MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea1dfb8b4d49ed0725305093b1a5466d5ab339ba2a5b125db5f3b87c42b874ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea1dfb8b4d49ed0725305093b1a5466d5ab339ba2a5b125db5f3b87c42b874ea
SHA3-384 hash: 0bd6fadb91f740e1fdb35f855520bb55ea758b592053b60f7e49f22d8f269d970960be8cb7f9b5f31822e8aa2c59b491
SHA1 hash: 9367ab312dffe1ed08eca19be7d535108f66350a
MD5 hash: ede289307c94dd928758ea965d49e977
humanhash: jersey-utah-glucose-undress
File name:ORDER6798ERA-LBT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'025'536 bytes
First seen:2021-04-07 06:00:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:nKbR/1gDnqQOQVdXVACtxJUeLw14JT2J3ph4bLtPHSDLU2:a/1yn9VjAEJUltRpabLVHSDLU2
Threatray 4'592 similar samples on MalwareBazaar
TLSH 5425F02226A56F24FABD97799460007053F6FD47B331EA8E3CEC7D887531AC0D6127A6
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hbtovs.com
Sending IP: 111.90.139.164
From: Chery Ch <Cherych@hbtovs.com>
Subject: Attached selected items and confirmed copy of Order and Sales Contract Draft for your reference.
Attachment: ORDER6798ERA-LBT.rar (contains "ORDER6798ERA-LBT.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER6798ERA-LBT.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 06:14:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/708c872e-e47a-4ae5-8f56-12b8b48753b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132770/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.CPN.genEldorado.22245.22298.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668298
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383084 Sample: ORDER6798ERA-LBT.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 42 www.kylayagerartwork.com 2->42 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 11 other signatures 2->64 11 ORDER6798ERA-LBT.exe 7 2->11         started        signatures3 process4 dnsIp5 48 192.168.2.1 unknown unknown 11->48 34 C:\Users\user\AppData\Roaming\afbiKEi.exe, PE32 11->34 dropped 36 C:\Users\user\...\afbiKEi.exe:Zone.Identifier, ASCII 11->36 dropped 38 C:\Users\user\AppData\Local\...\tmp8B86.tmp, XML 11->38 dropped 40 C:\Users\user\...\ORDER6798ERA-LBT.exe.log, ASCII 11->40 dropped 74 Uses schtasks.exe or at.exe to add and modify task schedules 11->74 76 Tries to detect virtualization through RDTSC time measurements 11->76 78 Injects a PE file into a foreign processes 11->78 16 ORDER6798ERA-LBT.exe 11->16         started        19 schtasks.exe 1 11->19         started        file6 signatures7 process8 signatures9 50 Modifies the context of a thread in another process (thread injection) 16->50 52 Maps a DLL or memory area into another process 16->52 54 Sample uses process hollowing technique 16->54 56 Queues an APC in another process (thread injection) 16->56 21 explorer.exe 16->21 injected 25 conhost.exe 19->25         started        process10 dnsIp11 44 www.valoremamma.com 172.107.43.183, 49764, 80 AS40676US United States 21->44 46 www.x7exf2.com 21->46 66 System process connects to network (likely due to code injection or exploit) 21->66 27 cmmon32.exe 21->27         started        signatures12 process13 signatures14 68 Modifies the context of a thread in another process (thread injection) 27->68 70 Maps a DLL or memory area into another process 27->70 72 Tries to detect virtualization through RDTSC time measurements 27->72 30 cmd.exe 1 27->30         started        process15 process16 32 conhost.exe 30->32         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea1dfb8b4d49ed0725305093b1a5466d5ab339ba2a5b125db5f3b87c42b874ea/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 06:00:21 UTC
AV detection:
5 of 48 (10.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5io7xc2njhwqojjqkcj3djkgnvnlgon2fjnrexnv6o4hyqvyotva._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
48e99b563e3e2daea132c5da122ad630f6015456ac58d4fe86f9dc65f6a0c943
Formbook
5386335debe7df955f9f8cf8e2fa0d5d482b197a3e24c59b0197eba5bf3d28b4
Formbook
6c2f5bf673b3bbc31cf425259cd5a0262094e85a8bed03714c7b39712efc4beb
Formbook
730b276576659ea2bc17aee5e92f2cc5b9aecf9ade5f03816bde0023a783b545
Formbook
770710adcc9c97316e0f43dcc99ef1561dfe8ec086a1514d4c3d7d0d90b24181
Formbook
8afb80762bc90479ba2d8f4237e755f78ea789601781615088dfa52f3e87d72a
Formbook
9269d3cadb8c6197fa6d8cc93549e8f13db426b0b7d84f45923f24e99c429aee
Formbook
9f1090c3e94e75b134c1aa55b5e8e2b6ac9b706cd27e0bb1cc44ef4b49f27c66
Formbook
c2b8d66b59eabf04dadf3af98e03e6f3aad3f289e826852fabda188863eb679b
Formbook
d68888aa1e155ac65bd1ddabcf05f61bfff65f79a11cc0ee099200c3da8c5d35
Formbook
+ 4'582 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210407-hezk8svah6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.valoremamma.com/cw3g/
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/1a92fa30-076d-4bd8-95c8-d6b0c4411d5e/
SH256 hash:
ea1dfb8b4d49ed0725305093b1a5466d5ab339ba2a5b125db5f3b87c42b874ea
MD5 hash:
ede289307c94dd928758ea965d49e977
SHA1 hash:
9367ab312dffe1ed08eca19be7d535108f66350a
Link:
https://www.unpac.me/results/1a92fa30-076d-4bd8-95c8-d6b0c4411d5e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ea1dfb8b4d49ed0725305093b1a5466d5ab339ba2a5b125db5f3b87c42b874ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar e2054a668969a178ed46aa1de4630da4d397bd2cdb0cef98d4cabba80403ed08

Formbook

Executable exe ea1dfb8b4d49ed0725305093b1a5466d5ab339ba2a5b125db5f3b87c42b874ea

(this sample)

  
Dropped by
MD5 b1f71045eff99bbdc181370889664581
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e2054a668969a178ed46aa1de4630da4d397bd2cdb0cef98d4cabba80403ed08
Cape
Cape
https://www.capesandbox.com/analysis/132770/

Comments