MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd
SHA3-384 hash: 1b778ceb4735baca1b2655c7c4c3b6648d1a1b5b3e0cb41f0116cb94b5a5e028975772ee4dd27b1f0ae1da8911a3ec8d
SHA1 hash: 79431fa5e8f27fc459f457aae6c734fda0ea020d
MD5 hash: ba758c575363cec890e283c5301e09e7
humanhash: coffee-hotel-football-butter
File name:MT103-10122020.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:779'264 bytes
First seen:2020-10-12 05:50:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 010f3e42f15e9eb57a4a9a1dad838a51 (10 x Loki, 8 x AgentTesla, 3 x MassLogger)
ssdeep 12288:CAindXhz+XwfE0CQPW7q0dzQNqJHRrUtqwGKbdtFZ/kBtPr:xi16wf9aNzQ4lFUtqHwtFuBt
Threatray 2'391 similar samples on MalwareBazaar
TLSH DAF4C0A2E2E07473C1273A3C9CDB575C982EBD503D286946ABF52C4F5F3D681742A293
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: lin128.loading.es
Sending IP: 91.146.100.128
From: payment.advice@hsbc.com.hk <admin@aragaza.com>
Subject: PAYMENT ADVICE.
Attachment: MT103-10122020.7z (contains "MT103-10122020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69900/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487909
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Drops VBS files to the startup folder
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296398 Sample: MT103-10122020.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 5 other signatures 2->58 10 MT103-10122020.exe 2->10         started        process3 signatures4 68 Detected unpacking (changes PE section rights) 10->68 70 Writes to foreign memory regions 10->70 72 Allocates memory in foreign processes 10->72 74 4 other signatures 10->74 13 MT103-10122020.exe 10->13         started        16 notepad.exe 1 10->16         started        18 notepad.exe 10->18 injected process5 signatures6 82 Modifies the context of a thread in another process (thread injection) 13->82 84 Maps a DLL or memory area into another process 13->84 86 Sample uses process hollowing technique 13->86 20 explorer.exe 13->20 injected 88 Drops VBS files to the startup folder 16->88 90 Delayed program exit found 16->90 process7 dnsIp8 46 crystalmagicgadgets.site 34.102.136.180, 49736, 80 GOOGLEUS United States 20->46 48 www.circlelinebus.com 47.90.80.180, 49737, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 20->48 50 2 other IPs or domains 20->50 66 System process connects to network (likely due to code injection or exploit) 20->66 24 wscript.exe 1 20->24         started        26 cmmon32.exe 20->26         started        29 cmmon32.exe 20->29         started        signatures9 process10 signatures11 31 MT103-10122020.exe 24->31         started        76 Modifies the context of a thread in another process (thread injection) 26->76 78 Maps a DLL or memory area into another process 26->78 80 Tries to detect virtualization through RDTSC time measurements 26->80 34 cmd.exe 1 26->34         started        process12 signatures13 92 Writes to foreign memory regions 31->92 94 Allocates memory in foreign processes 31->94 96 Maps a DLL or memory area into another process 31->96 36 MT103-10122020.exe 31->36         started        39 notepad.exe 1 31->39         started        42 conhost.exe 34->42         started        process14 file15 60 Modifies the context of a thread in another process (thread injection) 36->60 62 Maps a DLL or memory area into another process 36->62 64 Sample uses process hollowing technique 36->64 44 C:\Users\user\AppData\Roaming\...\itselff.vbs, ASCII 39->44 dropped signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd/
Threat name:
Win32.Trojan.LokibotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 01:05:15 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dnbetmfvsc2bm33cutu77467ztcni3gksfz5trtjgeltr7my2loq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
5c0c2689256894521ac0012bc464ad7e0d93c25c60b9df3dfe26b35d85d1713a
Formbook
63d643f5f17f5e621ef22e4c05a5d92c519376d0043c0958284d34ae206c0161
Formbook
82b0bf0df7b8987197d19071dfda32b037ee3251291b08f6d979749635784e89
Formbook
82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
Formbook
89bf15eae14f60d6acc308cead31f09459947626b9839bbbddbf76f00821fe3b
Formbook
a998850fc7940055baac6f61dde2d0e29836c9386ac87555549eeaa1a9998401
Formbook
b19d067a87767c377a60981192e5edb9256ce11f7d663cdcae2af3d8d0c0c382
Formbook
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
Formbook
d7d1d6057e7e731b75e1ba9579ccfe717334cc7b4f59324af1a0aa179db22e68
Formbook
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
Formbook
+ 2'381 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201012-z6zrd7eczx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Drops startup file
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.bestcostaricacars.com/bti/
Unpacked files
SH256 hash:
1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd
MD5 hash:
ba758c575363cec890e283c5301e09e7
SHA1 hash:
79431fa5e8f27fc459f457aae6c734fda0ea020d
Link:
https://www.unpac.me/results/e2e98db6-dd7c-49e8-90f4-3a611607ff54/
SH256 hash:
19796b41857a837cce9961e6d33c436d2e099f7a5410784bfff4dae986d4eb56
MD5 hash:
e6f48f2e5c2cf67cce3c9861823b44f1
SHA1 hash:
d1f66c944510938d7a7fcb62b845b4d61d03c18f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e2e98db6-dd7c-49e8-90f4-3a611607ff54/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip b66c0e429e86b2f3f0071fa09ffd41a2be9694345dc83bdc843ff89fe57672e3

Formbook

Executable exe 1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd

(this sample)

  
Dropped by
MD5 50cb15003268988541296f747fe6b059
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69900/
  
Dropped by
SHA256 b66c0e429e86b2f3f0071fa09ffd41a2be9694345dc83bdc843ff89fe57672e3

Comments