MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa1e4180024c1bb17610a4c0d6d3fd40b863c34016b131f1ce08fbcc140ce257. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa1e4180024c1bb17610a4c0d6d3fd40b863c34016b131f1ce08fbcc140ce257
SHA3-384 hash: 55016d145c1aeca028ab4a252e1cd9e532aa9a717ea75a3ade48e6946c2a52918f987845a36a481c4b8bf4f94b0b2770
SHA1 hash: 0ff15813f1dfe3795ab4ced8ee282360d3cf329e
MD5 hash: a0c70a509c6122b6a5c004d08ddb7fc7
humanhash: september-robert-enemy-helium
File name:po.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'336'320 bytes
First seen:2020-12-17 08:51:06 UTC
Last seen:2020-12-17 10:29:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:0wEMyreyOFHIyjmb5EP5tGoL/IX8xg8A6n/VYFHXNLlT:Lyre13jAI3L/Isxg8A6n/VYpdt
Threatray 3'189 similar samples on MalwareBazaar
TLSH E0558E14B7ED6708F1B7DB76C9D464A1C6FEBD226315D82F2CD022CE0662BC88E51627
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail-smail-vm44.hanmail.net
Sending IP: 203.133.180.232
From: 존 박 <alim119@daum.net>
Subject: 우리를_인용하십시오
Attachment: po.cab (contains "po.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
po.exe
Verdict:
Malicious activity
Analysis date:
2020-12-17 03:00:53 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/c8c2ecdb-f9cc-4a83-8725-f1582b535cfe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.480.3643.26246.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565225
Signature
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 331696 Sample: po.exe Startdate: 17/12/2020 Architecture: WINDOWS Score: 100 31 www.sullian.com 2->31 33 www.kennyxpress.com 2->33 35 HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 2->35 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AntiVM_3 2->47 49 2 other signatures 2->49 11 po.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\po.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 po.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.vehiculesfrigorifiques.com 213.186.33.5, 49738, 80 OVHFR France 18->37 39 healthpassportasia.com 34.102.136.180, 49745, 80 GOOGLEUS United States 18->39 41 7 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 cmd.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fa1e4180024c1bb17610a4c0d6d3fd40b863c34016b131f1ce08fbcc140ce257/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 08:52:05 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ipedaacjqn3c5qqutannu75ic4ghq2ac2ytd4oobd54yfam4jlq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
Formbook
1c1b7da24da155de4bfc0447f6b191cc1d4fe6af50f5663503cdb039029da222
Formbook
4f11e57e682eba91e574e673edce45efab46c20ad2d98826fb1b0880adee2aa0
Formbook
60e0625b9dc6a06473b96fd2972c145e71120d7d6a106713c76d7be4ccf75478
Formbook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
Formbook
82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
Formbook
8a10ba003c94b5e6576d10a0c4bd01cabef6d87e4811e96c1a028e2cde63f414
Formbook
988d2c306698b469a52c807a28fbd030868b108458ed2b72e6f776f2ed933703
Formbook
aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
Formbook
d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1
Formbook
+ 3'179 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201217-ehtqzd15ha/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.timoniks.com/rbg/
Unpacked files
SH256 hash:
63a681a5739224e2a8d2184aee0f2672d57a99b920dbd40de6decb78b961b588
MD5 hash:
fc6398e3e937efd3ec3b835312111b12
SHA1 hash:
1df5edc9d3e24de6032d3569db24c58f79f65476
Link:
https://www.unpac.me/results/5c2b91b4-af0c-4f68-9ee8-99ccae1ea820/
SH256 hash:
e44f7a5b6ea0adfa8cfcb37b2ad07a4345c5e9aac1b80be423faef6791e3ca68
MD5 hash:
a85b114faa12af0dbacf455fe7b58a0a
SHA1 hash:
22e2b28bf248ac9878c469e3072c6c667c24fdc7
Link:
https://www.unpac.me/results/5c2b91b4-af0c-4f68-9ee8-99ccae1ea820/
SH256 hash:
442fefc9543033cf5c95e8c037bf9a20ec46659426d056e09ee7a4df8f3c3247
MD5 hash:
d0b90276245cc2912f83f43cd782a9d3
SHA1 hash:
ed3ca9d0423f15b767584d3a1ff6ea4cc20d7454
Link:
https://www.unpac.me/results/5c2b91b4-af0c-4f68-9ee8-99ccae1ea820/
SH256 hash:
c347153fdef49fe1c7937bfe439e51c771923677a4b7a5578bd8b88a5e2fc9b2
MD5 hash:
92e611e075c477df421bb505f311dce5
SHA1 hash:
28a969df0932dec813ac1f61184d1e5d98d2014e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/5c2b91b4-af0c-4f68-9ee8-99ccae1ea820/
Parent samples :
fa1e4180024c1bb17610a4c0d6d3fd40b863c34016b131f1ce08fbcc140ce257
ae73e8799690e6e7efe2222fe8a471af2c7f7f0f82dff259434626eac35a2721
931f6aeff35cea88af521bc2cdca24164113c47ab3153e148e33d5bce66313f4
2449800b54909498a549817cc5bd9b8fc610a0d7ef6fd2bfda0d370783da8d32
9a9ac9671ba6e6954776498cf28264d6c1742bc52fb070d7736d83a3582a14c8
e10a18344876f44eea40708f80322df6ec17eea4fec0b7de74c97aab23421600
SH256 hash:
fa1e4180024c1bb17610a4c0d6d3fd40b863c34016b131f1ce08fbcc140ce257
MD5 hash:
a0c70a509c6122b6a5c004d08ddb7fc7
SHA1 hash:
0ff15813f1dfe3795ab4ced8ee282360d3cf329e
Link:
https://www.unpac.me/results/5c2b91b4-af0c-4f68-9ee8-99ccae1ea820/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa1e4180024c1bb17610a4c0d6d3fd40b863c34016b131f1ce08fbcc140ce257

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

cab 1ce4781463935e1e51aec17db977dbb592a84dddd7d28177846d4d35633d35a2

Formbook

Executable exe fa1e4180024c1bb17610a4c0d6d3fd40b863c34016b131f1ce08fbcc140ce257

(this sample)

  
Dropped by
MD5 fac204d7b8dde2af7733f2fafe66a3ff
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1ce4781463935e1e51aec17db977dbb592a84dddd7d28177846d4d35633d35a2

Comments