MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7b8c2b1de957151098bf5806ac0b4a90eeb9f61dd211176072b3b3ba21c23cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7b8c2b1de957151098bf5806ac0b4a90eeb9f61dd211176072b3b3ba21c23cc
SHA3-384 hash: 80456b2d0448b5aab6d283b8c06ea20af88861ad9f4ef833b7d43104a59d6989c7a8dd7cdf4516fb84820d11d4b72be2
SHA1 hash: cead525e76e08a06930eb6bffd64c60240c6699e
MD5 hash: 32ce4c68c9ff06c3d1f091c1585d6bbb
humanhash: blossom-equal-magnesium-louisiana
File name:Request_for_Quote_D2AQ_SCAN-325_PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:520'192 bytes
First seen:2020-08-12 15:43:08 UTC
Last seen:2020-08-12 17:00:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:0I1B8yxLfRltLZ1Gr7Q604leEqWCjfsWuoOVlKOG7:0wB8yxjH1G3Q65EEW7seOC
Threatray 6'492 similar samples on MalwareBazaar
TLSH B3B4CF2976949D01C27A8B36CADA840447FAAC066A36DB1E7FDB339C0D117B35F0259F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: manda.com
Sending IP: 45.127.62.67
From: xiaoyu.Zheng@djmillison.com
Subject: Re: 204-RFQ | EXW-CHINA TO ONTARIO BY AIR - Reg
Attachment: Request_for_Quote_D2AQ_SCAN-325.gz (contains "Request_for_Quote_D2AQ_SCAN-325_PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/44291/
Detection(s):
SecuriteInfo.com.Backdoor.MSIL.Bladabindi.417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/423122
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b7b8c2b1de957151098bf5806ac0b4a90eeb9f61dd211176072b3b3ba21c23cc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 11:50:14 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w64mfmo6svyvccml6wagvqfuvehoxh3b3uqrc5qhfm5txiq4epga._file
Verdict:
malicious
Similar samples:
179043e8eb7c06144c67f58b2c2900ad10303862c0e5cd7e1fe5a4faf853f103
Formbook
20000a9d0078fa18b60d9ad52d36b4f5dfa77d2f74866e8793ee0085ab0c9964
Formbook
464ffb9a16b269537c0b4475ebe897cc2bb1e0e8d35b0da24aaf21d677a5bf02
Formbook
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
Formbook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
Formbook
822c61d76c4a9dc067978f8537aba073e1d90ccae770b89fc88993edde81386a
Formbook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
Formbook
9dc9ad5a5c2a56c7155bc775dc4b1d53c995f1498678a1ddb5d23010dd11c889
Formbook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
Formbook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
Formbook
+ 6'482 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200812-bl73est8q2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flekcht.com/f4m/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7b8c2b1de957151098bf5806ac0b4a90eeb9f61dd211176072b3b3ba21c23cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 1d8ba9f05721aa1039413ca4ac242793183549711b458db8220262a6a54a682d

Formbook

Executable exe b7b8c2b1de957151098bf5806ac0b4a90eeb9f61dd211176072b3b3ba21c23cc

(this sample)

  
Dropped by
MD5 4ab5774998ab2741b1605c976310f485
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1d8ba9f05721aa1039413ca4ac242793183549711b458db8220262a6a54a682d
Cape
Cape
https://www.capesandbox.com/analysis/44291/

Comments