MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d
SHA3-384 hash: bafb2debaf87075afb89e8b4f115f81b2ec3138076664c6fee5cce2bb7e510a6c1d71f5047f783a215169097d7759bb9
SHA1 hash: f47e9a3f5ded9d82b16bb609883abe20d471e9fb
MD5 hash: cd37a850eaf5df658cb98d0963efaee0
humanhash: kansas-diet-triple-mirror
File name:DEBIT NOTE DB-1130.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:853'504 bytes
First seen:2020-11-18 12:23:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5113dec31b8616dbad783836e7188783 (11 x AgentTesla, 2 x HawkEye, 2 x Loki)
ssdeep 12288:Rl1aMljBMKnw6WJoGPb5FUoRAVyImHlaw9EQvkXJM+AXhT2/KpHMeXJ5pX:5JCKxWfPNFwyIUlawdMx/kXXJ5
Threatray 2'963 similar samples on MalwareBazaar
TLSH AC059E27B2A1D873C12316788CCB5BB89D2EBED02A1B79872BF51D48DF397813416197
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: iqum.mx
Sending IP: 67.227.222.135
From: Jenny Jiang<Jenny.Jiang@bmo.com>
Subject: Payment advice for victim-domain
Attachment: DEBIT NOTE DB-1130.zip (contains "DEBIT NOTE DB-1130.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541005
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 319604 Sample: DEBIT NOTE DB-1130.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 34 www.wichypr.net 2->34 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 6 other signatures 2->44 11 DEBIT NOTE DB-1130.exe 2->11         started        signatures3 process4 signatures5 52 Maps a DLL or memory area into another process 11->52 14 DEBIT NOTE DB-1130.exe 11->14         started        process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 28 www.volksautomobile.com 192.185.0.218, 49760, 80 UNIFIEDLAYER-AS-1US United States 17->28 30 literaworld.com 50.116.112.244, 49757, 80 UNIFIEDLAYER-AS-1US United States 17->30 32 18 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 21 cmstp.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 09:37:19 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=66fb5peyuhauqjlezrskpuilu7a62a2zdogox25hf4t56win2v6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
0a52da9ff52bac0092e953e1127ddacb2875f1e908bcdcc0eb13559313978f1a
Formbook
15c7df3fd38078bfe8814c09bc69279c91ae32fc7178912998b6eca91f4d82b8
Formbook
6499e8029a2f0db6a6a601d425217cd6bf076fe96accdce24fe042b24001bc8f
Formbook
797dd6c7fd666d180638505d42d8803dffa37e8b76104fe77b21a680524242e7
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
Formbook
e0f3cc45f5f9d758b91fc99dbc5b838e8658fa28bad234825318e18d11806681
Formbook
e85ece3cee51156974c3fb8f0e2c707dae2b51b0d2db9e5fb10531d2fdd76ca6
Formbook
e9291adc295e241009821c0ee671dd9ee44cca5cc466ecd20cc8bbab53931c8c
Formbook
ec5a75f9492dd42e6da3aedf206c5ff750b1ab67b75a88410e967c8c87bd65b7
Formbook
+ 2'953 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201118-bbnyl5jwhs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.tltans.com/ihm3/
Unpacked files
SH256 hash:
f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d
MD5 hash:
cd37a850eaf5df658cb98d0963efaee0
SHA1 hash:
f47e9a3f5ded9d82b16bb609883abe20d471e9fb
Link:
https://www.unpac.me/results/035d69ee-cd7e-4d6e-bf6e-412ae12a0694/
SH256 hash:
e0646e500211542b9e9b7058c6dfecf2ef89083f21027e26bd416167d2d5924b
MD5 hash:
11576ea6d8afa7d9881459859c8f41ef
SHA1 hash:
fa45616fc638aab66e00707b9dfce4759147e1b4
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/035d69ee-cd7e-4d6e-bf6e-412ae12a0694/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 7a5d2c11295177b01b3ce892b63e5440efd493385d2b93956df2f1497ad758e3

Formbook

Executable exe f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d

(this sample)

  
Dropped by
MD5 f8d5dd20427843caeb6a81fc38efaf59
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7a5d2c11295177b01b3ce892b63e5440efd493385d2b93956df2f1497ad758e3

Comments