MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9
SHA3-384 hash: 66306aaee1a3fee498973cb64c2a88a58446b7698617445a48483ce31360adcb5eac3fafd922e91c200d3b47966329df
SHA1 hash: 868807c4265bdfb8160cc9c7b062b8208a5ef93d
MD5 hash: e47c0ab9cf929abce76d77ae7d634095
humanhash: iowa-east-island-network
File name:Mv Maersk Kleven V949E_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:867'328 bytes
First seen:2021-01-14 06:58:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:VWlQtxYfPB1taM4BLb/rSwSRAc3C54BvFytPK/ll0Lu9XFl80n26EsZjiqAmTD:VoQLcPzQM44BRNmYFyYJ9X/80IsZ
Threatray 3'346 similar samples on MalwareBazaar
TLSH 5905E6479804978FE03586B9BE531F6C6F1A3E1DA5C666EF40230D8B7A383724D4E46E
Reporter abuse_ch
Tags:exe FormBook Maersk


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: vm4983.aproweb.it
Sending IP: 217.64.205.19
From: A.P. Moller - Maersk <info@hoteldaltavilla.it>
Subject: RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 //
Attachment: Mv Maersk Kleven V949E_pdf.gz (contains "Mv Maersk Kleven V949E_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Mv Maersk Kleven V949E_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 07:35:15 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/b3fb9730-022c-4938-af60-3a32a176ff35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111950/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/581167
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339619 Sample: Mv Maersk Kleven V949E_pdf.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 7 other signatures 2->42 10 Mv Maersk Kleven V949E_pdf.exe 3 2->10         started        process3 file4 28 C:\...\Mv Maersk Kleven V949E_pdf.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 Mv Maersk Kleven V949E_pdf.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.delunmolding.com 154.209.54.26, 49755, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 17->30 32 www.alverazricardez.com 45.147.213.4, 49753, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Netherlands 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 raserver.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-14 04:13:01 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zfggksg5oi5fw2vmgrpyvltf2tmmn2dmh2dbsxbsmfvllx5izouq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0bfa5712201676e9439c4624fd99b8ec2bba95ccd53fb67f0a289b0a8347fc7c
Formbook
1288ae44d28cad478afd6fae196164f297b8656977fd2ac34d08ab5877a5b795
Formbook
18030a9ea4cf60ea858db8b302cdd94962069f232be6212787ad1ddca0bbbe54
Formbook
383d80ef71e1bd484b6838e3c89eebca3bea49ef0648d3a79564c87aa6ddc00f
Formbook
470d8938f9eedf84f9f75a9862f09d98bd0c9d265ede33a2f0983a5c26d17a7f
Formbook
5b59e08e82994cd78df8856c5d7cfd4b30be947a9f7329af1a13d47652b189fc
Formbook
6308def230fca10ddd70426bb31764afd2564530a7ff775cf28e5e958c5bd37a
Formbook
88ae2d739cf1bb2cb87e55498b46f53cc6c641ede1cf5619af8d0a128a1a2a39
Formbook
c3a69db8642855e1dfcbcb213f7f050c5fb2d86744183b13483411f97009c2a0
Formbook
de4679b52c5e51db87ae9671ec2b25364dd62641377bfbfd6d5cf67e7741598c
Formbook
+ 3'336 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210114-hqmkxblkhj/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.embracingmyjourney.net/p7t/
Unpacked files
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/95335169-a20e-42e0-9a8f-7e765b81eb5a/
SH256 hash:
cc3f372a43313a3983915a5f6c709d73c6acdae2940418fca3451263e839537c
MD5 hash:
f34fc58efda4a77b1d086f0fbbee4718
SHA1 hash:
b9a90b14e30be47d0271846253ac093e92326033
Link:
https://www.unpac.me/results/95335169-a20e-42e0-9a8f-7e765b81eb5a/
SH256 hash:
2681e8e4ea11b8ad2e5647611ffb26571c8d70fe74a72906bf74689045054b76
MD5 hash:
a8b3eedb0a0ada743f56e178f6647a88
SHA1 hash:
02f5fb5e128dca0d4483135659888ce392039db3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/95335169-a20e-42e0-9a8f-7e765b81eb5a/
Parent samples :
c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9
56db76250b06a9b52b44a9cc88161cd8fb070c4b72aae4f2186362875edac275
a078d966a3ac5a7ac639b01ba4d3230c7554d7d75e9e7f59dc35b623aec8dbda
b37ed83e211a60e98f12b924df6a9eecebb4b6f5c60cc58aa1468bddc611480f
5adeb6184ee1dffad88ac180f1e7dcbd6f451fc8dcd5e868906fca11d98476ef
3013607bfee8bcca1767c2a33cea94602e3c97baba31f96fc8a08014cf2576b4
3ce15be8f0a31d5fa5a176c3abb3729fd834a6af3e8a69b35cc6f2dd54c66fdb
280e68610d554a53b9986a3c71780b7de25914486c37d32b4479e50168645073
SH256 hash:
c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9
MD5 hash:
e47c0ab9cf929abce76d77ae7d634095
SHA1 hash:
868807c4265bdfb8160cc9c7b062b8208a5ef93d
Link:
https://www.unpac.me/results/95335169-a20e-42e0-9a8f-7e765b81eb5a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 8f5ea6573b223f074be48820eac2989ca07316be6ca7353ef7efe43a39f592c5

Formbook

Executable exe c94c6548dd723a5b6aac345f8aae65d4d8c6e86c3e86195c32616ab5dfa8cba9

(this sample)

  
Dropped by
MD5 aa3c633f5ec33175bddca80e63191bd1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8f5ea6573b223f074be48820eac2989ca07316be6ca7353ef7efe43a39f592c5
Cape
Cape
https://www.capesandbox.com/analysis/111950/

Comments