MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fb8b10c465ba8cfa4900993a2baefaed4a94499838719500a3a0bfc4e7a0656. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fb8b10c465ba8cfa4900993a2baefaed4a94499838719500a3a0bfc4e7a0656
SHA3-384 hash: 0a198b7d3593d85cbe7d973fbee823bde38c5bbcf00242dda8302e811d51db525647e46e6e6c1db1b17fe27073c70357
SHA1 hash: 5517e8d4005aab179c937995d2961314437b0403
MD5 hash: f436a0cd3737f12c4a72187cb6d5152a
humanhash: kentucky-winter-victor-oklahoma
File name:BCP SWIFT RNP094546505.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:755'712 bytes
First seen:2020-10-23 06:25:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:W3ytNK5l27VKTw0bqhQr7Y+ixLR3xQhQRurkpH0+DWN3IAAemqbcpF1P:W38K5s7VKTwSzr23xQhG3eg6AMuF1
Threatray 2'637 similar samples on MalwareBazaar
TLSH 74F4F178025AC985C3BE0438D47596FD56B99CF9FC0AC6478A97BC8C78373F963290A1
Reporter abuse_ch
Tags:exe FormBook Outlook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: NAM11-CO1-obe.outbound.protection.outlook.com
Sending IP: 40.92.18.91
From: David De La Oliva Falla- Scotia Bank <davidtanis@hotmail.com>
Subject: FWD: Re: OUTWARD DEBIT**Payment Advice RNP094546505
Attachment: BCP SWIFT RNP094546505.rar (contains "BCP SWIFT RNP094546505.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74904/
Detection(s):
SecuriteInfo.com.ArtemisF436A0CD3737.7943.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507727
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 302984 Sample: BCP SWIFT RNP094546505.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 37 www.godisforever.com 2->37 39 godisforever.com 2->39 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 3 other signatures 2->53 11 BCP SWIFT RNP094546505.exe 2 2->11         started        signatures3 process4 file5 35 C:\Users\...\BCP SWIFT RNP094546505.exe.log, ASCII 11->35 dropped 57 Writes to foreign memory regions 11->57 59 Maps a DLL or memory area into another process 11->59 15 RegAsm.exe 11->15         started        18 cmd.exe 1 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 2 other signatures 15->73 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        26 choice.exe 1 18->26         started        process9 dnsIp10 41 www.abzahri.com 23.83.50.234, 49769, 80 LEASEWEB-USA-LAX-11US United States 20->41 43 twittletweet.com 34.102.136.180, 49751, 80 GOOGLEUS United States 20->43 45 3 other IPs or domains 20->45 55 System process connects to network (likely due to code injection or exploit) 20->55 28 help.exe 20->28         started        signatures11 process12 signatures13 61 Modifies the context of a thread in another process (thread injection) 28->61 63 Maps a DLL or memory area into another process 28->63 65 Tries to detect virtualization through RDTSC time measurements 28->65 31 cmd.exe 1 28->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fb8b10c465ba8cfa4900993a2baefaed4a94499838719500a3a0bfc4e7a0656/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 23:09:04 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b64lcdcgloum7jeqbgj2foxpv3kksrezqodrsuakhif7ytt2azla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10a9aab39489aa507d35bb18b357ca6c9f8642d8fa27fc1ad9c7de03c8e9415d
Formbook
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
Formbook
1df003f8242579db0d215e8b75e999a15021b4ff7b49b7d7d90a90fb8ca4e6a1
Formbook
23b880c48fec41fa4fc337f0ecb3d9cd5ee8f71cd45448049a35bbcb85bb01f5
Formbook
2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
Formbook
76e0bf03767dfd6316810d96d2404daf16397a0ef3b90daf96ad67bc461209a8
Formbook
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
Formbook
bcaf7b4adc919fd5aaae24902b8135e2ad6d13249e9cb784b1532b52e40449b5
Formbook
db53a27c43dddb419e9d058e6288f3c1e7fc7e4bd62e3bb048e7103dcf79d682
Formbook
f397c24f2c684fdcd51dc9954c641d013437a78e24a5cf8c8778196a66a60372
Formbook
+ 2'627 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201023-hhpgsnjt4j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.wecom.chat/c236/
Unpacked files
SH256 hash:
0fb8b10c465ba8cfa4900993a2baefaed4a94499838719500a3a0bfc4e7a0656
MD5 hash:
f436a0cd3737f12c4a72187cb6d5152a
SHA1 hash:
5517e8d4005aab179c937995d2961314437b0403
Link:
https://www.unpac.me/results/59e47c58-f2a9-4c06-acbf-203a677902aa/
SH256 hash:
d3c215ade3974f3d4af1e65a772deb0f71e0ccaaecc8814ab3fa3fbae75b650d
MD5 hash:
9ca65623bf66b177b1ee9f7f950da910
SHA1 hash:
d6c54f957dadc4f9fc69c8200d9967f30ce89aa5
Link:
https://www.unpac.me/results/59e47c58-f2a9-4c06-acbf-203a677902aa/
SH256 hash:
c9e18528dcfdd46f3d9e87cd2189efa929b8ff0393c271cd81ea1d78439c0f4e
MD5 hash:
85dc21cbc03bcc7daefb376e3d975073
SHA1 hash:
e692e779623bb987434a9be48f467a72da7a2dfc
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/59e47c58-f2a9-4c06-acbf-203a677902aa/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar f0e49ab19ca2e330275d4269472a4186301e917ae86e66870f264a771af55d66

Formbook

Executable exe 0fb8b10c465ba8cfa4900993a2baefaed4a94499838719500a3a0bfc4e7a0656

(this sample)

  
Dropped by
MD5 81702c11e1b377c229bde8e0c1e8d651
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74904/
  
Dropped by
SHA256 f0e49ab19ca2e330275d4269472a4186301e917ae86e66870f264a771af55d66

Comments