MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32
SHA3-384 hash: b270b2a4a8c55d92e45bcc168fc66674b9e95a33eafda55b405bcdc378a200f559a70da3d3f894ff3b8b99e6b2ece61d
SHA1 hash: 456995dd37df8a724e29021eaa6edcfec896627e
MD5 hash: 3f3c3c1f0bc9be5354e220c5f04b1963
humanhash: tennis-missouri-pennsylvania-sad
File name:Factura de clients_0010002345.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:684'544 bytes
First seen:2020-10-07 10:56:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:H5imXfmn0A/HKjYJFHqkkRabB+0fIhWLaHHoNsXPa78ZnJhSqXKcTwtiokC7Cf:H6nqkJFKk/bw0fi2vNsXbhS4tTy
Threatray 2'560 similar samples on MalwareBazaar
TLSH BBE4F1243A94FB8EC51E8F3644554910EBE0D07A534BF387BCD71AEC940E7AD8A362E5
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vxsys-smtpclusterma-04.srv.cat
Sending IP: 46.16.61.65
From: Administracion <duldi@duldi.com>
Reply-To: duldi@duldi.com
Subject: Factura de Clients
Attachment: Factura de clients_0010002345.rar (contains "Factura de clients_0010002345.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68903/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484047
Signature
Binary contains a suspicious time stamp
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294467 Sample: Factura de clients_0010002345.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 7 other signatures 2->43 10 Factura de clients_0010002345.exe 3 2->10         started        process3 file4 27 C:\...\Factura de clients_0010002345.exe.log, ASCII 10->27 dropped 13 Factura de clients_0010002345.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 thepositivemisanthrope.com 34.102.136.180, 49751, 49753, 80 GOOGLEUS United States 16->29 31 sweetsistersmiami.com 160.153.136.3, 49752, 80 GODADDY-AMSDE United States 16->31 33 4 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 wscript.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 10:47:41 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djfpupq5ccd4e7t5jrzevb3bd57nsao77odjipxqluibkyklbyza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10a9aab39489aa507d35bb18b357ca6c9f8642d8fa27fc1ad9c7de03c8e9415d
Formbook
5abc963a4cbaaee6582d5db264da8b2cb0c5a760115047a8df1e629c48dfc6e9
Formbook
5c0c2689256894521ac0012bc464ad7e0d93c25c60b9df3dfe26b35d85d1713a
Formbook
63d643f5f17f5e621ef22e4c05a5d92c519376d0043c0958284d34ae206c0161
Formbook
691e25f141a0389dec22a7f9027a57ff7242cd2918f525e3c22e81c863f803c9
Formbook
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
Formbook
bcaf7b4adc919fd5aaae24902b8135e2ad6d13249e9cb784b1532b52e40449b5
Formbook
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
Formbook
de4679b52c5e51db87ae9671ec2b25364dd62641377bfbfd6d5cf67e7741598c
Formbook
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
Formbook
+ 2'550 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201007-3ac5wylke6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fullyey.com/mye/
Unpacked files
SH256 hash:
1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32
MD5 hash:
3f3c3c1f0bc9be5354e220c5f04b1963
SHA1 hash:
456995dd37df8a724e29021eaa6edcfec896627e
Link:
https://www.unpac.me/results/d46a1992-8380-4b84-9e7b-50c8b79b2964/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/d46a1992-8380-4b84-9e7b-50c8b79b2964/
SH256 hash:
096444f0a00a84d1bbab7533cb44d6fe6a1068fa606d4a70d5956e11e9970d00
MD5 hash:
3c993f7ab9fb970bde549e8d15b167f1
SHA1 hash:
984e098d8f87366a19a24beb0eb9ba4fb6ad67f7
Link:
https://www.unpac.me/results/d46a1992-8380-4b84-9e7b-50c8b79b2964/
SH256 hash:
87e36a3be7eda97e06de7323f070e5c06069f129efc8871f3eb72a5c6533ce84
MD5 hash:
a02d7da6146c35a941b6142e813d3615
SHA1 hash:
f97a68b643002e16c96fdd9873697ee61a1438ed
Link:
https://www.unpac.me/results/d46a1992-8380-4b84-9e7b-50c8b79b2964/
SH256 hash:
cefe87a0de015dc44dc1086458460be07edba8d9f7211c4bed8a11809d520a72
MD5 hash:
0403b7f4765e08a2f74690caf1a82990
SHA1 hash:
b0e9f69b8c337b605edecdcc3345c6f0045ee04e
Link:
https://www.unpac.me/results/d46a1992-8380-4b84-9e7b-50c8b79b2964/
SH256 hash:
34522ce646c52c59a01d9403ea5459a8f5189d103d37ffbd02fc516e67e5e555
MD5 hash:
4392a850e700fd05212fa73c49982343
SHA1 hash:
a7ab2d2d2c7c0b3f27bdf9b91eeda94155f1c8cc
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d46a1992-8380-4b84-9e7b-50c8b79b2964/
Parent samples :
1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32
805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591
d8eca36ecff579ceffbd778ab8c8949a94d4967e1c0965988b2a68671f1915ef
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

87daa17922cdd22c2b22e8f4c2aaf6ff

Formbook

Executable exe 1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32

(this sample)

  
Dropped by
MD5 87daa17922cdd22c2b22e8f4c2aaf6ff
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68903/

Comments