MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
SHA3-384 hash: e632416cf4c94db33cfc38886b658844495197bd38ac63aaa03402fc3f03edc7d55222cf3b223c7c419f7e12ef8eaf0b
SHA1 hash: 7be2cb509f3d56cffa419f6ac5968b2fb466d0bf
MD5 hash: f4679cfd74418e90d5343137f769c2cc
humanhash: island-summer-chicken-sodium
File name:ORDER 172IKL0153094.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:999'936 bytes
First seen:2020-12-28 07:54:53 UTC
Last seen:2020-12-28 09:28:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:g9yYjD4g25i2KMPT2yP9bcw114XnACUNCeGL2jtBzlyWa7wXImkVj4ntH2NB9O8C:SyZgQKmKM1OXIa2tvy5whccn12RO85M
Threatray 3'338 similar samples on MalwareBazaar
TLSH 5A25CF1222486B56D6B877742F21C43013F1AC199A21D6BD7DED3D8F3BBEA434972632
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: coimtra.cam
Sending IP: 111.90.159.197
From: Rachel, Choi <Choi@coimtra.cam>
Subject: AW: AW: AW: ORDER 172IKL0153094 # 2020-0806
Attachment: ORDER 172IKL0153094.rar (contains "ORDER 172IKL0153094.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER 172IKL0153094.exe
Verdict:
Malicious activity
Analysis date:
2020-12-28 07:56:38 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/cb26f3d2-82c8-4724-adde-ecbd33244a12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.ArtemisF4679CFD7441.11778.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570575
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334344 Sample: ORDER 172IKL0153094.exe Startdate: 28/12/2020 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 8 other signatures 2->54 10 ORDER 172IKL0153094.exe 7 2->10         started        process3 file4 34 C:\Users\user\AppData\Roaming\aRZcadF.exe, PE32 10->34 dropped 36 C:\Users\user\...\aRZcadF.exe:Zone.Identifier, ASCII 10->36 dropped 38 C:\Users\user\AppData\Local\...\tmp7EC7.tmp, XML 10->38 dropped 40 C:\Users\user\...\ORDER 172IKL0153094.exe.log, ASCII 10->40 dropped 58 Injects a PE file into a foreign processes 10->58 14 ORDER 172IKL0153094.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 ORDER 172IKL0153094.exe 10->19         started        signatures5 process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Sample uses process hollowing technique 14->70 72 Queues an APC in another process (thread injection) 14->72 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        process8 dnsIp9 42 ketonesconnect.com 192.185.117.218, 49760, 80 UNIFIEDLAYER-AS-1US United States 21->42 44 www.promotionalplacements.com 91.195.240.94, 49759, 80 SEDO-ASDE Germany 21->44 46 21 other IPs or domains 21->46 56 System process connects to network (likely due to code injection or exploit) 21->56 27 wscript.exe 21->27         started        signatures10 process11 signatures12 60 Modifies the context of a thread in another process (thread injection) 27->60 62 Maps a DLL or memory area into another process 27->62 64 Tries to detect virtualization through RDTSC time measurements 27->64 30 cmd.exe 1 27->30         started        process13 process14 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-28 02:40:47 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wu3zffvwcaz7mktcf6eua3smite27jc2jqq5l6ulr737vdwlr5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1ade8e9c697c91b31ad76389a10e95c229eb05359a1dd70358be045199ff77a4
Formbook
3b0674528185c1927af4b44cb1a04cac22137140ba78e74095e816b25d2fca97
Formbook
549de81621fd5e577a164009e14fe791e2099b1a985fe37739801fdf156800b8
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
6c6cd6b0e9f9804b7c28b3ee1d24d339680578067d05b285a9da38d780b8ea59
Formbook
b475b8978e80b7cfc97d95df7e5c7b51efd86ec23d5257ec0c5aa40df7abf30a
Formbook
b4db045a825affb493b9ecf2155047996fe2dd6f85db26a79070c7fd78fa60e9
Formbook
d995c73f2e399b8c2fbb7c2fd6b32d7f91113cc86fa63fe560966f21e26c5ac1
Formbook
f38659e0b47cf0d1c0a61aa87256fdf60d04b2f41a935995b2346849f2f6b246
Formbook
f9a5216358a5932d7ea34c38f7d5e3bb0f3e6001a4a990a0b1af4d151aba2104
Formbook
+ 3'328 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/201228-1hgl7bqere/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.valiantbranch.com/0wdn/
Unpacked files
SH256 hash:
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
MD5 hash:
f4679cfd74418e90d5343137f769c2cc
SHA1 hash:
7be2cb509f3d56cffa419f6ac5968b2fb466d0bf
Link:
https://www.unpac.me/results/ae10536b-af9c-45fe-bad7-9bbe36fcf27c/
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/ae10536b-af9c-45fe-bad7-9bbe36fcf27c/
SH256 hash:
53d2e10614c7cb1064ea0a77279d078b020b58c0174f1a8cdb592f9c9d7607dc
MD5 hash:
c106f1e4f37f0b253cdd7f727a302f38
SHA1 hash:
9184ea796c98c54ff40b3da24d52f0455667c43b
Link:
https://www.unpac.me/results/ae10536b-af9c-45fe-bad7-9bbe36fcf27c/
SH256 hash:
785f0830e384d41d265e881a364c7ac80ca46f26887685347305e50710bc5174
MD5 hash:
897d0e6a772aa1ddabaa663884cfc459
SHA1 hash:
cdfc119d8612364e5f6ba0a0823d821253e09ae8
Link:
https://www.unpac.me/results/ae10536b-af9c-45fe-bad7-9bbe36fcf27c/
SH256 hash:
890e5e72222461be09c0c885e7b1f70c63d1cfec5ac245de637af3929b7e7834
MD5 hash:
7a6958c8cec4aec91bbafe23f99276e0
SHA1 hash:
b046b046022e42a868634a6675330933734575f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ae10536b-af9c-45fe-bad7-9bbe36fcf27c/
Parent samples :
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar b0155e4e413d4a45e1a255861740a24f1c6ac1f0dc521f63750ce8de45257439

Formbook

Executable exe fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b

(this sample)

  
Dropped by
MD5 e92a573a75ac0c9ab28a1f4b5fec6197
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b0155e4e413d4a45e1a255861740a24f1c6ac1f0dc521f63750ce8de45257439

Comments