MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
SHA3-384 hash: c636363cccebaa8900e759d3ad5a2c8a9dee24891b6ff2ab13ff31e2fb404bcf8551d9943543554e2dbc5329d124605f
SHA1 hash: 0d04e357ccb332b63b1a8d9d4e9f6b889c2f0b77
MD5 hash: 673900f8da4aa24a77f61417d0273d85
humanhash: red-quiet-chicken-mobile
File name:PO-000202112.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'073'152 bytes
First seen:2021-01-13 07:40:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:sYz4iC+zzA40cLpjos3s9j6AHsQ9LxxrsfyXGFbKjaiRiK0bq7cx:suvzAncVn3sMQ9jNEK/T0G7c
Threatray 3'393 similar samples on MalwareBazaar
TLSH 73352A40BBE81700F3BD27BC693440615BF5FB95A7B8E31CF86C506A1BA2D5085BE762
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail-smail-vm87.hanmail.net
Sending IP: 211.231.106.162
From: 일동건설(주) <kkss8504@hanmail.net>
Subject: 우리를_인용하십시오 (원소재 요청드립니다.)
Attachment: PO-000202112.cab (contains "PO-000202112.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-000202112.exe
Verdict:
Malicious activity
Analysis date:
2021-01-13 09:26:03 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/e3638990-d1a2-4707-9ca8-fcf07bda2b8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111742/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6561.20828.4607.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/579914
Signature
.NET source code contains potential unpacker
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339003 Sample: PO-000202112.exe Startdate: 13/01/2021 Architecture: WINDOWS Score: 100 41 www.twin-force.com 2->41 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 10 other signatures 2->55 11 PO-000202112.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\KUrQojFHu.exe, PE32 11->33 dropped 35 C:\Users\...\KUrQojFHu.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\Local\Temp\tmpFBD.tmp, XML 11->37 dropped 39 C:\Users\user\...\PO-000202112.exe.log, ASCII 11->39 dropped 65 Tries to detect virtualization through RDTSC time measurements 11->65 15 PO-000202112.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 43 www.freisaq.com 63.250.34.114, 49702, 80 NAMECHEAP-NETUS United States 20->43 45 www.lassgal.com 185.212.130.9, 49703, 80 INTERNET-ITNL Germany 20->45 47 2 other IPs or domains 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 26 cmstp.exe 20->26         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 07:41:21 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yotj3odefbk6dx6lzmqt67yfbrp3fwdhiqmdwe2igqi7s4ajykqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0b69258626ece584131b49ae0aa317153d7b4ae602e7f936be7f462905cd9d8a
Formbook
1b514f5e6484c97155dda3e6ee1073f41f19318af2d00d0bec33c6dc7844c3f6
Formbook
3dde92f19924860f0874ee0fe3fab80a1112c20e18d9782528bd7c471f0f2344
Formbook
3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd
Formbook
5b7c7d4bf17521dddc7ee1accfee37d1b50e89f634e7c67439ae92dcef4c32e3
Formbook
6308def230fca10ddd70426bb31764afd2564530a7ff775cf28e5e958c5bd37a
Formbook
77cc0ec039c99a695a94081d8462ee42b5b526a1da92bf05c65f3ff8fd40ec0c
Formbook
7c7f99d2b695777b5809dcee0723304b77a06ea8c72ec8a9e0967e4d8584d585
Formbook
9010e5361743ddacac6baa4a585ed4d9db9ed3ce65401b012d16923afebe414f
Formbook
d236ee873e8191d24434226bc7b80f0542db7ed43323181b5ee8bc3a3de052cc
Formbook
+ 3'383 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210113-qpr2ssfnns/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.culturespk.com/kbl/
Unpacked files
SH256 hash:
c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
MD5 hash:
673900f8da4aa24a77f61417d0273d85
SHA1 hash:
0d04e357ccb332b63b1a8d9d4e9f6b889c2f0b77
Link:
https://www.unpac.me/results/f0e92d95-51c7-4ab3-b5af-1129fb854247/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/f0e92d95-51c7-4ab3-b5af-1129fb854247/
SH256 hash:
a1c3702f0181b691fdd05bc1740bb44fda84786a7a3e3fbfe77e65adf100d427
MD5 hash:
693e335503922e9feb89997b729f34dc
SHA1 hash:
b96cc726167b0bddc1f6b82ad3ff3f46462a8442
Link:
https://www.unpac.me/results/f0e92d95-51c7-4ab3-b5af-1129fb854247/
SH256 hash:
e6d55ea1bf26b4658cf7533091e0fcf1f0ab04e2d5b337b060853a1b95669c4f
MD5 hash:
7e1e48c9ec5e580d12c7b591b873e1e7
SHA1 hash:
cf421a1e19a851998c8fb6df1f77835ce73306d9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f0e92d95-51c7-4ab3-b5af-1129fb854247/
Parent samples :
c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
6137b4de219fce7538feaecc75252730393b4335fabf3c11024a3d1b0942819c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

cab e0c517539cc2c25f72716dfbdcc4923209c35995d388c7ea4b56d2518c13a362

Formbook

Executable exe c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0

(this sample)

  
Dropped by
MD5 876391cdcef6ab638e2a51bc00d16753
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e0c517539cc2c25f72716dfbdcc4923209c35995d388c7ea4b56d2518c13a362
Cape
Cape
https://www.capesandbox.com/analysis/111742/

Comments