MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10
SHA3-384 hash: 465324c4fe2a9ee1e82229fac5074e7b8068283fa31720de3f33a04911e2e3bcf5d218e3a64cb02cddf96a930d72c0b3
SHA1 hash: f18a525c3834a3f82784b7444437d44270eec3e0
MD5 hash: 45920c50ec843f13a7f798c11c1dceb2
humanhash: mars-colorado-muppet-april
File name:payment advice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:698'368 bytes
First seen:2020-10-08 17:43:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Ey3ymQzsY9scwRY+NyfSLaiLBxhTrtZNWUDWcg8/jFEnAGNXJida3izuWNXf:Ryp+Bm+8qD9XTZZQbu2AGZJgL
Threatray 2'375 similar samples on MalwareBazaar
TLSH 3CE4120176B81B23ED3E43F9E6888461A3B292337427E79A8DD875E31AD77018585FC3
Reporter abuse_ch
Tags:exe FormBook HSBC


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: slot0.airtechnical.nu
Sending IP: 45.95.169.154
From: HSBC ADVICING SERVICE <info@italflexo-cz.com>
Subject: Payment Advice - Advice Ref:[G51177596632] / Priority payment / Customer Ref:[FCM TRVLS 1005]
Attachment: payment advice.zip (contains "payment advice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69321/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485864
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 295377 Sample: payment advice.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 31 www.kybtv.com 2->31 33 kybtv.com 2->33 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 7 other signatures 2->43 11 payment advice.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\payment advice.exe.log, ASCII 11->29 dropped 53 Injects a PE file into a foreign processes 11->53 15 payment advice.exe 11->15         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 15->55 57 Maps a DLL or memory area into another process 15->57 59 Sample uses process hollowing technique 15->59 61 Queues an APC in another process (thread injection) 15->61 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.accentcapricious.life 103.254.121.22, 80 CTCXChubuTelecommunicationsCompanyIncJP Mongolia 18->35 45 System process connects to network (likely due to code injection or exploit) 18->45 22 msiexec.exe 18->22         started        signatures11 process12 signatures13 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 14:39:33 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ath4naywpicgejlm35vg6knohzriwcp7bvqffnlj5x5qvwrurqia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0d5af6ad459d48db0b27ab6ab4584191097bfc33c4f2475ce1b3a66e523e2bef
Formbook
106f9f66c54be3c20be8f04ce63f5d6183d6eb9e79a6b243b5c820cc01ee24cb
Formbook
10a9aab39489aa507d35bb18b357ca6c9f8642d8fa27fc1ad9c7de03c8e9415d
Formbook
2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
Formbook
4ba0d07d32c048141100317f95bd6dd8b791ba9c6608730b8408530490a13922
Formbook
691e25f141a0389dec22a7f9027a57ff7242cd2918f525e3c22e81c863f803c9
Formbook
bcaf7b4adc919fd5aaae24902b8135e2ad6d13249e9cb784b1532b52e40449b5
Formbook
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
Formbook
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
Formbook
fd9f113a78e94fc975ba4e5e940c91395e63b5ea904e7690fbad9f569b6da1b8
Formbook
+ 2'365 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201008-wekyc76g8n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Unpacked files
SH256 hash:
04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10
MD5 hash:
45920c50ec843f13a7f798c11c1dceb2
SHA1 hash:
f18a525c3834a3f82784b7444437d44270eec3e0
Link:
https://www.unpac.me/results/df0ba028-753e-42ac-994d-7a397b8918e6/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/df0ba028-753e-42ac-994d-7a397b8918e6/
SH256 hash:
fbe83a0080ce8ff333a52bf0f7ba4f06957b569939661096fad990c291fe395a
MD5 hash:
ef4c260ca16760ea02f2cf685c1be13f
SHA1 hash:
a38bf786f51117fd1496ba02f7c572714defe5ff
Link:
https://www.unpac.me/results/df0ba028-753e-42ac-994d-7a397b8918e6/
SH256 hash:
cbb8970f7cd99118d5b9f0737e2354813812fd6444bec31ae44abed5db9ca13b
MD5 hash:
8b4c49dfc9a817acca1550125fcea7bd
SHA1 hash:
56ab5f64522dba56921ca7f4166a8c004fe53889
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/df0ba028-753e-42ac-994d-7a397b8918e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 45f68131d09f00e218bd7ab2504d1033c601a2a34f87fca389ece4c8fefe1d93

Formbook

Executable exe 04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10

(this sample)

  
Dropped by
MD5 67fb37080627c879b3074879302867e1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69321/
  
Dropped by
SHA256 45f68131d09f00e218bd7ab2504d1033c601a2a34f87fca389ece4c8fefe1d93

Comments