MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
SHA3-384 hash: 720e6725f71913347b6835dc9817fbfc0b5c384a66d231cdf2f97e7f2a232c85c45c381c18e92d3fdce78871d4b2920a
SHA1 hash: deb5544c037a7757462afab46ae2ca14a8f7f945
MD5 hash: c7c27e1859f1593aedb1eebf0a15175e
humanhash: yankee-lamp-crazy-pizza
File name:Require your Sales Ledger from 01-April-2020.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:736'256 bytes
First seen:2021-04-12 12:23:34 UTC
Last seen:2021-04-12 13:09:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JLwe/ZRRUxLGX9eW++HhtUnNJ2WD9cgMuwS2T8Xo2i10OlYKit:q0HRYLov+Yh+NzxFWgXh5K
Threatray 176 similar samples on MalwareBazaar
TLSH C5F4BF56B960A3A8D7D84872EA1BE3720E255C9F590211632BF8BE373FFD427C915630
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hosted-by.rootlayer.net
Sending IP: 185.222.57.152
From: Suresh<suresh.washivale@channelpackaging.in>
Subject: Require your Sales Ledger from 01-April-2020 to 31-March-2021 - Closing Balance.
Attachment: Require your Sales Ledger from 01-April-2020.rar (contains "Require your Sales Ledger from 01-April-2020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Require your Sales Ledger from 01-April-2020.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-12 12:30:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/132dae26-efa4-4f14-9341-b99f8ada5f45

