MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11
SHA3-384 hash: f1192fc8c877114434920c28e10eaf983ae7b309e618947541cdcb136e057fe055514b3c5e240fde74d889dc84bfc22f
SHA1 hash: 16f5f3c6cdefa863184ee9081a32af736e07eefa
MD5 hash: a709f543a19335dd25778eb0dfe66cb4
humanhash: kansas-yellow-one-salami
File name:Purchase Order_80976678_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:359'424 bytes
First seen:2021-01-19 07:32:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 616765ca1e3c367f5f3771d38d13b610 (7 x Loki, 4 x RemcosRAT, 4 x AgentTesla)
ssdeep 6144:G3CDRM9sIkrdnvegUmCeybtdxT1eDDpFDvcZgAiQRMO0jqHVXbQa6unXe:ef9HmdveKCe6tUfigQRMzqRUunO
Threatray 3'542 similar samples on MalwareBazaar
TLSH 7B74CF31B1C1D431D07302B25274E7B209BE7E325BB558DBAFEA9D5D09B81E1A326363
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: 45-135-135-84.cprapid.com
Sending IP: 45.135.135.84
From: PURCHASE MANAGER <purchase@pennhvac.com>
Subject: Purchase Order
Attachment: Purchase Order_80976678_pdf.xz (contains "Purchase Order_80976678_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order_80976678_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 07:46:29 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/45f0caef-9055-44c5-9dd8-0717ff03a531

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112789/
Detection(s):
PUA.Win.Adware.Bang5mai-6804572-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584692
Signature
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 341383 Sample: Purchase Order_80976678_pdf.exe Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 6 other signatures 2->41 10 Purchase Order_80976678_pdf.exe 2->10         started        process3 signatures4 49 Maps a DLL or memory area into another process 10->49 13 Purchase Order_80976678_pdf.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 27 mct.ltd 51.68.37.224, 49738, 49754, 80 OVHFR France 16->27 29 www.muenker.world 217.160.0.195, 49735, 49752, 80 ONEANDONE-ASBrauerstrasse48DE Germany 16->29 31 17 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 raserver.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 07:32:20 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rkcsmu5umfoaazleaxz5elfwctlho5jooevsabgyf5yy4pqh4iq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8
Formbook
7a847a23a2407172035d5eeb7fe1117c851b2947e133c1ca3a236293e5fc5432
Formbook
86879b01844ab067722fd2ca12bf5a666136348ca9a7f72a33ca42d9707e84d0
Formbook
9763034a6f6e93c907471ca361e619f5fe5ec0b3aeb301cd046bd877c62aaea7
Formbook
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
Formbook
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Formbook
c2aa09fda8ed6089db384994dc58fe814ff5a725ea05cd1ccca910b0d901301a
Formbook
c4527be43e6ad0e3eb7e8ca1bf26c120c0c5eef996716178a87bbe2b807efa57
Formbook
e973f018b330b3afa0ce25d89e8e5eece3d187309e27265718cd333c28332c0b
Formbook
f73c1a2549b119a5de3964cdcbbdbefbaca205e1f149b4d77688a92285b4d20b
Formbook
+ 3'532 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210119-5stpt97s5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.chuanxingtong.com/j5an/
Unpacked files
SH256 hash:
0af1091d1e3f3430d35866fc89b7d9c628c59bf9bdfbe95c78b187710f7f8bd4
MD5 hash:
1ac6e734bc4f34da87e70bca3db3d1aa
SHA1 hash:
383860d0b38c86cc49d1c7d6987b32880bffce5d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/661cb911-a80b-4230-9adb-b6bba983a9f3/
Parent samples :
f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11
2d62d3a5d3989b0dcc3484bf4d5fc73fe78546efad83d8cf0fd12b19e2ea65f7
SH256 hash:
f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11
MD5 hash:
a709f543a19335dd25778eb0dfe66cb4
SHA1 hash:
16f5f3c6cdefa863184ee9081a32af736e07eefa
Link:
https://www.unpac.me/results/661cb911-a80b-4230-9adb-b6bba983a9f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

xz 706a8a2b88669d6db35c7c3928f80c04a4224e71dcf7790667bf1b0edc58d25f

Formbook

Executable exe f45429329da30ae0032b202f9e9165b0a6b3bba97389590026c17b8c71f03f11

(this sample)

  
Dropped by
MD5 3519b7f8cbaba6ee7f14b59d5ed99090
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112789/
  
Dropped by
SHA256 706a8a2b88669d6db35c7c3928f80c04a4224e71dcf7790667bf1b0edc58d25f

Comments