MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a
SHA3-384 hash: 0087173ee7b9cc4be1cfc816ba1bb1c5fc2a2f514d2c501ffc1c917339e7128691f485c1434d72deb25152067126db00
SHA1 hash: d4c0478d1c4967b0315d74cfc4e093f16f42cfa7
MD5 hash: 5224c99e55f7c5d948b4630d55bb0b4f
humanhash: cola-floor-east-freddie
File name:New Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:623'760 bytes
First seen:2020-10-12 06:14:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:2spzJL2hVc6phHKESYXmDnzp7SZG+vlnng+Vp8EG/m:2spzJL4Vc6phHKESYXmDnN7Sdlg+VS1O
Threatray 2'404 similar samples on MalwareBazaar
TLSH ACD49E4073D2FDC6D3B9437E05D3C88516F0AE729162E21ECDC866EEDA825062F59BC6
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: craig-group.com
Sending IP: 23.106.160.116
From: Cheryl Fernandes <cheryl.fernandes@craig-group.com>
Subject: RE: RFQ MR 2091000128 CMR-GROUP/DORD 1658/PO000001879
Attachment: New Order.rar (contains "New Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69949/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488012
Signature
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296455 Sample: New Order.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected FormBook 2->48 50 6 other signatures 2->50 10 New Order.exe 2->10         started        process3 signatures4 54 Hides threads from debuggers 10->54 56 Injects a PE file into a foreign processes 10->56 13 New Order.exe 10->13         started        16 WerFault.exe 23 9 10->16         started        19 timeout.exe 1 10->19         started        process5 file6 64 Modifies the context of a thread in another process (thread injection) 13->64 66 Maps a DLL or memory area into another process 13->66 68 Sample uses process hollowing technique 13->68 70 Queues an APC in another process (thread injection) 13->70 21 explorer.exe 13->21 injected 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->36 dropped 25 conhost.exe 19->25         started        signatures7 process8 dnsIp9 38 www.zqtc365.com 193.31.115.133, 49736, 80 QUICKPACKETUS United Kingdom 21->38 40 www.hairbodyandballs.com 103.67.235.120, 49748, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Philippines 21->40 42 www.parcelero.com 13.56.33.8, 49739, 80 AMAZON-02US United States 21->42 52 System process connects to network (likely due to code injection or exploit) 21->52 27 msiexec.exe 21->27         started        30 autofmt.exe 21->30         started        signatures10 process11 signatures12 58 Modifies the context of a thread in another process (thread injection) 27->58 60 Maps a DLL or memory area into another process 27->60 62 Tries to detect virtualization through RDTSC time measurements 27->62 32 cmd.exe 1 27->32         started        process13 process14 34 conhost.exe 32->34         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 04:45:18 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yyi4irdoiycfghuobfsqqqrp2anshutmijhzmjoqjht63l2pkzva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
Formbook
4ba0d07d32c048141100317f95bd6dd8b791ba9c6608730b8408530490a13922
Formbook
765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037
Formbook
a998850fc7940055baac6f61dde2d0e29836c9386ac87555549eeaa1a9998401
Formbook
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
Formbook
d4014ac2689b47f11708425cad3d8aa02dd05ee6d6745006156dffbe0a27b4be
Formbook
da111408d9dccb99b2c429d535ca55f6e970d911da4c24553e75d02fe9c00489
Formbook
db53a27c43dddb419e9d058e6288f3c1e7fc7e4bd62e3bb048e7103dcf79d682
Formbook
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
Formbook
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
Formbook
+ 2'394 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201012-ecbqtqdgra/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.defigravity.finance/prs/
Unpacked files
SH256 hash:
36cb3e0ab7216baa3e0c9f39b2cb7412a63d2cd2d61e6e8a09d134231c80ffba
MD5 hash:
77729917fd4b71aa30052f43cbb15124
SHA1 hash:
dde0cd5eab9cac328158ed8a392cb524e125eb2b
Link:
https://www.unpac.me/results/e0399966-742f-4a5b-b7c3-050baab8e9c2/
SH256 hash:
3a16161ce0097bbea9e7b424f66564571c376a5c72914dbf0824985e5fe59301
MD5 hash:
a837c0cc2d34eb739826870b6c2b1c4f
SHA1 hash:
583614cca9bf23a5c754a1ece801145dcea72fb6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e0399966-742f-4a5b-b7c3-050baab8e9c2/
SH256 hash:
c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a
MD5 hash:
5224c99e55f7c5d948b4630d55bb0b4f
SHA1 hash:
d4c0478d1c4967b0315d74cfc4e093f16f42cfa7
Link:
https://www.unpac.me/results/e0399966-742f-4a5b-b7c3-050baab8e9c2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 20a793c715fe965d0f83aa1abb0fd20de6d913d5878cd3ba9cfe26270937b7ab

Formbook

Executable exe c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a

(this sample)

  
Dropped by
MD5 621e9e602ea030cd070831d15d061b93
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69949/
  
Dropped by
SHA256 20a793c715fe965d0f83aa1abb0fd20de6d913d5878cd3ba9cfe26270937b7ab

Comments