MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d2cf62b947967dcece71936fe76d44d03d97f11c6ec580c67f33761a99ef708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d2cf62b947967dcece71936fe76d44d03d97f11c6ec580c67f33761a99ef708
SHA3-384 hash: dfd0084a84e187bfd79d1dd4271d946ccb3476eb9e74dd147f29e52e644993f9c1cccf5447f9c149eb6404b15f1c893e
SHA1 hash: 88c0f62af95c53b0a4d1f2d9422c9016490851ed
MD5 hash: 39812fe18840e436a74aff55785f08d4
humanhash: oxygen-double-skylark-artist
File name:Statement for due invoices.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'044'480 bytes
First seen:2020-10-21 07:04:08 UTC
Last seen:2020-10-25 18:51:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:EhWzuFgEj7MFW8FHhNX1ejJsfk1iaLvOA1GUKzod:daJ7MFFxxAvOANKzo
Threatray 37 similar samples on MalwareBazaar
TLSH 1D25CF98329075AFC65BCE339A681C54EA207C67631BC247902336ED9A2D6CBDF145F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: condor3828.startdedicated.com
Sending IP: 148.72.158.138
From: CookMedical AR Team <financemail@nom-uk.com>
Subject: Cook Medical Statement for due invoices
Attachment: Statement for due invoices.zip (contains "Statement for due invoices.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73872/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44131431.24189.8059.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505302
Signature
Binary contains a suspicious time stamp
Contain functionality to detect virtual machines
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301675 Sample: Statement for due invoices.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for dropped file 2->28 30 Sigma detected: Scheduled temp file as task from temp location 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 11 other signatures 2->34 8 Statement for due invoices.exe 6 2->8         started        process3 file4 22 C:\Users\user\AppData\...\iPiuyFhOmJALV.exe, PE32 8->22 dropped 24 C:\Users\user\AppData\Local\...\tmpABDD.tmp, XML 8->24 dropped 26 C:\...\Statement for due invoices.exe.log, ASCII 8->26 dropped 11 Statement for due invoices.exe 2 8->11         started        14 schtasks.exe 1 8->14         started        process5 signatures6 36 Moves itself to temp directory 11->36 16 cmd.exe 1 11->16         started        18 conhost.exe 14->18         started        process7 process8 20 conhost.exe 16->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d2cf62b947967dcece71936fe76d44d03d97f11c6ec580c67f33761a99ef708/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 20:04:09 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=buwpmk4upft5z3hhde3p45wujub5s7yry3wfqddh6m3wdkm664ea._file
Verdict:
malicious
Similar samples:
1167a7d5a6192107c841eee3d1292914e2ddbe6b661f2c2c41f1c1977ac97372
Formbook
3528262d84ec15b8f88df39fe817d32a773274d53541ceee13c983c81b15fcf6
Formbook
3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
Formbook
54e9e8ac005eba3cd288eac02d69cb77b8b419b5bf00da41f175d40aec919717
Formbook
55416c27dc034735dba35002a4c206b05ab35bc197a56584d2ddba5dad588633
Formbook
78be18a8bdab5baf14aa5c195ce9f5636750cd4fee2d3bbc3528f4ed8f9ad9ee
Formbook
8246f2b18a1592cc2a37c001e2415412f5e63d14220324ae8356981e25a4ba76
Formbook
8c2e43ef586651d691717a853437fcd7c1296598fc2c6a40eb3ddaba91686c36
Formbook
ac2a1a0b8560a6c0305e4d8e4fba8221974f011c5b52a5adec277268d4715f69
Formbook
ea49f722d6874e9b0b754f8116edceee6cdf4b85aa893d1b86053bfc506e5602
Formbook
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx persistence
Link:
https://tria.ge/reports/201021-5562blypde/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Unpacked files
SH256 hash:
0d2cf62b947967dcece71936fe76d44d03d97f11c6ec580c67f33761a99ef708
MD5 hash:
39812fe18840e436a74aff55785f08d4
SHA1 hash:
88c0f62af95c53b0a4d1f2d9422c9016490851ed
Link:
https://www.unpac.me/results/80f93ec5-83ac-4edd-bfc7-7004a3dac5c5/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/80f93ec5-83ac-4edd-bfc7-7004a3dac5c5/
SH256 hash:
0697c5f24e3c3a38d34f173136a2da7a55fd004d5b326c15538e58d57655ed4b
MD5 hash:
a75948682352a5d65ee2be7eed986513
SHA1 hash:
5d4a54011e086b397ebd54a89d523c714f6c6255
Link:
https://www.unpac.me/results/80f93ec5-83ac-4edd-bfc7-7004a3dac5c5/
SH256 hash:
715fb8f776d48ade5fc9fd7b6563b9e1714e861c9f8973f376d79587b2919ac5
MD5 hash:
387e621dd89d2f137398d83542f56514
SHA1 hash:
c92601a4e37b0f69f22bbdf65d8b4a2fed4724be
Detections:
win_webmonitor_w0
Create hunting rule
Link:
https://www.unpac.me/results/80f93ec5-83ac-4edd-bfc7-7004a3dac5c5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_webmonitor_w0
Create hunting rule
Author:James_inthe_box
Description:Revcode RAT
Reference:ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip d14fb5a79ded18eb113e8ef66c9fdd4fc3e220113cebf1420b3cf5d7b41f4378

Formbook

Executable exe 0d2cf62b947967dcece71936fe76d44d03d97f11c6ec580c67f33761a99ef708

(this sample)

  
Dropped by
MD5 2c648e2452d3219d5014a37c0176f26b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73872/
  
Dropped by
SHA256 d14fb5a79ded18eb113e8ef66c9fdd4fc3e220113cebf1420b3cf5d7b41f4378

Comments