MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee
SHA3-384 hash: 6bd356dfeb6395b49a5cd8ae992b90ea75cd1ca62ded698ea35b2b9e479c34505e4cd45a1d684c0bf93c8e8c441c1900
SHA1 hash: 8bdd9a873bf73a99bfe9f95d5bcdac2fb885cdfd
MD5 hash: aaeb44037c3bde58012798729f5774a5
humanhash: muppet-skylark-lamp-neptune
File name:Order No. BCM190282.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:674'304 bytes
First seen:2020-12-17 09:08:52 UTC
Last seen:2020-12-17 10:30:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'739 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:5C52ogwnn5x0LjGW1VmR+WivAG+nMcLYRFplCs4tPKGCz1MoL:OLnE++VmLivA1MY4rc/PKGAMo
Threatray 3'192 similar samples on MalwareBazaar
TLSH C8E41218255C9B37C29E9BFD94602144237266B77493F35D4FC964EF2A3ABC08D48B8B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: diamondinter.com
Sending IP: 154.127.53.116
From: Werner Götz <p@diamondinter.com>
Subject: Re: New Order No. BCM190282
Attachment: Order No. BCM190282.r00 (contains "Order No. BCM190282.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.28289.29801.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565174
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 331677 Sample: Order No. BCM190282.exe Startdate: 17/12/2020 Architecture: WINDOWS Score: 100 32 www.xn--produtosdesade-wrb.com 2->32 34 xn--produtosdesade-wrb.com 2->34 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AntiVM_3 2->50 52 3 other signatures 2->52 11 Order No. BCM190282.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\...\Order No. BCM190282.exe.log, ASCII 11->30 dropped 62 Writes to foreign memory regions 11->62 64 Injects a PE file into a foreign processes 11->64 15 RegSvcs.exe 11->15         started        signatures6 process7 signatures8 66 Modifies the context of a thread in another process (thread injection) 15->66 68 Maps a DLL or memory area into another process 15->68 70 Sample uses process hollowing technique 15->70 72 2 other signatures 15->72 18 explorer.exe 15->18 injected process9 dnsIp10 36 anastasiamatkovskia.com 162.241.216.113, 49780, 80 UNIFIEDLAYER-AS-1US United States 18->36 38 www.fused180qr.com 45.114.104.120, 49775, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK China 18->38 40 18 other IPs or domains 18->40 54 System process connects to network (likely due to code injection or exploit) 18->54 22 cscript.exe 12 18->22         started        signatures11 process12 dnsIp13 42 www.ivaporvault.com 22->42 44 www.dmosearch.com 22->44 56 Modifies the context of a thread in another process (thread injection) 22->56 58 Maps a DLL or memory area into another process 22->58 60 Tries to detect virtualization through RDTSC time measurements 22->60 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 09:09:07 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dhnl5zby7hide2zqffaezrpqcyodd4aawgex2uiourhadyxyhxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4
Formbook
2bda7325843b48687e064e2abeeef3f5eae5865fceccbbb0ad5229fcf624bf40
Formbook
574e414e22746d7781bd6ca6f4cc64be417b65696104dda71b037c9584cea01f
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
80647f6b0ee0d8b14ba78bbd6cbfdf6e332692af7eb0f3348fc76facc4ad23ef
Formbook
9166caa8818f4cc62ac7922d901d396e17c0ff0867c48d52bd891b05121abafd
Formbook
a80553f1c2dcc35c48adf765bbb4f695d9d3c47d57ab0e47e4e8118588466731
Formbook
b475b8978e80b7cfc97d95df7e5c7b51efd86ec23d5257ec0c5aa40df7abf30a
Formbook
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
Formbook
e04ac8ec3e13e60c17c1ab13acb486e2e60877e44b6a3ee8a9e372a45d0c8e42
Formbook
+ 3'182 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201217-19v1yj84yx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.koku-jieitai.info/w8en/
Unpacked files
SH256 hash:
d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee
MD5 hash:
aaeb44037c3bde58012798729f5774a5
SHA1 hash:
8bdd9a873bf73a99bfe9f95d5bcdac2fb885cdfd
Link:
https://www.unpac.me/results/726725dc-200d-485e-ae24-d4eee0feb4b4/
SH256 hash:
df3923fc72e1994133f7e4b448860214b84433758d1e2fb623240f33b61b4960
MD5 hash:
366c756de7e4b307d11087e4e9399226
SHA1 hash:
13e31086623aac0a124b2fb7aa7d48eeaae83dcc
Link:
https://www.unpac.me/results/726725dc-200d-485e-ae24-d4eee0feb4b4/
SH256 hash:
e83cef9cfa4e2ea30e28843e43c60ebf8f6590fb753ad0aa5ed1123c01280527
MD5 hash:
bf99ee5fbf42797bd1ade95b109d634c
SHA1 hash:
e02abfdbca94a24a36b47d49a28360b79aabd294
Link:
https://www.unpac.me/results/726725dc-200d-485e-ae24-d4eee0feb4b4/
SH256 hash:
3ba918fe2b137f0eb38c5e70bbe80523c5878bc69dbac4afd52c0a6403cd9290
MD5 hash:
19ac6dd3731b222b4b6d0b326e48ae96
SHA1 hash:
06c26263f1410f5fd4ab8f6d2f3c574b50cd197a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/726725dc-200d-485e-ae24-d4eee0feb4b4/
Parent samples :
d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee
be246c8f7d9d07567fa9618fdacf5658709a1a71f2d61e0b32e89cf9abd499da
b4ddceb2e5c7f97a31768c1313b0355e1c1996cb61cf57059758516bbe1fbd3c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r00 246af2dd6787bbd33fb1d15cfb205e7395274fa8240a3dfc456f531845eedb8e

Formbook

Executable exe d0ced5f721c7ce819359814a02662f80b0e18f80058c4bea887522700f17c1ee

(this sample)

  
Dropped by
MD5 31f860af567ac301aceb51cf1e753fc0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 246af2dd6787bbd33fb1d15cfb205e7395274fa8240a3dfc456f531845eedb8e

Comments