MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 9



SHA256 hash: ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f
SHA3-384 hash: 4845df77663bcce254e4fe445c583e321a4b3626f973830304f56cf236ea625f2dd71c7b9ada2e959a036fa0413f760e
SHA1 hash: 362eda0fa5bd2cd4f50d0f7e9cf0cc641a08b163
MD5 hash: ec44d0c4ec44347f9f8ee63b4bec5210
humanhash: mobile-zebra-uncle-seventeen
File name: Order Specification Requirement With Ref. AMABINIF38535.exe
Signature: Formbook
File size: 571'904 bytes
First seen: 2020-11-19 06:57:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 28f23f3d8e8caef0d96e308e79b83dbf (1 x Matiex, 1 x AgentTesla, 1 x MassLogger)
ssdeep: 6144:AO6oVJ59N2c3FEyohRbTnIkwcDku8dQDKfcQqUwSLjiXTkgQ:ASJ59r3F0bTnlwcDkuzMcfSLYTTQ
Threatray: 3'019 similar samples on MalwareBazaar
TLSH: 08C47B25EA848739D76BCE3661DEAD90C1F8AE3149E34C871FBC7B6519300F0636E652
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing Formbook:

HELO: mail0.chuncable.xyz
Sending IP: 143.110.147.241
From: Amacon Makgoka <amacon.makgoka@hotmail.com>
Subject: RE: RFQ Request For New Order With Reference: AMABINIF0865
Attachment: Order Specification Requirement With Ref. AMABINIF38535.7z (contains "Order Specification Requirement With Ref. AMABINIF38535.exe")

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 118
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph (ID 320253; sample: Order Specification Require...; start date: 19/11/2020; architecture: WINDOWS; score: 96), rendered as a process tree:

Root (sample execution)
  Network: www.takeactionphysio.com; www.foodloversdirect.com; 3 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Yara detected FormBook; Machine Learning detection for sample; 3 other signatures
  Started: Order Specification Requirement With Ref. AMABINIF38535.exe; SearchUI.exe

Order Specification Requirement With Ref. AMABINIF38535.exe (first instance)
  Signatures: Maps a DLL or memory area into another process
  Started: Order Specification Requirement With Ref. AMABINIF38535.exe (second instance)

Order Specification Requirement With Ref. AMABINIF38535.exe (second instance)
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  Started: cmmon32.exe
  Injected: explorer.exe

cmmon32.exe
  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  Started: explorer.exe; cmd.exe

explorer.exe (injected by the second sample instance)
  Started: msdt.exe

explorer.exe (started by cmmon32.exe)
  Network: www.exm-dronesecurity.online 46.30.211.38 (ports 49753, 80; ONECOMDK, Denmark); www.querooo.com 208.91.197.91 (ports 49755, 80; CONFLUENCE-NETWORK-INCVG, Virgin Islands (BRITISH)); 2 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit)

cmd.exe
  Started: conhost.exe
Threat name: Win32.Trojan.Swotter
Status: Malicious
First seen: 2020-11-19 06:58:09 UTC
AV detection: 26 of 28 (92.86%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction: http://www.querooo.com/utau/
Unpacked files
SHA256 hash: ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f
MD5 hash: ec44d0c4ec44347f9f8ee63b4bec5210
SHA1 hash: 362eda0fa5bd2cd4f50d0f7e9cf0cc641a08b163

SHA256 hash: 465ca13652977ac967dafaf9559cd759cccb49e3661ff64bf4c410054f6d80e1
MD5 hash: dacaaf63843b1b964429c0e9235c407d
SHA1 hash: 80c291e86827553b4c4154e15dea5fff43ab4773

Detections: win_formbook_g0 win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | Formbook | Executable exe ed6182df3469dfdc4084aea0aca3714a90498401d608c7a0ab818329c42ab21f (this sample)

Delivery method: Distributed via e-mail attachment

Comments