MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753
SHA3-384 hash: 1b3fa1c6424babdc65869ed1c7a74b6e30ea1368b1a7464972aad64ecfe1db3267bda2801484f55d42953c45ffce64d3
SHA1 hash: f82a362e2b732f8d7ce36b5ec23ccb4d52eac15d
MD5 hash: c95fe63506ee881dc52a785afa1afd59
humanhash: kitten-bluebird-magnesium-cola
File name:Orden specifications_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:259'697 bytes
First seen:2021-09-24 13:35:56 UTC
Last seen:2021-09-24 15:13:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:F8LxBs4bTUsAwF1u8G4TOzVY6FlOWgKY36gKHeYIJ3GyAvSjugn+H:/4bvg8G4TOz5mWgKY3M7U9uW+H
Threatray 9'603 similar samples on MalwareBazaar
TLSH T1D944122661C2CEA3E0A2C23249B2A77CFBFB511061011F8B4B784F7B555059F9A693B7
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orden specifications_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-24 13:36:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24077d31-e81e-4a49-bf74-733b70dafd98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/191186/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.20947.4677.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4c2fc9f-b35d-43bc-b19a-c5d5b8832fb2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857388
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489819 Sample: Orden specifications_pdf.exe Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 9 other signatures 2->42 10 Orden specifications_pdf.exe 17 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\...\wkpy.dll, PE32 10->28 dropped 54 Injects a PE file into a foreign processes 10->54 14 Orden specifications_pdf.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.dentimagenquito.net 208.91.197.13, 49805, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 17->30 32 shops.myshopify.com 23.227.38.74, 49806, 80 CLOUDFLARENETUS Canada 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 explorer.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 12:51:37 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmiubxlxke4culkwywlvlix7hczdtacrjcxs2eem6tytthfa65jq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ac830fd4c5c4c3522b5cb9983edc13f2580b932875bc9daeb02633b8829fb3b
Formbook
49d82a6b19fe35893b419696bace48db225826ccfa73da61ca22f59f7f045406
Formbook
4c5887639c1dfcc0349690d98e9c8034029a6fa2f2e6bdbba96371bf23ce3301
Formbook
6c0e85b84f2b1dfdb580a168386ad91efe7f734066ff3a12a0d359fcb4711dca
Formbook
7024147e75938acd54b804df172c63b57c794e1980632c5f8190ae1e9d0da82a
Formbook
99b495e7c6df7f7bf887cd2d7f143e4103dfaf57990a0712bac7d33a2c6d6f0c
Formbook
a99b696e8ac16303843b26c95c982d5be9b9fd657d843937cc586c9a8dc29b83
Formbook
af0af3ebf3ac231ad77dbe4cbfa0fb2d48312d4ca0b5431081046ab09aa3b552
Formbook
d2d6a8c31acdd92eb9a005e2fac8838a382ab0425fc01bc88616bda185ab7b4c
Formbook
d39ec2fb7fa07bb6886173571262d2324d96b6e879ccc4f2cea46ece183e576a
Formbook
+ 9'593 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:dn7r rat spyware stealer trojan
Link:
https://tria.ge/reports/210924-qv95eahbc7/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.yourherogarden.net/dn7r/
Unpacked files
SH256 hash:
3fee841d37b1d765888c03ff08c2c6f68ce3a6192106d7f71bd33324501a42ba
MD5 hash:
8f789a523145181f5d8db581d2335a6c
SHA1 hash:
8ccdb3de7cd8cca62f479a70669bfd1355a33cc5
Link:
https://www.unpac.me/results/4115b9d4-953f-4e3a-bf30-4cee25a80ea5/
SH256 hash:
cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753
MD5 hash:
c95fe63506ee881dc52a785afa1afd59
SHA1 hash:
f82a362e2b732f8d7ce36b5ec23ccb4d52eac15d
Link:
https://www.unpac.me/results/4115b9d4-953f-4e3a-bf30-4cee25a80ea5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cb1140dd7751382a2d56c59755a2ff38b239805148af2d108cf4f1399ca0f753

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/191186/

Comments