MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54
SHA3-384 hash: 958c065f6ef5ebf089b146fad33ad4fbb8dc81c289632c1be56a65f459e654118b1a763a046710b5e6fbc33a265b328a
SHA1 hash: 34db4e3cff83c497e6ae53781e613b8f6eabcf17
MD5 hash: f3ae12a10c48e742ef314bb751fa9148
humanhash: spring-sweet-magazine-shade
File name:Order-DOC-1073456778.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:500'224 bytes
First seen:2020-10-16 12:19:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:AQsTU+ylf5HaL4iIiskcGdvrund4QJ1EYm1HgbW5C9dBZz1f:nGUNZRK0idcGAnOQnEYmMf
Threatray 2'413 similar samples on MalwareBazaar
TLSH 2BB48CBD6B486DAEE84E5E37DC931825D539BC671E4AF102940339D82D3DEC25BB30A1
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: uzlinshpl01.uzcloud.uz
Sending IP: 185.74.4.8
From: Amanda Chen <amanda_chen@hotmail.com>
Subject: Re Re: New Order — Top Urgent
Attachment: Order-DOC-1073456778.gz (contains "Order-DOC-1073456778.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71959/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/493561
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 01:09:37 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jgy2bqlzwc33memy66u6uikqu46qqizaenlwvxj4akyimxe3zka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Formbook
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
Formbook
7543c6fd163cc67f5bf477b5b583bfca5c094e65c6a5d5dea56e3eeb333b1cad
Formbook
767fc756f86db0b4de57b4ec14964f24af0e47eb23ba7fa1df6378bcf9986947
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
9abd8b37403ea5e7b381e0644acc6655dc01efc4be1edf69992c5a68c33eff1f
Formbook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
Formbook
b9c1be5f81b9261b1bb68fb0f667a57721bd04b750427a9382844c42d18dba6e
Formbook
bdad93534a202f7d3c2f102dc39093fa12a32f5de82c76a5fb41a94e1748d99e
Formbook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
Formbook
+ 2'403 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201016-6ws66a3k6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Formbook Payload
ServiceHost packer
Formbook
Unpacked files
SH256 hash:
ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54
MD5 hash:
f3ae12a10c48e742ef314bb751fa9148
SHA1 hash:
34db4e3cff83c497e6ae53781e613b8f6eabcf17
Link:
https://www.unpac.me/results/aba872a3-0427-4c01-885c-dc96a95a89a1/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/aba872a3-0427-4c01-885c-dc96a95a89a1/
SH256 hash:
d4ab59e721c4e77bdda87b6d548039c259c4b8d3d341e5a83fa4e48e1e16806c
MD5 hash:
fd229bea827cfd66c01c3a1bcda369bb
SHA1 hash:
ad988f83531029ebe9abf4dcb63b5da064cd9205
Link:
https://www.unpac.me/results/aba872a3-0427-4c01-885c-dc96a95a89a1/
SH256 hash:
09ca57ca352785b308b82eda488d51d1046006550e99b5c17fedd4f6c8754aad
MD5 hash:
6f27761d2e48e50a9e70d235e35ebb66
SHA1 hash:
fc227b83ee24a17584301426319dc893b2087ef2
Link:
https://www.unpac.me/results/aba872a3-0427-4c01-885c-dc96a95a89a1/
SH256 hash:
4e908199c41dc11ee2886ea587a060139756e8eae41f3096e0e61100acb7b65c
MD5 hash:
e58a637f1758fa0f8eaa768638c7cc0c
SHA1 hash:
815361c73106b630647543a0c810c4b6acd8d69e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/aba872a3-0427-4c01-885c-dc96a95a89a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz be15ce41ac84d7729d5ca62cc7ca12c1022c14d7e6676c8b4000935c744fc20d

Formbook

Executable exe ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54

(this sample)

  
Dropped by
MD5 e67fe6c22722952836dafe15c76219f1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 be15ce41ac84d7729d5ca62cc7ca12c1022c14d7e6676c8b4000935c744fc20d
Cape
Cape
https://www.capesandbox.com/analysis/71959/

Comments