MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea356b3d9e31986305af05633f1404882113499d46a0505145a5021d8fcdbc5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea356b3d9e31986305af05633f1404882113499d46a0505145a5021d8fcdbc5f
SHA3-384 hash: eeeb8beb81a639f1b9cbea32c2c2fd33245dd4d6beadbd92efe3d529368cb5b68fcdbf5d87733a65f53b4868d5503c89
SHA1 hash: 508fc08fd08a6bb71ce2dea3ce555d9dd41130df
MD5 hash: 5a880f5b3451f027b15c0b0da73c9fbe
humanhash: texas-johnny-alabama-hot
File name:New_PO#98202139.xll
Download: download sample
Signature Formbook
Create hunting rule
File size:3'584 bytes
First seen:2021-06-22 11:39:23 UTC
Last seen:2021-06-22 14:29:15 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash e0e60085324190935de6eada570c51a9 (1 x Formbook)
ssdeep 48:ZvtI3nC+mLdB3lISqploz7AYy9xovpvrBLzs:Z1KnC7LD3kMfyjwTZs
Threatray 5'913 similar samples on MalwareBazaar
TLSH 7771337A63D0C9F0D1181B792E935349E579F234972385243790A51F2CBF950297DB52
Reporter lowmal3
Tags:dll FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Terse
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167544/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader.origin.18922.19156.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/243211ac-c771-4f57-97a0-c4d3b2062284
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805920
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: MS Office Product Spawning Exe in User Dir
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 438331 Sample: New_PO#98202139.xll Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 35 www.ticeye.com 2->35 37 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 2->37 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 12 other signatures 2->67 9 EXCEL.EXE 22 25 2->9         started        13 explorer.exe 2->13         started        signatures3 process4 dnsIp5 39 www.esportesht.com.br 9->39 41 esportesht.com.br 162.241.2.66, 49731, 80 OIS1US United States 9->41 31 C:\Users\user\...\blackdimondr3872222.exe, PE32 9->31 dropped 33 C:\Users\user\AppData\Local\...\sxx[1].exe, PE32 9->33 dropped 16 blackdimondr3872222.exe 4 9->16         started        43 www.guniverse.net 213.186.33.5, 49755, 80 OVHFR France 13->43 45 www.mirefacciononline.com 104.21.63.141, 49748, 80 CLOUDFLARENETUS United States 13->45 77 System process connects to network (likely due to code injection or exploit) 13->77 20 msiexec.exe 13->20         started        file6 signatures7 process8 file9 29 C:\Users\user\...\blackdimondr3872222.exe, PE32 16->29 dropped 47 Multi AV Scanner detection for dropped file 16->47 49 Machine Learning detection for dropped file 16->49 51 Writes to foreign memory regions 16->51 53 Injects a PE file into a foreign processes 16->53 22 blackdimondr3872222.exe 16->22         started        55 Modifies the context of a thread in another process (thread injection) 20->55 57 Maps a DLL or memory area into another process 20->57 59 Tries to detect virtualization through RDTSC time measurements 20->59 25 cmd.exe 1 20->25         started        signatures10 process11 signatures12 69 Multi AV Scanner detection for dropped file 22->69 71 Machine Learning detection for dropped file 22->71 73 Modifies the context of a thread in another process (thread injection) 22->73 75 4 other signatures 22->75 27 conhost.exe 25->27         started        process13
Detection:
cve-2017-11882-shellcode
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea356b3d9e31986305af05633f1404882113499d46a0505145a5021d8fcdbc5f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-22 05:41:36 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5i2wwpm6ggmggbnpavrt6faeraqrgsm5i2qfaukfuubb3d6nxrpq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2f37c93400fdd92118fb19c318001038022836301f00dd805b0e97fd53773d5d
Formbook
41fb70f36b56d60a096ac2a89d7d9d2e6c75cf7725a75fd93ffebfcaabcb8e04
Formbook
6c8b4de0f39caa11127409b3ee06f410b0c5642b840f10822ad40af5745690cb
Formbook
7f81bdd235dca279812a46cec7f585bde9d681906dba1398e8ac86dfc877d079
Formbook
8503c4ec4121647a225068e8defe8ff2e4cfc61a94dcd3c261ec5acf38dfa73b
Formbook
8f0337a6ceabb0f235950c20db817d766d4b9e5cf8831e60ef766c82f33f7dec
Formbook
b3c5b3cf581d15fcbacf67b4bdba199bfe7089704875746109b3206eb07b99e2
Formbook
d0116b0ea676a655b1d55a2b7a79fb2585c1d04803e9d1d6f9cd1da15f789138
Formbook
f130539b2d2324246449abb99f5a0effb214feee629b092d48ac63aca14e2ba6
Formbook
f6b1a22c0cfc0c363bb163b7bd3236ee1dac2995a3511a6a941b7a7af656ba25
Formbook
+ 5'903 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210622-hzv1sej8ta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.share-event.info/wlns/
Unpacked files
SH256 hash:
ea356b3d9e31986305af05633f1404882113499d46a0505145a5021d8fcdbc5f
MD5 hash:
5a880f5b3451f027b15c0b0da73c9fbe
SHA1 hash:
508fc08fd08a6bb71ce2dea3ce555d9dd41130df
Link:
https://www.unpac.me/results/6eb48a06-8e8c-47eb-bfaf-8573ae9b9833/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/ea356b3d9e31986305af05633f1404882113499d46a0505145a5021d8fcdbc5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

DLL dll ea356b3d9e31986305af05633f1404882113499d46a0505145a5021d8fcdbc5f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/167544/

Comments