MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 069d5be9ad8536747fa1075147dc61962d00ff0a13a0694bd9bc9946c94db225. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 069d5be9ad8536747fa1075147dc61962d00ff0a13a0694bd9bc9946c94db225
SHA3-384 hash: 68ef76b80f75698b6f4cc965f1e5c0f69e82e7ec6c6b8ec4d6b4598136d4a8e5bbf1dcd5c4543fa7063e203b901d39ad
SHA1 hash: 4a113d16dd246b86a86eecb564c749965f6ae566
MD5 hash: c1cbce96c6d4c9f68a9a2534bca16caf
humanhash: fifteen-two-floor-oven
File name:Amacon Company profile & about us.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:581'120 bytes
First seen:2020-10-23 06:36:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:PxUmgYZFA/mTmcI43pjQY7993Kg5Sp51DnlcwsXG2:fZFzTk4pc0fKzPlcws2
Threatray 2'594 similar samples on MalwareBazaar
TLSH B2C4129C3224B3EFCC97C0719F982D79EA91A5BB87174203902B55DEA94E59BCF060F1
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.pollyarm.xyz
Sending IP: 157.230.63.67
From: Amacon Makgoka<amacon.makgoka@hotmail.com>
Subject: Re: 回复: Request for Quotation with reference: BINIF0865
Attachment: Amacon Company profile about us.rar (contains "Amacon Company profile & about us.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74914/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507754
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 302997 Sample: Amacon Company profile & ab... Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 33 www.helpcreditscore.info 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 12 other signatures 2->47 9 Amacon Company profile & about us.exe 6 2->9         started        signatures3 process4 file5 27 C:\Users\user\AppData\...JisCLqQYeSmE.exe, PE32 9->27 dropped 29 C:\Users\user\AppData\Local\...\tmp86C9.tmp, XML 9->29 dropped 31 Amacon Company pro... & about us.exe.log, ASCII 9->31 dropped 57 Injects a PE file into a foreign processes 9->57 13 Amacon Company profile & about us.exe 9->13         started        16 schtasks.exe 1 9->16         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 Queues an APC in another process (thread injection) 13->65 18 explorer.exe 13->18 injected 22 conhost.exe 16->22         started        process9 dnsIp10 35 www.myvipfa.com 199.34.228.159, 49736, 80 WEEBLYUS United States 18->35 37 www.brunacarla.com 103.224.212.221, 49762, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 18->37 39 18 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 24 cmmon32.exe 18->24         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 24->51 53 Maps a DLL or memory area into another process 24->53 55 Tries to detect virtualization through RDTSC time measurements 24->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/069d5be9ad8536747fa1075147dc61962d00ff0a13a0694bd9bc9946c94db225/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 17:14:26 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2ovx2nnqu3hi75ba5iupxdbsywqb7ykcoqgss6zxsmunsknwisq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00c31ece69362a5cccc665bc1d57b48240d5bf53cbb159cb72b26454849e798e
Formbook
018bc083a823092a92d1c114dd649d85f63b19feda836cf32b44bc1e5c2f3aa9
Formbook
1aa1c6c264025cc567e70f6ca867a0c6618bd2eb2ec3312730c68a41c0d7e076
Formbook
49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3
Formbook
5a744c8440f5d46b0bde9abe9086a5f1ee8c1a54104811fee10179d441af5508
Formbook
754b53cd03dcc7c3d854a9628e5d01447fd778aae73f7890b5f7527ad4bd76ea
Formbook
777d646e09cf725986f3617d40d5bca943d077015759e346e3e8f5314cac13ce
Formbook
7b289ead031b7f476e07b8637bfb3749554253968060ecdd36046948f6ae5f8e
Formbook
b6138e4d197c59380c87723cb54c9cf7d5e4600a4273c98723470a57a591edda
Formbook
f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe
Formbook
+ 2'584 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201023-x9yddxkz12/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flipgired.com/aqu2/
Unpacked files
SH256 hash:
069d5be9ad8536747fa1075147dc61962d00ff0a13a0694bd9bc9946c94db225
MD5 hash:
c1cbce96c6d4c9f68a9a2534bca16caf
SHA1 hash:
4a113d16dd246b86a86eecb564c749965f6ae566
Link:
https://www.unpac.me/results/f19833c6-b099-4aeb-8d80-d11bc99cf3c7/
SH256 hash:
b6c86537aa42c89700699a049973f6c50d0da819e3f07369c203eb229d18cff3
MD5 hash:
a89083bd7b6221ef9c19a7a2cf17b0b5
SHA1 hash:
6a85c037f4825f0bf14eabc7e203114df8811e6f
Link:
https://www.unpac.me/results/f19833c6-b099-4aeb-8d80-d11bc99cf3c7/
SH256 hash:
e7649236134abf9f0a89f90630cb457fed23551d54b298259a6925f6a638d06b
MD5 hash:
128e40ac3ea4e9a88c69c2a84d1a018e
SHA1 hash:
892d5e2aa3ea437a1f30dbf8a21d850cf3842925
Link:
https://www.unpac.me/results/f19833c6-b099-4aeb-8d80-d11bc99cf3c7/
SH256 hash:
fb8b9188a802dc4c9142e4bf6cb89b857524dbb66c47b73d3da8e0f6ce4c3a83
MD5 hash:
bfdbb26f7dbd069633a9e83c438c72b2
SHA1 hash:
54183d95c570211ea46e2d88c13e3f563d9647a1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f19833c6-b099-4aeb-8d80-d11bc99cf3c7/
Parent samples :
f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe
28e6b82a33e2b7e7ce02e684b90aae380c6e4ec244d111a5d16833ddf288981b
069d5be9ad8536747fa1075147dc61962d00ff0a13a0694bd9bc9946c94db225
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 287bdb1a36a2c5b274c04a594663837e938782eec2821fc176803b959ae40bb4

Formbook

Executable exe 069d5be9ad8536747fa1075147dc61962d00ff0a13a0694bd9bc9946c94db225

(this sample)

  
Dropped by
MD5 faa19b5f0b9cb1441eb59f236a784294
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74914/
  
Dropped by
SHA256 287bdb1a36a2c5b274c04a594663837e938782eec2821fc176803b959ae40bb4

Comments