MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc
SHA3-384 hash: d8cdb3c49ee1f24de76409a9ea94e8b109ff469431300ea44bd2d71d0d8923110066d55097c8e0446e0d91111372ad0d
SHA1 hash: 21c6aef008ef3ac6a90d1a3057fc3f04e4b41a28
MD5 hash: 38573fc523733971a06b6062d0238f1a
humanhash: stairway-black-ceiling-wolfram
File name:Chevron (Thailand) Limited - Quotation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:616'960 bytes
First seen:2020-11-06 07:35:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:WpjDwYg3G8AYzGdeZqKBEBxEuRKl+BPQhRFmLMZPv4tngpvi:Wpngn9T5BEDYmutZhi
Threatray 5'631 similar samples on MalwareBazaar
TLSH A3D4018EE35873D8E5A7277142FC58A08B23F666523292DE1C0ED40F46F76B4B613792
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: Pairoj Kaweeyanun <cbutner@chevron.com>
Reply-To: k1@ecg-ingenieria.mx
Subject: Quotation Request
Attachment: Chevron Thailand Limited - Quotation.zip (contains "Chevron (Thailand) Limited - Quotation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/522144
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 310172 Sample: Chevron (Thailand) Limited ... Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 31 www.moneytransfergas.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 11 other signatures 2->45 11 Chevron (Thailand) Limited - Quotation.exe 3 2->11         started        signatures3 process4 file5 29 Chevron (Thailand)...- Quotation.exe.log, ASCII 11->29 dropped 55 Injects a PE file into a foreign processes 11->55 15 Chevron (Thailand) Limited - Quotation.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 33 seniorngr.com 198.54.115.31, 49755, 80 NAMECHEAP-NETUS United States 18->33 35 stylablemention.com 34.102.136.180, 49759, 80 GOOGLEUS United States 18->35 37 4 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 msdt.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 05:32:09 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjb4pxa473ikwxvk2fbanmhpfabtrsdfvo3rfpdnm563o7mfbxga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
000d893715e565a925e4dd98feb6b28461a6b1c51dc3a5ac0ea48b407ac85653
Formbook
0375352dd935ee474c225b1e7c35707a10f7100b0167bbabd5a497dbb34777cf
Formbook
0492389f51ea478d6b922d2e41b7f8bf54c7231ed062bae93b8ede289926db7f
Formbook
4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f
Formbook
5d23faa05258eb51b196fee00263dc5e4556a37301d312563843a7ac8494ee19
Formbook
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
Formbook
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
Formbook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
Formbook
c62da41bbe27ef2aeaf2bcadd8e701bf7f2c6878445aad9158298b42c9f54b21
Formbook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Formbook
+ 5'621 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201106-mwc5gdgll6/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.goldenlinkpowerdeals.com/esp5/
Unpacked files
SH256 hash:
1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc
MD5 hash:
38573fc523733971a06b6062d0238f1a
SHA1 hash:
21c6aef008ef3ac6a90d1a3057fc3f04e4b41a28
Link:
https://www.unpac.me/results/9e54ae10-f538-479b-ba5e-1acc05285513/
SH256 hash:
b589b5f426505f57bd437ba4a32778d94931c68b41b91f0f1dfa376b13dd4603
MD5 hash:
8807265be103a5481e141340d34bbf89
SHA1 hash:
3439ebec76223d457c8a0ddde8c95a256c8b2c29
Link:
https://www.unpac.me/results/9e54ae10-f538-479b-ba5e-1acc05285513/
SH256 hash:
bf582a70a62278b60b959580139de38e6f83328fb6f2ce64978beeef65238497
MD5 hash:
4b08235de95346e17350abe89022934a
SHA1 hash:
b2b70e0e660d122c89baa9f0b685dc504552e460
Link:
https://www.unpac.me/results/9e54ae10-f538-479b-ba5e-1acc05285513/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/9e54ae10-f538-479b-ba5e-1acc05285513/
SH256 hash:
7ef2a597a5b46a2e2511fd29ec344fb6e46583800513811ab96970d2152bef23
MD5 hash:
14a2e7847436adc727b382c22e60f8c3
SHA1 hash:
7a6b823da8c0d6549a48f9a5c8cc3c234fef75cd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9e54ae10-f538-479b-ba5e-1acc05285513/
Parent samples :
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
0dbc9167676da74b238155c1234be3891b57cb15441b8f985dfdf295bc858a41
1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc
4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
c7a440c994771410363293be06d6af76be0ded9c4a706d4b2b16b333187942bb
f85b33feed6b4f002c008c9ab364290fea609966cde31700196eb924f2618c8a
1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409
eba046a1103330eec33d061399ec4388c9bcfd7a514c3b9745b6330c22423c8f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 503e32b4f29a5415e9f0a96055fc52ec3f79842fabdf71f1aec6976935853d85

Formbook

Executable exe 1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc

(this sample)

  
Dropped by
MD5 af8559e8cc757dddd1fecbfda0e04ecd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 503e32b4f29a5415e9f0a96055fc52ec3f79842fabdf71f1aec6976935853d85

Comments