MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fac8654450974c4648e94d6e8cbc40a1afcb538ff5b35f551b2a876d7b03cb36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fac8654450974c4648e94d6e8cbc40a1afcb538ff5b35f551b2a876d7b03cb36
SHA3-384 hash: 9a9b1385c4b2547e04c3d39741fb733ef694adc897906d65f9b885561875ce9474cb7ebbcdf424abd729c3281b081978
SHA1 hash: b07e77f8cd5320b383c2ccaf92acde8414ce33ed
MD5 hash: 4278394588730065a85e59978a5717a2
humanhash: thirteen-georgia-white-hot
File name:Order_20180218001.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:242'688 bytes
First seen:2021-02-23 07:24:35 UTC
Last seen:2021-02-23 08:45:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:FU4WpVUPAj3Ce9+9dLMqvDevPlAw6E9dAhl4ac:FEpO0xSLTvDAPlmE9Ohl4ac
Threatray 3'880 similar samples on MalwareBazaar
TLSH F0344ADD326072DFC85BD4769EA82CA4FAA1747B831B4103A42715EDDA4D89BDF180F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: curlze.site
Sending IP: 185.31.160.145
From: Amanda Liang <A.liang@synbright.com>
Subject: 采购订单 - victim-email - PO#652
Attachment: Order_20180218001.rar (contains "Order_20180218001.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118518/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.91353.88.5819.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Sending a UDP request
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614929
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356469 Sample: Order_20180218001.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 33 www.petarsandmay.com 2->33 35 www.excelguitar.com 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 5 other signatures 2->49 11 Order_20180218001.exe 1 2->11         started        signatures3 process4 file5 31 C:\Users\user\...\Order_20180218001.exe.log, ASCII 11->31 dropped 59 Detected unpacking (changes PE section rights) 11->59 61 Writes to foreign memory regions 11->61 63 Allocates memory in foreign processes 11->63 65 Injects a PE file into a foreign processes 11->65 15 svchost.exe 11->15         started        18 svchost.exe 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected 75 Tries to detect virtualization through RDTSC time measurements 18->75 process9 dnsIp10 37 www.keipy.com 135.181.57.206, 49743, 80 HETZNER-ASDE Germany 20->37 39 learninghealthnetwork.com 34.102.136.180, 49728, 49730, 49745 GOOGLEUS United States 20->39 41 21 other IPs or domains 20->41 51 System process connects to network (likely due to code injection or exploit) 20->51 24 control.exe 20->24         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fac8654450974c4648e94d6e8cbc40a1afcb538ff5b35f551b2a876d7b03cb36/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 07:25:26 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7legkrcqs5gemshjjvxizpcaugx4wu4p6wzv6vi3fkdw26ydzm3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1432f0240c91b7439722df807e35ef9b4cc9b126f3e5d42cedb27b28751118d7
Formbook
170eb254fe7cae506272dd7f934000734f55648fcefab6843eca50311a98a07d
Formbook
1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
Formbook
36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983
Formbook
38b6a40d2eeddf38695294c57971fc2efab81fea95100260a2003baa13616b83
Formbook
561562923f5bb53f6113b9a15c60cf2755437556e9e48cdc3fc3ae7ebe0171a7
Formbook
67bf85e54212cc6dd8e3f3bdfe292d7440ae7f7ad5f131f9c8b5ea51a86c1e96
Formbook
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
Formbook
cfc09cd2a2109a174ccbc346779f2e19316be4601173e2e85c3e4314cc139017
Formbook
dc5f7d89ab2465597ff7fa9f544326613aeaab2afa6e2e457ba5fc0da15bd450
Formbook
+ 3'870 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210223-5cgqvnsysx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.pamsinteriors.com/seon/
Unpacked files
SH256 hash:
fac8654450974c4648e94d6e8cbc40a1afcb538ff5b35f551b2a876d7b03cb36
MD5 hash:
4278394588730065a85e59978a5717a2
SHA1 hash:
b07e77f8cd5320b383c2ccaf92acde8414ce33ed
Link:
https://www.unpac.me/results/674f8120-4f8b-449b-a3b0-592a6bdab254/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fac8654450974c4648e94d6e8cbc40a1afcb538ff5b35f551b2a876d7b03cb36

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 413703a6c40424d090512f243c2c406b346cb15b3f5d6d11d8b83828d38d32f0

Formbook

Executable exe fac8654450974c4648e94d6e8cbc40a1afcb538ff5b35f551b2a876d7b03cb36

(this sample)

  
Dropped by
MD5 4d51109a78fd0e81d3762fdf8fdf7e95
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118518/
  
Dropped by
SHA256 413703a6c40424d090512f243c2c406b346cb15b3f5d6d11d8b83828d38d32f0

Comments