MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea38a026b9c1764cc7e1028c9674c2cb6fef4c4861ba643976c686ea79d040f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea38a026b9c1764cc7e1028c9674c2cb6fef4c4861ba643976c686ea79d040f8
SHA3-384 hash: ba03d0e2e1a411fd15c079ccc9f080ffc4769447235bec7bd54cc264eb21eb20de5b66b5a8236948975db5a456036746
SHA1 hash: a48ae5691fa6c0ea89ea77f228325c62dfe6725f
MD5 hash: b23671714a2acee8b2056b92844b2226
humanhash: black-fifteen-alanine-sodium
File name:FedEx AWB# 774174658339,PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:523'677 bytes
First seen:2021-08-05 13:05:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea8de473df0698dc330fdb95b5eda1f1 (3 x Formbook, 1 x NanoCore, 1 x Loki)
ssdeep 12288:sp+Mbi7sTn/NyYhj3lPUKqEVBgzdzVQAlZ9QwEN7Gq:sApsDVyYB3lPUK3BgDQA5jeKq
Threatray 4'489 similar samples on MalwareBazaar
TLSH T142B4F191B4C1C4F8D4784934CCA4D6A41626FCBA89614EEF37EC37AE9A311C2793716B
dhash icon 106979f2f0e0c0d0 (1 x Formbook)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FedEx AWB# 774174658339,PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-08-05 13:09:40 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/87125c0f-94dd-437b-be5e-37d1653f3476

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176650/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.18087.12929.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/379836a7-3232-4ed9-ba24-7b8fe51a0670
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827594
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460024 Sample: FedEx AWB# 774174658339,PDF.exe Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 30 www.highendsmokeshops.com 2->30 32 www.faithhonorsupport.com 2->32 34 faithhonorsupport.com 2->34 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 6 other signatures 2->48 11 FedEx AWB# 774174658339,PDF.exe 1 2->11         started        signatures3 process4 signatures5 62 Maps a DLL or memory area into another process 11->62 14 FedEx AWB# 774174658339,PDF.exe 11->14         started        17 conhost.exe 11->17         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected process8 dnsIp9 36 www.thaipayakorn.com 172.255.209.118, 49741, 80 LEASEWEB-USA-SFO-12US United States 19->36 38 www.cafe2hk.com 8.210.131.36, 49736, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 19->38 40 15 other IPs or domains 19->40 50 System process connects to network (likely due to code injection or exploit) 19->50 52 Performs DNS queries to domains with low reputation 19->52 54 Uses netsh to modify the Windows network and firewall settings 19->54 23 netsh.exe 19->23         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 23->56 58 Maps a DLL or memory area into another process 23->58 60 Tries to detect virtualization through RDTSC time measurements 23->60 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
xloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea38a026b9c1764cc7e1028c9674c2cb6fef4c4861ba643976c686ea79d040f8/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 13:06:00 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5i4kajvzyf3ezr7bakgjm5gcznx66tcimg5giolwy2dou6oqid4a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00e599fadd6b7cd568751d9741ad77f85a7c9fdea785deed6898f348efd794fd
Formbook
6c8d9b097832fec5088306fabfeb26cf5aa0c67153134f4c5e356cee935f871e
Formbook
80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98
Formbook
96bd9ed85e93c31a337a92e99fd6e1966f68f1a28fef43a21da725c36405988c
Formbook
ab95bc3c40647b2b700cdb9aba76b6de220fd528fd194e6071c1747df6cb78ce
Formbook
bc4765682b3b1250e178d1154cfd56fbe1fb4ac0c8e8346d9e6f3ed6c661907d
Formbook
d2ebab1807dd44bad7b61ac4b53e5d4e8dcdd1daa20d521c778400610fc1a252
Formbook
e05f95a61609a00f7c8372823b0cd8731524e3d938c8f54a11922491e1a70989
Formbook
e091222f766082c33c0606405115206cb2d915929dfe2ac899b1945d6442c512
Formbook
e9f37a053f32c4f4732ba0ff24dba4d0a57a4e2dc8e8f1698e5601385371ce8e
Formbook
+ 4'479 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader loader rat suricata
Link:
https://tria.ge/reports/210805-enb7b5yjvx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Malware Config
C2 Extraction:
http://www.sutsci.com/d8ak/
Unpacked files
SH256 hash:
f1098cf2ae8172065704ec8de1019c12ad33f32702a85de4cf0d031b9ecffb4f
MD5 hash:
93ce48f18608490a9aa3dce9a0db8d1d
SHA1 hash:
be8942eb02cee58663c7db1b1e14d08e77abd406
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2cb02faf-b7e1-4aae-bd7e-3b1d875615f9/
Parent samples :
2fcedf25cd8c0df5db7864ff3663f6a923eb3cdf1a30619a2eeb69df58e1c4f1
42081326f379275d4b731f76f2d932cd72cd2c404ed654ee281b66b08e59f6f7
9b985974efb3d7555b61cec77f2667cd6aca5f74a07f712b3aa58a54aa03bebb
ea38a026b9c1764cc7e1028c9674c2cb6fef4c4861ba643976c686ea79d040f8
8c0e95028944337b1e8a9e8dcc4ba141b535a4ee7dde151ca464238976039337
SH256 hash:
ea38a026b9c1764cc7e1028c9674c2cb6fef4c4861ba643976c686ea79d040f8
MD5 hash:
b23671714a2acee8b2056b92844b2226
SHA1 hash:
a48ae5691fa6c0ea89ea77f228325c62dfe6725f
Link:
https://www.unpac.me/results/2cb02faf-b7e1-4aae-bd7e-3b1d875615f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea38a026b9c1764cc7e1028c9674c2cb6fef4c4861ba643976c686ea79d040f8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/176650/

Comments