MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
SHA3-384 hash:	dfafdcdc6bba7845c7ece0698133364f9959a5022f2b2472003dd9854659c7a05628937830d07b590080afd9e08cbcfe
SHA1 hash:	fc8a3fc1151d29d9210735e50b104e0aff7c3d42
MD5 hash:	51afc3df2bf79ca26430f80604c0640f
humanhash:	magazine-pizza-floor-network
File name:	MTP-성진기공.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	487'936 bytes
First seen:	2020-10-20 08:35:17 UTC
Last seen:	2020-10-26 06:19:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:as+U+xV6HKilmSQ2RLrY0RYqxIik39A1GKZHNYPzodlDDy:asZ+GKiQZ2RvaqxIhA1GUKzodl
TLSH	A1A40224219A6B73E3BE1BF6201D4019C3F5248D7767E6684EE237EA26D1F404FA4D63
Reporter	abuse_ch
Tags:	exe FormBook geo KOR

abuse_ch

Malspam distributing unidentified malware:

HELO: mail-smail-vm46.hanmail.net
Sending IP: 203.133.180.234
From: UTITECH <kwakts@hanmail.net>
Subject: 유티아이테크-발주서 송부의건
Attachment: MTP-성진기공_pdf.gz (contains "MTP-성진기공.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/73365/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/497327

Signature

Binary contains a suspicious time stamp

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-20 02:19:08 UTC

AV detection:

25 of 27 (92.59%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cyx5wnx3xl7rlcoehkou5zys4fpi4er2kyxfnh6o4kg3gc3vmola._file

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201020-emzvx7e1ce/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Unpacked files

SH256 hash:

162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396

MD5 hash:

51afc3df2bf79ca26430f80604c0640f

SHA1 hash:

fc8a3fc1151d29d9210735e50b104e0aff7c3d42

Link:

https://www.unpac.me/results/f0b50125-5109-4a9e-b482-f929aa29a472/

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/f0b50125-5109-4a9e-b482-f929aa29a472/

SH256 hash:

f740c5fe52cc4df452f0b40ed505bbdd3678091cba804a8bcbc3c7ccbd5cee14

MD5 hash:

6b355c94e04d93694f4d28e1f7ccf780

SHA1 hash:

4cf9da47c111c6ce6d3c334c8a874664184a10d3

Link:

https://www.unpac.me/results/f0b50125-5109-4a9e-b482-f929aa29a472/

SH256 hash:

4164f6659ed07c2da64b9c7e619cca31a0342267ad6427a131972809117169da

MD5 hash:

c5c92a39f5f3df155cc00d352750979a

SHA1 hash:

4768e47cb129c16c1f90293778d7efc4afc50c84

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/f0b50125-5109-4a9e-b482-f929aa29a472/

Parent samples :

796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz eb08b38ca3e583a48caa99a1f48b707b91dc35824e5368fddf78042927e36cdc

Formbook

exe 162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396

(this sample)

Dropped by

MD5 8c8eb4dd56e83e2e8f6d886b1827ddc8

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 eb08b38ca3e583a48caa99a1f48b707b91dc35824e5368fddf78042927e36cdc

Cape

https://www.capesandbox.com/analysis/73365/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample