MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c889674476922af3c1a1d98a9f03897710d3304dcaeae7ab8b7bc98de854f6ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c889674476922af3c1a1d98a9f03897710d3304dcaeae7ab8b7bc98de854f6ad
SHA3-384 hash: fc7ae5c14035d28fac4026f4172cc0bfcd15b60b39c14324154704377015ee457801b97398f4c4bedc7dd0ea80e13350
SHA1 hash: 2f5f8effb4b32ffad2d213130871c0662a096e79
MD5 hash: f26fbd8620d04f74e45edccd60b287ef
humanhash: hotel-fruit-spring-georgia
File name:APR SOA---- Worldwide Partner--WWP SC+SHA.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:744'960 bytes
First seen:2021-04-26 10:07:49 UTC
Last seen:2021-04-26 10:52:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:mq5ymsJ4BzPmQN7yc7XCejLw15WpD2wo7ZzpbxW7vKdZRPiMFhgYPx6:mq5ymsJ4Nm+9XCC6wohj6vK7R6MFhFP
Threatray 4'916 similar samples on MalwareBazaar
TLSH 0FF4F021A39ADB61D53DA7B891740444C3F6FD17E322E69D7EC9B0E90A72F814B12B13
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
APR SOA---- Worldwide Partner--WWP SC+SHA.PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-04-26 10:11:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e1ced5dd-6745-4f7a-9068-e749bb3f1213

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144294/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.680.5217.784.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/697726
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 397783 Sample: APR SOA---- Worldwide Partn... Startdate: 26/04/2021 Architecture: WINDOWS Score: 100 39 www.weekendcost.com 2->39 41 www.mylifequotenow.com 2->41 43 2 other IPs or domains 2->43 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 13 other signatures 2->57 10 APR SOA---- Worldwide Partner--WWP SC+SHA.PDF.exe 7 2->10         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\QDGLRTwlKIgI.exe, PE32 10->31 dropped 33 C:\Users\...\QDGLRTwlKIgI.exe:Zone.Identifier, ASCII 10->33 dropped 35 C:\Users\user\AppData\Local\...\tmpFF99.tmp, XML 10->35 dropped 37 APR SOA---- Worldw... SC+SHA.PDF.exe.log, ASCII 10->37 dropped 67 Writes to foreign memory regions 10->67 69 Allocates memory in foreign processes 10->69 71 Sample uses process hollowing technique 10->71 73 Injects a PE file into a foreign processes 10->73 14 vbc.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures6 process7 signatures8 75 Modifies the context of a thread in another process (thread injection) 14->75 77 Maps a DLL or memory area into another process 14->77 79 Sample uses process hollowing technique 14->79 81 2 other signatures 14->81 19 cmmon32.exe 14->19         started        22 explorer.exe 14->22 injected 25 conhost.exe 17->25         started        process9 dnsIp10 59 Modifies the context of a thread in another process (thread injection) 19->59 61 Maps a DLL or memory area into another process 19->61 63 Tries to detect virtualization through RDTSC time measurements 19->63 27 cmd.exe 1 19->27         started        45 lacommusic.net 185.203.72.111, 49743, 80 VARITI-INT-ASCH Switzerland 22->45 47 www.novaquitaine-solidaire.com 213.186.33.5, 49736, 80 OVHFR France 22->47 49 13 other IPs or domains 22->49 65 System process connects to network (likely due to code injection or exploit) 22->65 signatures11 process12 process13 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c889674476922af3c1a1d98a9f03897710d3304dcaeae7ab8b7bc98de854f6ad/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-25 21:21:10 UTC
AV detection:
24 of 47 (51.06%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcewordwsivphqnb3gfj6a4jo4ingmcnzlvopk4lppey32cu62wq._file
Verdict:
malicious
Similar samples:
0e23e210b0a781a42bf7f5fcf1cc95b888c1230c819fe7134f04048a36706124
Formbook
37a8922f49037f65771bc1e4ab9d7fbb4b1c27ce2bc79fe618705f4d90ad7615
Formbook
432dc27473a2ca5168e30969aab3359bb01f5936babc35811f336bcc3f195914
Formbook
4bed9bf05fbe39e5c647087ae6384aba6aeef1f7cb730df31d87a40abd4bc7fe
Formbook
5397f0168be76c7e5efee936d341eb359b9015af5e77631129dc0664105e9259
Formbook
73542f2e6652897764dfeeffa70ebc1ccebeb5681bc7a049ec875771c995aa4a
Formbook
ad855c55e13ef5274a20805a3836b508c29cae12d0a2de2807aed08ed4090ddd
Formbook
cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
Formbook
d8de6668573d3ceb90b6794ad11ce332f7d7ece1d4cc1c40b2279ebcdc71b5dd
Formbook
d9f577793aa65b5e41af83ce7a258fd4dee58fc974f5af5952efc137cabbd5a2
Formbook
+ 4'906 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader evasion loader rat
Link:
https://tria.ge/reports/210426-d7em4detq6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Uses the VBS compiler for execution
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Xloader Payload
Xloader
Malware Config
C2 Extraction:
http://www.evrbrite.com/o86d/
Unpacked files
SH256 hash:
e90a19eba5f2de3ba82f652221105bb0682b07c20abddec487c6f4354ea79c39
MD5 hash:
efb0de4397ea61e17d262e278b53ff86
SHA1 hash:
727fdf2ceb13262d56bdda24a02564fb3e80c8b0
Link:
https://www.unpac.me/results/b50b5ffd-3db5-4261-8b84-65fbc09f65dc/
SH256 hash:
c889674476922af3c1a1d98a9f03897710d3304dcaeae7ab8b7bc98de854f6ad
MD5 hash:
f26fbd8620d04f74e45edccd60b287ef
SHA1 hash:
2f5f8effb4b32ffad2d213130871c0662a096e79
Link:
https://www.unpac.me/results/b50b5ffd-3db5-4261-8b84-65fbc09f65dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c889674476922af3c1a1d98a9f03897710d3304dcaeae7ab8b7bc98de854f6ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip b723a3b240870d1ce398609b2691e98d4c312a46b2d5098d60ba454b48031d53

Formbook

Executable exe c889674476922af3c1a1d98a9f03897710d3304dcaeae7ab8b7bc98de854f6ad

(this sample)

  
Dropped by
MD5 467305980a8f52fe0f58275ee04bd579
  
Dropped by
SHA256 b723a3b240870d1ce398609b2691e98d4c312a46b2d5098d60ba454b48031d53
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/144294/

Comments