf559f92410d44bf28b0d3
Formbook
d30b949fc05b15b611b3fe420b6883062c5bb2b270c769540c48f703a46cbbf3
Formbook
dafbe8f50df58d704b31ddd6cde8fafa09627ffc4dc63b774104376fe924c3e9
Formbook
+ 3'565 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201118-a6v1kktb7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.wellnesspharma.net/94sb/
Unpacked files
SH256 hash:
c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37
MD5 hash:
7c070cf385827c93cc9a077f5e4b0a21
SHA1 hash:
05fc99cda430daa8bb5858d8fb5f2e07a9e39afa
Link:
https://www.unpac.me/results/da7bb32a-fcea-4e23-a886-b3e10d9275ca/
SH256 hash:
3d69ad555d5a03d2fa753247f88af590f32b10300fa31b8efb7903f1120bf74b
MD5 hash:
952cabb69db875a125b9e9fb7a0be671
SHA1 hash:
2103598fde145b28d0adcfba1a9d0f2910ccb6be
Link:
https://www.unpac.me/results/da7bb32a-fcea-4e23-a886-b3e10d9275ca/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip c93b899a9ed79d10e552fada99ddd1466976687fe491457a9ca53a0083c11ee8

Formbook

Executable exe c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37

(this sample)

  
Dropped by
MD5 999a28c462fdca7e0ea8738355debc33
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c93b899a9ed79d10e552fada99ddd1466976687fe491457a9ca53a0083c11ee8

Comments