MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9
SHA3-384 hash: 64beb9d69c3b1ecd4cf5727d3d962ae8315ac009e4ca8c371eda80b55ce17b189d5061cb85d459604163c1924fea6d0e
SHA1 hash: e2d0096b5c6118ce2b66a794276e01603b7e7771
MD5 hash: e04c803a304194fe916ca43591eb5fca
humanhash: delaware-oregon-carpet-blue
File name:purchase list 02.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:456'704 bytes
First seen:2020-10-02 09:27:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:mBcHkocFh3zhOKdLWnuYBH2+koto0BnCXmuUb:LdUVhOKdSrBW+kon3
Threatray 2'257 similar samples on MalwareBazaar
TLSH E5A4CF3D6698D717CD7E427514701308B1F1D12A2221E75DEFFC50BE26E0B72AB326AA
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail1.classsnk.com
Sending IP: 128.199.3.178
From: iwis@salab-druid-2.localdomain, drive@salab-druid-2.localdomain, systems@salab-druid-2.localdomain, LLC <Jared.Enas@iwis.com>
Reply-To: Jared.Enas@iwis.cp
Subject: Purchase order 45347212
Attachment: purchase list 02.zip (contains "purchase list 02.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67704/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480103
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Disables Windows Defender (via service or powershell)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 292489 Sample: purchase list 02.exe Startdate: 02/10/2020 Architecture: WINDOWS Score: 100 39 mksso-real.com 192.236.177.161, 49760, 80 HOSTWINDSUS United States 2->39 41 www.shroomsconnect.com 2->41 43 2 other IPs or domains 2->43 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 14 other signatures 2->51 8 purchase list 02.exe 1 7 2->8         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\YKTpXz.exe, PE32 8->33 dropped 35 C:\Users\user\AppData\Local\...\tmpAA7E.tmp, XML 8->35 dropped 37 C:\Users\user\...\purchase list 02.exe.log, ASCII 8->37 dropped 53 Disables Windows Defender (via service or powershell) 8->53 55 Injects a PE file into a foreign processes 8->55 12 purchase list 02.exe 8->12         started        15 powershell.exe 25 8->15         started        17 powershell.exe 23 8->17         started        19 13 other processes 8->19 signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 12->57 59 Maps a DLL or memory area into another process 12->59 61 Queues an APC in another process (thread injection) 12->61 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 19->27         started        29 conhost.exe 19->29         started        31 10 other processes 19->31 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-10-02 07:30:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bj4hlpoqeahhlgt7yhhatkhtd7pvsuegracgfhgcygh25hcqd7uq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
209a9092f39d420c7a9a9af3c8bae1183639ceb8089b5f07eca30db7b66f9fc6
Formbook
2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Formbook
33500d82b580ebcc34521dd70217ba0cf976d4708f6d9d413388aae64317b43d
Formbook
391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61
Formbook
3beb95c4f83e5f7d1af897311a6cd1d8abfb04c656ca73d7f4c8db6ad6e5d150
Formbook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
Formbook
6612e640d15ed26414fc5c288b9bb7050db90517febb11d4b5145fb8d84441b9
Formbook
6eaef969b84860514d4fe3fdc448e2bb3d8ec071b19ad3cb8fce053cf0925bc8
Formbook
7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7
Formbook
cedead5dd0528f69da0617580afc0bcb6dd52eb05ad35dc2f24ec45179851e62
Formbook
+ 2'247 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201002-re6vaxek1n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Windows security modification
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Modifies Windows Defender Real-time Protection settings
Malware Config
C2 Extraction:
http://www.mscast03.info/cx0/
Unpacked files
SH256 hash:
0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9
MD5 hash:
e04c803a304194fe916ca43591eb5fca
SHA1 hash:
e2d0096b5c6118ce2b66a794276e01603b7e7771
Link:
https://www.unpac.me/results/b1352a2b-6997-43ee-8b88-72ee1ba523b4/
SH256 hash:
cad6b8e65a800bd567cb29ced465959a84736819838cc9a82b238f29b66bae5d
MD5 hash:
345a717c1dc60341c573b5da494edff2
SHA1 hash:
77e59bbc675a3aadbd26aeaa860722dbd03772be
Link:
https://www.unpac.me/results/b1352a2b-6997-43ee-8b88-72ee1ba523b4/
SH256 hash:
6f804702c2bb320a53a814c5c78a5027cf98344cb4b0b3d462a3107aadb333aa
MD5 hash:
1e377dfd2a61237dadbea75c309e3b8b
SHA1 hash:
94fc84cd8a5b564995495cc761ecff4acd771d34
Link:
https://www.unpac.me/results/b1352a2b-6997-43ee-8b88-72ee1ba523b4/
SH256 hash:
108e1552762d1d1fb48fe198362ed286bd52b259e05a08b841665beaae3d00f5
MD5 hash:
05866e531819bcae3bc2e67e30641d39
SHA1 hash:
d7d204c5ce25a44cb7aaffadc7c50a524a61048d
Link:
https://www.unpac.me/results/b1352a2b-6997-43ee-8b88-72ee1ba523b4/
SH256 hash:
5b3187cab1bcfdc847b20d3d07c93da63725524dca746e9360bbfa6cf74170ba
MD5 hash:
06e0a11653b9c898b692417b69e0bd9c
SHA1 hash:
9c797257b1b38e71d0a13467c1647754bb70dcc7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b1352a2b-6997-43ee-8b88-72ee1ba523b4/
Parent samples :
391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61
0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9
25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 0c5268e859ea956ae8fdf1219bd6b4bdf1f3f9cdb7c43e4b10932105d8261861

Formbook

Executable exe 0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9

(this sample)

  
Dropped by
MD5 3452a6d55f5221137efc039bff911086
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/67704/
  
Dropped by
SHA256 0c5268e859ea956ae8fdf1219bd6b4bdf1f3f9cdb7c43e4b10932105d8261861

Comments