MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b
SHA3-384 hash: 0a85f54f7e4e7bc5965e6a42840386000833e45e454c2cee43da727a374775d922247d918fb063a37a12572e63f2fb54
SHA1 hash: 07150c8377209b185e017d858f0cd6704ab2c732
MD5 hash: d7e382bb4854061f9fc7a9806da0d7af
humanhash: echo-seventeen-fourteen-delta
File name:Payment_4372889.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:753'152 bytes
First seen:2021-01-18 09:06:52 UTC
Last seen:2021-01-18 10:42:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:eVUQ/6AbON2NdJxJF0ypc4BsgMBaaIocOPjrqi0aAyEr5bBBlGh+:5QCAPdJx24elcOPP/EVQh
Threatray 3'498 similar samples on MalwareBazaar
TLSH 76F48C1457DDDB21E7FCA7F9AD1090A036A9E686F258E77CC972B0916822C7804DFF90
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: smtp2.hiworks.co.kr
Sending IP: 121.254.168.210
From: 조재민 <newiz8@dsmecasys.com>
Reply-To: "조재민" <newiz8@dsmecasys.com>
Subject: RE:OUTSTANDING PAYMENT
Attachment: Payment_4372889.lzh (contains "Payment_4372889.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_4372889.exe
Verdict:
No threats detected
Analysis date:
2021-01-18 09:15:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e226c138-9d6f-45d9-a9cf-5b0da53af00c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112518/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.3454.3280.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583552
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340811 Sample: Payment_4372889.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 11 other signatures 2->52 10 Payment_4372889.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\...\UEwFjeYBtPwSqZ.exe, PE32 10->32 dropped 34 C:\...\UEwFjeYBtPwSqZ.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp47C6.tmp, XML 10->36 dropped 38 C:\Users\user\...\Payment_4372889.exe.log, ASCII 10->38 dropped 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->62 64 Tries to detect virtualization through RDTSC time measurements 10->64 14 Payment_4372889.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 nikolcosmetic.com 34.102.136.180, 49756, 49757, 80 GOOGLEUS United States 19->40 42 www.sorryididnthearthat.com 19->42 44 3 other IPs or domains 19->44 54 System process connects to network (likely due to code injection or exploit) 19->54 25 WWAHost.exe 19->25         started        signatures10 process11 signatures12 56 Modifies the context of a thread in another process (thread injection) 25->56 58 Maps a DLL or memory area into another process 25->58 60 Tries to detect virtualization through RDTSC time measurements 25->60 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 05:56:14 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zkz2z54vwk7ytq6nsdhscfqxbbtqrzkgdji2ng2ifoh566ur4vq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
005051028cd70b06d41a9703a87b07dfd779d03395073edf6d43aaa10a719040
Formbook
1285da1bcd0075a10d2e8f1d3811ceebacef662558186c6550ccc29c53e699b3
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
709b457160612a42a7714a517690760f05b09fb55f61570632500aa14328deec
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
94bae4886fe8942d256a84af00ae297e560b1711272c0d7b05d89f98c8067890
Formbook
9ed73237c4de3ed96e8d90f4d94dcbb46bf7c947961e40601852b8bad6c03f52
Formbook
bd53fc041a6e364f163c70e2bcf38a1565f3764a31b8c94de466fce780f9ab71
Formbook
fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71
Formbook
+ 3'488 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Link:
https://tria.ge/reports/210118-avl64cppqe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.merckcbd.com/dei5/
Unpacked files
SH256 hash:
1d6ecf546163882d34d4bb2b7afa3889506ca3036ed536c4ed972ed89bdf5035
MD5 hash:
fb169513679d349cb2a7e4121bacfd4a
SHA1 hash:
26619d7ce0a175b9fc4fbfd7f4b105050562924f
Link:
https://www.unpac.me/results/34c32d99-25cc-47d7-9a13-5438cb2c636f/
SH256 hash:
ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b
MD5 hash:
d7e382bb4854061f9fc7a9806da0d7af
SHA1 hash:
07150c8377209b185e017d858f0cd6704ab2c732
Link:
https://www.unpac.me/results/34c32d99-25cc-47d7-9a13-5438cb2c636f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

lzh 5f78f204c4573b95d5cd1cf48ccb73492402a043a158644984fd81a220ac74f0

Formbook

Executable exe ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b

(this sample)

  
Dropped by
MD5 5a72dcd2f683cd77dc7642d45d4060de
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112518/
  
Dropped by
SHA256 5f78f204c4573b95d5cd1cf48ccb73492402a043a158644984fd81a220ac74f0

Comments