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133753/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.9247.4960.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/673012
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385451 Sample: Require your Sales Ledger f... Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 57 www.soretyje.com 2->57 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 13 other signatures 2->67 10 Require your Sales Ledger from 01-April-2020.exe 6 2->10         started        signatures3 process4 file5 49 Require your Sales...m 01-April-2020.exe, PE32 10->49 dropped 51 Require your Sales...exe:Zone.Identifier, ASCII 10->51 dropped 53 Require your Sales...-April-2020.exe.log, ASCII 10->53 dropped 55 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 10->55 dropped 81 Adds a directory exclusion to Windows Defender 10->81 14 Require your Sales Ledger from 01-April-2020.exe 10->14         started        17 AdvancedRun.exe 1 10->17         started        19 powershell.exe 26 10->19         started        21 AdvancedRun.exe 1 10->21         started        signatures6 process7 signatures8 83 Modifies the context of a thread in another process (thread injection) 14->83 85 Maps a DLL or memory area into another process 14->85 87 Sample uses process hollowing technique 14->87 89 Queues an APC in another process (thread injection) 14->89 23 explorer.exe 14->23 injected 27 AdvancedRun.exe 17->27         started        29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 AdvancedRun.exe 21->33         started        process9 dnsIp10 59 www.seniorlivingcaelderly.com 185.53.179.90, 49737, 49738, 49739 TEAMINTERNET-ASDE Germany 23->59 77 System process connects to network (likely due to code injection or exploit) 23->77 35 cmmon32.exe 23->35         started        signatures11 process12 file13 43 C:\Users\user\AppData\...\28Llogrv.ini, data 35->43 dropped 45 C:\Users\user\AppData\...\28Llogri.ini, data 35->45 dropped 69 Detected FormBook malware 35->69 71 Tries to steal Mail credentials (via file access) 35->71 73 Tries to harvest and steal browser information (history, passwords, etc) 35->73 75 3 other signatures 35->75 39 cmd.exe 35->39         started        signatures14 process15 file16 47 C:\Users\user\AppData\Local\Temp\DB1, SQLite 39->47 dropped 79 Tries to harvest and steal browser information (history, passwords, etc) 39->79 signatures17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 12:24:10 UTC
AV detection:
14 of 48 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27trmrwjijygp2aq4gzhrpvwvupqpzvqyuad3g7cmeixrzhvi4ga._file
Verdict:
malicious
Similar samples:
0aaa10495fff6567ec8ecb5fa1ea118ad1b1230c77db540c0dd7cb6f1d26f6fb
Formbook
17c1d72767fb09f83c78e95a4e3f0bc7ed2db219774cc1e55b0391e2604a8362
Formbook
2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
Formbook
2ecba20721fa9432e4e407b62f815f12b6fee820b5b348547175c36a274c7f16
Formbook
492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
Formbook
7cece5ca77b93ef7c41219923e3c080c99bffcca2141cde0acc72dc17daa6211
Formbook
84858fb9b1e2533886a654de52671d91b9d9d7f77ecc7a883d6f03821376b3c3
Formbook
cb6b64368f82e2596852532158f265a5b5d889abfce8d3025f5c8177f3462e33
Formbook
da2d92f0b457ef9553ed1043f410926daa39f4a8605e1725fd547428c59ce023
Formbook
e889d6dd8614cb0a6ff70e130c651068e04dce0f1694f7a16251e304d35d27d2
Formbook
+ 166 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210412-ll2dxc2mtj/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Nirsoft
Formbook
Malware Config
C2 Extraction:
http://www.consultoramulticars.com/suod/
Unpacked files
SH256 hash:
afe84d5c8dc2b7f41be5a4bf0608ac911153aed604a090ee695998e2ecb1675e
MD5 hash:
68b6344cad37c021525608433ea09fa6
SHA1 hash:
32415ab9e9b559df6092069c729f7da446d4f264
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8c9e3f17-5701-4b24-ac37-cf361c54b732/
Parent samples :
228d3b8dea2bd47cf98d69b89b5acdfa3a1425e201217882edc93de72fe0e37e
d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
SH256 hash:
065d5e704fbdb66ed41b7bd8b60fee664c1e3dd7441195bad2e2e707082b483d
MD5 hash:
63deed3b3ae0fde647bda2ef2f1a5fb3
SHA1 hash:
e5282237bbd468ecdea8d3894900063a35aedec0
Link:
https://www.unpac.me/results/8c9e3f17-5701-4b24-ac37-cf361c54b732/
SH256 hash:
a9683c3db7843d65a50a045ba1ce7375b379521c8e5c9787c27d6505d1385ead
MD5 hash:
5429587fd4cfeb5b3a48201912d8fbfa
SHA1 hash:
9112103527efc80e80d322a6747e1c05bb8631f9
Link:
https://www.unpac.me/results/8c9e3f17-5701-4b24-ac37-cf361c54b732/
SH256 hash:
e88d0d6780b4b64c49a1f56424dd2f875a57b52b6ce0ac5c12c5c7f2bf6a7552
MD5 hash:
bb3ce3b624ae7f69fd38d7214d8853ba
SHA1 hash:
30754e3e8937a9fd9dcf472f601e34c1a20ee01e
Link:
https://www.unpac.me/results/8c9e3f17-5701-4b24-ac37-cf361c54b732/
SH256 hash:
f47b5b128b0b3de987d95202769adff649b3f3c26f7f0e31c5433462fdaed094
MD5 hash:
2587a2887e4d26d0480d7ca3caae5b7c
SHA1 hash:
20590e0fdd2f1784530c8794ce7b58725b051960
Link:
https://www.unpac.me/results/8c9e3f17-5701-4b24-ac37-cf361c54b732/
SH256 hash:
d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
MD5 hash:
c7c27e1859f1593aedb1eebf0a15175e
SHA1 hash:
deb5544c037a7757462afab46ae2ca14a8f7f945
Link:
https://www.unpac.me/results/8c9e3f17-5701-4b24-ac37-cf361c54b732/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c155cdabe1d15050db0dd49057e832816ad5376a5ef744cad846230df27d527e

Formbook

Executable exe d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c

(this sample)

  
Dropped by
MD5 44f90859deeaddb27086f3b264484f14
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133753/
  
Dropped by
SHA256 c155cdabe1d15050db0dd49057e832816ad5376a5ef744cad846230df27d527e

Comments