MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e85ecd006f87b6e19f200e637cf0430caa02f0af5e58d68437f270668a7fed59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e85ecd006f87b6e19f200e637cf0430caa02f0af5e58d68437f270668a7fed59
SHA3-384 hash: 89123c44449c70b49395d9c43e7e52b7db06df54d2d4410cf8af380dcfc134f878bf4e0f7f7f72aea427a7b30f37f5b7
SHA1 hash: 043d200c179ad715e5420d3c45527f1e27290342
MD5 hash: 51f479036e737c8d710c438b7a4f90a0
humanhash: shade-bakerloo-oklahoma-montana
File name:products order pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:923'136 bytes
First seen:2021-08-07 06:14:25 UTC
Last seen:2021-08-07 07:19:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d5a297711f10a7812e2ede65c7414a0e (1 x Formbook)
ssdeep 12288:Adt6DrpCBh2mPNFL9X0QO7M3LdWJEkjSKZymLv0xY8:oCpC6mPnRX0Qgc0JEkjDU
Threatray 7'511 similar samples on MalwareBazaar
TLSH T1BC156CE2F3D9A47BC11B16B05D1F9BA87131BD511C68E14372A17F282A79FA2340B4DB
dhash icon 88c7ce3cbddc2f31 (24 x RemcosRAT, 12 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
357
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
products order pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-07 06:16:45 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/6ad5d35b-9ef4-47e0-80f9-9b01f3d710f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177116/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.8128.6422.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5dab14f9-5c8a-46c6-bf42-f75567af4b99
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828568
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460999 Sample: products order pdf.exe Startdate: 07/08/2021 Architecture: WINDOWS Score: 100 29 www.citestaccnt1598677757.com 2->29 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Found malware configuration 2->43 45 4 other signatures 2->45 11 products order pdf.exe 17 2->11         started        signatures3 process4 dnsIp5 37 cdn.discordapp.com 162.159.129.233, 443, 49735, 49736 CLOUDFLARENETUS United States 11->37 57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 Creates a thread in another existing process (thread injection) 11->61 63 Injects a PE file into a foreign processes 11->63 15 mobsync.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 2 other signatures 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 31 www.cfwg123.com 107.149.37.159, 49771, 80 PEGTECHINCUS United States 18->31 33 www.shuziyuming.com 165.154.2.137, 49777, 80 INTERHOPCA Canada 18->33 35 12 other IPs or domains 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 49 Performs DNS queries to domains with low reputation 18->49 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e85ecd006f87b6e19f200e637cf0430caa02f0af5e58d68437f270668a7fed59/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-08-07 06:15:15 UTC
AV detection:
15 of 47 (31.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5bpm2adpq63odhzabzrxz4cdbsvaf4fplzmnnbbx6jygnct75vmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
028fb2b55806708dc61ab34ad360998449e5710eca9d0f85cae4987c6144acf6
Formbook
1cfec89b2bfbcdd400f0cd58741a2d7a218bb2bbf2399b55833c6f4a64829883
Formbook
43aa01ebbd20c81ee60bd5b6bacabcdd0a84e0aeb892c0ea18383261dbcdb0fb
Formbook
4f88fcf537adbb598d8335dd88dba85c97ed666930084bf718502938eb75bc42
Formbook
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
7256b8519136bbe02f9ff0ab9706bd9710de5fc4b6c0c3b82ccec398d86fe3ea
Formbook
79adce5b035cc593f8a511be0217da0c1b4686b9215dbd648529c2aa00e04807
Formbook
84d44657f148197e79e253ab0b50cdd8003e2b760318f9ab760b47fe4e25a594
Formbook
94b5ba8b9cf0c9b6d3e790aadc37b8afb3099af0d151761d5c7196dd6fb81539
Formbook
95eedb3eaf98ec12d5f66609278d43f94e1f635420d413ee0672bbf9434aafa4
Formbook
+ 7'501 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:nt8e loader rat suricata
Link:
https://tria.ge/reports/210807-94l8zd998s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.brandonprattdrums.com/nt8e/
Unpacked files
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/5fbdb944-d1e9-4b7d-88c1-9b8f323b387f/
SH256 hash:
e85ecd006f87b6e19f200e637cf0430caa02f0af5e58d68437f270668a7fed59
MD5 hash:
51f479036e737c8d710c438b7a4f90a0
SHA1 hash:
043d200c179ad715e5420d3c45527f1e27290342
Link:
https://www.unpac.me/results/5fbdb944-d1e9-4b7d-88c1-9b8f323b387f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e85ecd006f87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e85ecd006f87b6e19f200e637cf0430caa02f0af5e58d68437f270668a7fed59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177116/

Comments