MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03c78086d04631f011e45da72afc76354452b162c58447b6ee2edc75c15e18dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03c78086d04631f011e45da72afc76354452b162c58447b6ee2edc75c15e18dd
SHA3-384 hash: 1cf1627581bda591c6ba2b2e853f3cd66f9a2a6478e67018fc15b8efaf45000c8c70e081f9c93da8de89d93d1f13e3e0
SHA1 hash: 893e277992132d1d033e84faabc2f114a123780d
MD5 hash: 79e6f99a25e5491a1bb7d44fcdd788fd
humanhash: muppet-nevada-lake-diet
File name:RFQ.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:742'912 bytes
First seen:2020-10-20 08:33:06 UTC
Last seen:2020-10-25 19:53:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:BnGRBH9ALaVEzIwLj0VW4gfh2e87L9A1GKZHNYPzod3v59y/ZDWXA1NlZQQ6xuAP:BGRBH9tCx0be4A1GUKzodryxDW8ZQQ6X
Threatray 2'566 similar samples on MalwareBazaar
TLSH 90F4F1004954AAF3C97C8FF9742B04184F712197ABA2E52B2DEC7BD80ED5B105A7C6DB
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: server.miyoshi.biz
Sending IP: 111.235.136.178
From: Natalya Povolnova <office@infintetadeltd.com>
Reply-To: sjrkintluea@gmail.com
Subject: Request For Quotation(Urgent)
Attachment: RFQ.arj (contains "RFQ.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73354/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497321
Signature
Binary contains a suspicious time stamp
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 300851 Sample: RFQ.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 31 www.dogruparti.xyz 2->31 33 redirect.natrocdn.com 2->33 35 natroredirect.natrocdn.com 2->35 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AntiVM_3 2->47 49 5 other signatures 2->49 11 RFQ.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\RFQ.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 15 RFQ.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 37 forimoconsulting.com 184.168.131.241, 49739, 80 AS-26496-GO-DADDY-COM-LLCUS United States 18->37 39 www.azadvisors.com 52.58.78.16, 49762, 80 AMAZON-02US United States 18->39 41 2 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 explorer.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/03c78086d04631f011e45da72afc76354452b162c58447b6ee2edc75c15e18dd/
Threat name:
ByteCode-MSIL.Trojan.Agentesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 01:39:06 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=apdybbwqiyy7aepelwtsv7dwgvcffmlcywcepnxof3ohlqk6ddoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0713f11756d56d7b064989ad057ab768f0cbef644ee45b96f1ef2a9daefd0eaa
Formbook
180c1029f70e0bc02acbd67fb8f8628b16dc896b6894fff0c1527247f1adaa85
Formbook
3f8bef60842d6aa5827f315301d8b8b116a0938ed26f9da7eda3db51c104efb4
Formbook
4ab3ba278dacd218a4308aa0074105546a52256e029a29d67f8291facf25fd43
Formbook
8f5161a12c4c8522e00196b39b3ee82c620da9914f8b861d6eee31cb8662d18b
Formbook
a2c689776ac0293d25b03d0c864f9c5a5314d06da7a126682350939196eb16e6
Formbook
aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
Formbook
b9aac9e8bc1b19d0bdecac73e757f9d3bbcf51f9b5d883f34a3ecad591716582
Formbook
da8c31096f9e2ffc9a1fea4a63d6440cfda55349845300b4f333a02317c73dde
Formbook
f638e03e33b24d736db2873b3dee14d8312731d040adb93265b99e21b94b3978
Formbook
+ 2'556 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201020-aj5nmk52ge/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.208ky.com/nl8/
Unpacked files
SH256 hash:
03c78086d04631f011e45da72afc76354452b162c58447b6ee2edc75c15e18dd
MD5 hash:
79e6f99a25e5491a1bb7d44fcdd788fd
SHA1 hash:
893e277992132d1d033e84faabc2f114a123780d
Link:
https://www.unpac.me/results/0a69af7d-8aa9-40d8-9e80-f6518c86c3eb/
SH256 hash:
0540af597ce03c0d83c817a0789b046ff400fd6011a4ba487b08d2fa0f6f8e4e
MD5 hash:
a6e9c03a697b0dbd90510b7af0e5dfca
SHA1 hash:
123766251fd81109a67bf884d833ed209b280ec0
Link:
https://www.unpac.me/results/0a69af7d-8aa9-40d8-9e80-f6518c86c3eb/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/0a69af7d-8aa9-40d8-9e80-f6518c86c3eb/
SH256 hash:
8b13cd21c6fb12a1cb9e57aba89c3bc8dfafc968a141b1e740433fab655294eb
MD5 hash:
e516efc4307f30ade4c58099085fe46a
SHA1 hash:
5fa7fe7476a8cad37e3c65c9567ff2ac73b59a44
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0a69af7d-8aa9-40d8-9e80-f6518c86c3eb/
Parent samples :
180c1029f70e0bc02acbd67fb8f8628b16dc896b6894fff0c1527247f1adaa85
4ab3ba278dacd218a4308aa0074105546a52256e029a29d67f8291facf25fd43
3f8bef60842d6aa5827f315301d8b8b116a0938ed26f9da7eda3db51c104efb4
b9aac9e8bc1b19d0bdecac73e757f9d3bbcf51f9b5d883f34a3ecad591716582
a2c689776ac0293d25b03d0c864f9c5a5314d06da7a126682350939196eb16e6
f638e03e33b24d736db2873b3dee14d8312731d040adb93265b99e21b94b3978
da8c31096f9e2ffc9a1fea4a63d6440cfda55349845300b4f333a02317c73dde
0713f11756d56d7b064989ad057ab768f0cbef644ee45b96f1ef2a9daefd0eaa
8f5161a12c4c8522e00196b39b3ee82c620da9914f8b861d6eee31cb8662d18b
03c78086d04631f011e45da72afc76354452b162c58447b6ee2edc75c15e18dd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03c78086d04631f011e45da72afc76354452b162c58447b6ee2edc75c15e18dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

arj c4c2b15e69a6e5b1d25a9139b57fc1e04561f8b6bb8f1a7aa9d0379229b55b69

Formbook

Executable exe 03c78086d04631f011e45da72afc76354452b162c58447b6ee2edc75c15e18dd

(this sample)

  
Dropped by
MD5 311859bc9ad2c8fa56169e890c0c2cb3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73354/
  
Dropped by
SHA256 c4c2b15e69a6e5b1d25a9139b57fc1e04561f8b6bb8f1a7aa9d0379229b55b69

Comments