MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
SHA3-384 hash: 60e81cef63cf99e5fd4031111ae929eb1a3d6c9a18001cbe673fc7094d13523d0e876b5d9f4c4f4f7056abe4708e7ddb
SHA1 hash: 73e62e87924881f00b0fb8aac633ff5293c21afe
MD5 hash: 8a8cde887d4db5fd1174235f9009149b
humanhash: dakota-music-vermont-helium
File name:RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:359'424 bytes
First seen:2020-12-17 08:51:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 412434c6590220a26bbf72c7c07a425b (7 x AgentTesla, 4 x Formbook, 1 x NanoCore)
ssdeep 6144:MDLtwwjMe+rXtiHdvJW/ffEIYkL1jhhejxWvtKAi:S5hjwXA9BW/bLhKAi
Threatray 3'318 similar samples on MalwareBazaar
TLSH EF74CE39C2D8E1C5E9B8B1B8DF90DAFE43209C5DBE18556318ECBD5B76BC52B5008263
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail.fpcci.org.pk
Sending IP: 124.29.202.181
From: 3D MIDDLE EAST LLC <m.ashwad@3d-me.com>
Subject: RFQ 00068643 New Order Shipment to Jebel Ali Port UAE
Attachment: RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.zip (contains "RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.exe
Verdict:
Malicious activity
Analysis date:
2020-12-17 09:09:23 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/4285a3a4-3562-4c89-a9f2-5020c87bbf11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.55703.17582.7478.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Unauthorized injection to a recently created process
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565223
Signature
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331694 Sample: RFQ 00068643 New Order Ship... Startdate: 17/12/2020 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected FormBook 2->48 50 3 other signatures 2->50 10 RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.exe 4 2->10         started        process3 file4 34 C:\...\94f9974e81d74e6387edc9da01d1d164.xml, XML 10->34 dropped 36 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 10->36 dropped 54 Maps a DLL or memory area into another process 10->54 14 RFQ 00068643 New Order Shipment to Jebel Ali Port UAE.exe 10->14         started        17 cmd.exe 1 10->17         started        19 conhost.exe 10->19         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 21 explorer.exe 14->21 injected 25 schtasks.exe 1 17->25         started        process8 dnsIp9 38 www.gzlydt.com 156.238.196.243, 49765, 49778, 80 XHOSTSERVERUS Seychelles 21->38 40 www.bloglifeme.com 103.141.96.36, 49776, 80 VECTANTARTERIANetworksCorporationJP Japan 21->40 42 23 other IPs or domains 21->42 52 System process connects to network (likely due to code injection or exploit) 21->52 27 explorer.exe 21->27         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 27->56 58 Maps a DLL or memory area into another process 27->58 60 Tries to detect virtualization through RDTSC time measurements 27->60 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 08:22:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zx6bmahx6vsw7mvxf7iq3jclr57bf5geaat2im4ckhs5p2pq45bq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2e7e018ee5838bf8450f343923ba4ce6c1282ed1b727fc4ab5cbe69b6204fca2
Formbook
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
Formbook
9a176cf24fa09ec01bb6e51507849fa8aad355bb25eba73ce43f63579997633a
Formbook
b28f4495e2cda5a5fef0408701a136d820c7cf2e7a45dd101e70b31458e31530
Formbook
b2f4176efc7fb22a1958f63af6f3029b8d4fdbecb98625828822d471a6a137b4
Formbook
bc1a39fab39f372baddb7b2b12553e4c687a099d605892704daefdae5ed4995f
Formbook
debe2f7e0f2e18dff0c54f3809c66256f5741b5cf9e13e065593c005db9c22de
Formbook
e04ac8ec3e13e60c17c1ab13acb486e2e60877e44b6a3ee8a9e372a45d0c8e42
Formbook
e973f018b330b3afa0ce25d89e8e5eece3d187309e27265718cd333c28332c0b
Formbook
f64ecad45aae27f037e819a6adfaeebbdf0f769690a46a89a29d4f0da22b6cd4
Formbook
+ 3'308 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201217-tm64bz7cxx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.4mzn-l1mit.com/x2ee/
Unpacked files
SH256 hash:
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
MD5 hash:
8a8cde887d4db5fd1174235f9009149b
SHA1 hash:
73e62e87924881f00b0fb8aac633ff5293c21afe
Link:
https://www.unpac.me/results/92603826-7fdd-4c64-9cd3-d27cf3868702/
SH256 hash:
b3158e821b71b4737904df9b39f8362835f41f3e755633b02e19236830aab845
MD5 hash:
aab914db61fcd4fd05f755ad981c0adf
SHA1 hash:
3fffaf97daea5010b8779b6b8bb08c5472e3c34e
Link:
https://www.unpac.me/results/92603826-7fdd-4c64-9cd3-d27cf3868702/
SH256 hash:
0be8b6cc78ece6a433090369e144a1f79e460c8c7f7d193fdedc402a805a3b6a
MD5 hash:
c52ef08f75482ebef0381001daff1fd6
SHA1 hash:
92f3fd245a5ffcf70f4bf7023a7fb35e25074cb3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/92603826-7fdd-4c64-9cd3-d27cf3868702/
Parent samples :
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 9c741c1b6304e6e14f7e94cca0ed709a2f8f7cf52ae4c785172266535f00f6fd

Formbook

Executable exe cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743

(this sample)

  
Dropped by
MD5 fa2810a0c301b0c1725a3ede98402639
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9c741c1b6304e6e14f7e94cca0ed709a2f8f7cf52ae4c785172266535f00f6fd

Comments