MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caae480439293c7be6bb9ca27621f5b99c7391d6b7fddc179d5f5627c6144d08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caae480439293c7be6bb9ca27621f5b99c7391d6b7fddc179d5f5627c6144d08
SHA3-384 hash: 001de2f1ed21635bb4971c8f4de5802631dbb94be6df7950d9b1337554a3fa99a242de600afdb5c3e9921b031dae26f8
SHA1 hash: b5546ba68d35fd4bd26e6e18b64861117869afc7
MD5 hash: 8ae1c292709e6812341fc90a9a7134ad
humanhash: magazine-leopard-cold-ceiling
File name:Lista degli ordini.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:740'864 bytes
First seen:2021-06-24 09:04:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c3f32a5a9887698ede69b21a2d37fd6f (2 x Formbook, 1 x AveMariaRAT)
ssdeep 12288:XTnjcRRQA6nHTLYhi3pw45sVETpVnb7x37Yq:XTj66nHTb9QETppb7x30
Threatray 5'968 similar samples on MalwareBazaar
TLSH C8F48CD8665010B3D8237B7D8A4F65E9A85D7DE0BA10A8C9F7B4BE4E8E763C13847047
Reporter JAMESWT_WT
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0f611d23-0f4f-4d52-cdc6-08d9367852926660370e-d377-4538-27dd-4e5966ce2744.eml
Verdict:
Malicious activity
Analysis date:
2021-06-24 08:27:24 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/76698f7c-12c3-4499-bd0a-c799e668f853

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167940/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.W32.AIDetect.malware2.20115.15097.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/748571a6-647f-47c1-bd1d-a5625d9fdd2f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807316
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 439726 Sample: Lista degli ordini.exe Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 24 www.influenzerr.com 2->24 26 influenzerr.com 2->26 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 4 other signatures 2->40 9 Lista degli ordini.exe 16 2->9         started        13 explorer.exe 2->13         started        signatures3 process4 dnsIp5 28 cdn.discordapp.com 162.159.135.233, 443, 49693, 49694 CLOUDFLARENETUS United States 9->28 42 Writes to foreign memory regions 9->42 44 Allocates memory in foreign processes 9->44 46 Creates a thread in another existing process (thread injection) 9->46 48 Injects a PE file into a foreign processes 9->48 15 secinit.exe 9->15         started        30 www.theapiarystudios.com 13->30 32 ext-cust.squarespace.com 198.185.159.144, 49695, 80 SQUARESPACEUS United States 13->32 50 System process connects to network (likely due to code injection or exploit) 13->50 18 raserver.exe 13->18         started        signatures6 process7 signatures8 52 Modifies the context of a thread in another process (thread injection) 15->52 54 Maps a DLL or memory area into another process 15->54 56 Sample uses process hollowing technique 15->56 58 Queues an APC in another process (thread injection) 15->58 60 Tries to detect virtualization through RDTSC time measurements 18->60 20 cmd.exe 1 18->20         started        process9 process10 22 conhost.exe 20->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caae480439293c7be6bb9ca27621f5b99c7391d6b7fddc179d5f5627c6144d08/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 12:24:13 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zkxeqbbzfe6hxzv3tsrhmipvxgohheoww765yf45l5lcprqujuea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19fea0b558bc85df1bec0bd5a086fd2678767117999762731b0f6fe15e1c590a
Formbook
53cd0bb46c1d8aa4dc128569b2c2b2b13f0d4a1357e464e5eec019a7f11195d6
Formbook
57605921f72fd210ec256ed3010b59d111c6d3b9e49b9e830e06d6bddce83db4
Formbook
9b9218d3692f38654cde45d5a9b01a6d5cb83aa5442c286fc4e073a6348e08d1
Formbook
c2b8d66b59eabf04dadf3af98e03e6f3aad3f289e826852fabda188863eb679b
Formbook
c59f3d09668674cc602a759071c5972b8f78b2b829afd3fb8d5e6f9ecd820280
Formbook
cad578cb66b96125accf74e291decfbfa2026857ec0efcae51a25ba4cc185ddc
Formbook
d885a2034e825199486fbe2eecbf1098e07c8ba36ffe3cca2518e3f332c48f28
Formbook
e242d70710f47daf819f4dec74264d265efd80a1aa12eec27c0ac20715670923
Formbook
f8c3b9a8f01e022158ef5f9bc6d69287b6b03ce5527f7ac911de25dcdc016569
Formbook
+ 5'958 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210624-gp1c67p5ra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.jakesplacebarbers.com/3nop/
Unpacked files
SH256 hash:
a962b300b10f701e3a3c8b4691a11161dd919a542e3ee79b890bfef413c15aa8
MD5 hash:
78c33a69fd2a9e77abcd07eed8b13cf7
SHA1 hash:
dc698bff43357d0e1b5e9c8ccfdf28e2a190aa02
Link:
https://www.unpac.me/results/7c236002-5790-4fb3-a44b-0f77676cd623/
SH256 hash:
caae480439293c7be6bb9ca27621f5b99c7391d6b7fddc179d5f5627c6144d08
MD5 hash:
8ae1c292709e6812341fc90a9a7134ad
SHA1 hash:
b5546ba68d35fd4bd26e6e18b64861117869afc7
Link:
https://www.unpac.me/results/7c236002-5790-4fb3-a44b-0f77676cd623/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/caae480439293c7be6bb9ca27621f5b99c7391d6b7fddc179d5f5627c6144d08

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167940/

Comments