MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13
SHA3-384 hash: 4c1d111e63f0fc9d4394b82fef513d179ea059e46b85a9b5d23c2045bba4e3b36640e921edcd14c1df4fcc280c5e5746
SHA1 hash: a434db34fb9f8b38eeae5e07d133333c71e943dc
MD5 hash: 099a30feece3eabbcaf0deb4b25ca739
humanhash: pasta-sierra-one-bravo
File name:한라산업개발(2021.03.31).exe
Download: download sample
Signature Formbook
Create hunting rule
File size:648'704 bytes
First seen:2021-03-31 06:58:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oTK4r3nSOLrulD0vE6Y+mVlN3YYrNJpm7t2OaBGAl6c5nw6u4aQWf1V/mW:VYnSblmYV73YGNJKoOaB3lFu4aQWNVe
Threatray 4'406 similar samples on MalwareBazaar
TLSH 16D402F01902DAE4D63953FFA524245A0AB9DFF291138F88C798F6B23127E8C5DE9147
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm29.hanmail.net
Sending IP: 203.133.180.213
From: Deoksang ENG <axxair-asia@daum.net>
Subject: 설계서 및 견적서 요청에 관한 건
Attachment: 한라산업개발(2021.03.31).zip (contains "한라산업개발(2021.03.31).exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
한라산업개발(2021.03.31).exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 07:04:23 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/0c23c0ca-55f2-4d36-8f27-3d1237d05032

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129165/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.601-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660027
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 06:36:21 UTC
AV detection:
8 of 48 (16.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=66e3nvdkf464twapps3pzlhensx3u24mdmh5vgcjg6yfevtivmjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
Formbook
5180e6ef19db039d8365f3cb9690424e61504a80ab94a12738a633b6cdc5fccb
Formbook
5d5d64a87a5d888443e8d7a25046922fa4a39fe5952a45635dd66321e616bb14
Formbook
5f31b8fc53f4628aa678d164b995732bea8affd218185d69f1ad86e65bb7757a
Formbook
720ffc99aa96c665aae27db46f776476c37ca113db207790579adfd81c73ad05
Formbook
8c5a90a4c4470d05fff7757920aa0a8bf56edab04f4eb926ba789652f1bfc74c
Formbook
9a55287be3d6c8a74a0aa6ee3a5ea4e288ba968e44c271c9ea5d2293c8300d07
Formbook
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
Formbook
f09416ef7aaab2c43c62ef77bb69c005ec4a57d4051586f5e7d8571e74fee41c
Formbook
fbd84cb8e6af7a001f186ce8bde8bd4cb163a77113b6cee0342b148fbaf2b386
Formbook
+ 4'396 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210331-2h2bmy9tnx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.visitmatchgo.com/duy/
Unpacked files
SH256 hash:
45f3e22cf4f1b01114e34da31666d712761961d27a1714f5c2052ef22eee324d
MD5 hash:
8cc5d22083ead0fed30d2e6136eda712
SHA1 hash:
0b5214a8661e2af4486d95be9b6bd345dbdbd673
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c75d03ed-8a3a-43df-ac0a-b17f16670839/
Parent samples :
f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13
bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034
SH256 hash:
78906a909618d5886a379dc09946d8916834691f38efde921a4380d12e102d67
MD5 hash:
676d0724d9e8a5f03669346e6a64a34e
SHA1 hash:
471e2bcaf760f3dd7d772771c458ae3858050884
Link:
https://www.unpac.me/results/c75d03ed-8a3a-43df-ac0a-b17f16670839/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/c75d03ed-8a3a-43df-ac0a-b17f16670839/
SH256 hash:
f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13
MD5 hash:
099a30feece3eabbcaf0deb4b25ca739
SHA1 hash:
a434db34fb9f8b38eeae5e07d133333c71e943dc
Link:
https://www.unpac.me/results/c75d03ed-8a3a-43df-ac0a-b17f16670839/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip fbe454765e3ced656b2c3462c4c5948ffc9e42defe6eff7df4490459d3df19aa

Formbook

Executable exe f789b6d46a2f3dc9d80f7cb6fcace46cafba6b8c1b0fda984937b0525668ab13

(this sample)

  
Dropped by
MD5 671978ac691d38cf0b3213122e30fbb3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/129165/
  
Dropped by
SHA256 fbe454765e3ced656b2c3462c4c5948ffc9e42defe6eff7df4490459d3df19aa

Comments