MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f
SHA3-384 hash: 57388784ffb68f3da5c7537ef219fd7f023686ec41ca4a60461539a0e48a05ca592a77a32c5570cc6ef00731177efbe5
SHA1 hash: c2cccdcf5beeadb960317e6c95edbce1f587c18b
MD5 hash: 2c7005f066347149521b9d999d459f74
humanhash: skylark-nebraska-stream-india
File name:SHIPPING DOCUMENTS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:234'272 bytes
First seen:2021-04-16 05:38:03 UTC
Last seen:2021-04-16 06:50:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 6144:FPXa02XJ2IlK10xAIXEOnWARun+ckuTo32jhr:c0CJieC3+2To32jhr
Threatray 4'698 similar samples on MalwareBazaar
TLSH 78341271736090BBC9621BB14DB652BA9DD5E6044282268FF3104FA7FA361E72F1F213
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHIPPING DOCUMENTS.exe
Verdict:
Malicious activity
Analysis date:
2021-04-16 05:39:40 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/066812d9-6f3f-4fd9-ac85-90918ad35500

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/135820/
Detection(s):
SecuriteInfo.com.Gen.Variant.Zusy.376846.29962.8131.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Sending a UDP request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/679645
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Detected unpacking (changes PE section rights)
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 388776 Sample: SHIPPING DOCUMENTS.exe Startdate: 16/04/2021 Architecture: WINDOWS Score: 100 31 www.another-sc.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 12 other signatures 2->45 11 SHIPPING DOCUMENTS.exe 19 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\3d7wkb.dll, PE32 11->29 dropped 55 Maps a DLL or memory area into another process 11->55 15 SHIPPING DOCUMENTS.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 6 15->18 injected process9 dnsIp10 33 riceandginger.com 162.241.24.122, 49725, 80 UNIFIEDLAYER-AS-1US United States 18->33 35 bellee-select.com 49.212.207.204, 49729, 80 SAKURA-CSAKURAInternetIncJP Japan 18->35 37 4 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 systray.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2021-04-16 01:46:02 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 47 (38.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zu5rgnxzurw3zad7vbia777z43abvihbvbobhrb6z662ii2kbhq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1e5241525e65fdfc2540e30a5e54b0147240a9d0f5da4063ef94509379a19feb
Formbook
5aa64b3eef03b9c837e37102be20cb4f537c524b2a2531bf1bf6dd6a02461d7e
Formbook
5d4c17f9ea28e3df3efa9d9c7ba40444abeee049fe999eb2d579c6cf4ccc3231
Formbook
5fef6e5e702f6ac33542c50d34d3054d1b957c3afd5dffc8fbeaa81d82fdf562
Formbook
8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c
Formbook
851ee4f67cc28e3634b0062d77f62222d026c4e9674a894bcdd5b6c6e6bda376
Formbook
a2cdf452f83aa86c0f3ade321cfc00a9ed3671082372081a67cad84a26492051
Formbook
c69e54b704c7d7e94faa9c3ea2519eef344e1099aa99271833bc56cae00ab8af
Formbook
dd44eb26a328f1e86823339666e1b1237ad7b1d880694c1b8fb8164b931aa512
Formbook
e5561555b0be45246e4ce5418a203d5a0d800595de770d772d0d86d0ed2662bb
Formbook
+ 4'688 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210416-fd5mcewlr6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.riceandginger.com/fcn/
Unpacked files
SH256 hash:
f822c42644dd6b8b18f5799e7d40a5f4de0460e47d26b124d9e9d71c0d105b3c
MD5 hash:
cd7f3d0304818c60ed36b0c9ed1f9563
SHA1 hash:
eb71702e45a55b53f8f56f36a68a2c1556320b89
Link:
https://www.unpac.me/results/4b7d7bd0-2905-4724-888a-7939dc5c8646/
SH256 hash:
d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f
MD5 hash:
2c7005f066347149521b9d999d459f74
SHA1 hash:
c2cccdcf5beeadb960317e6c95edbce1f587c18b
Link:
https://www.unpac.me/results/4b7d7bd0-2905-4724-888a-7939dc5c8646/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z b662cc7def1e09ebf61f65fab189e93a0f8af51729c1182ca944b3fb949b2e8f

Formbook

Executable exe d669d899b7cd236de403fd42807fffcf3600d5070d42e09e21f67ded211a504f

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 b662cc7def1e09ebf61f65fab189e93a0f8af51729c1182ca944b3fb949b2e8f
Cape
Cape
https://www.capesandbox.com/analysis/135820/

Comments