MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784
SHA3-384 hash: 6d0201e755f4b7dbc939f115cd3d859c9181a0bd9570fd4502cfa7d7526695dcfa6a6e6a8d230e4c6871773e35e1c555
SHA1 hash: 85ce452b7f88df32cc199f4d686ed527c190e339
MD5 hash: b3bf6b0f34dc19c7f86ab51e0b882b3b
humanhash: speaker-lactose-gee-timing
File name:TR_008 Purchase Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:784'896 bytes
First seen:2020-10-09 06:10:19 UTC
Last seen:2020-10-09 07:09:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:YqOkbtgxFka6c9ntitV/0NvLF2n33HfBZXfeJj9CFpaSe3iLgu1VUk5u6PEOQWdf:YtxOjc9nItVsVF23LeUp+3ijck5
Threatray 2'381 similar samples on MalwareBazaar
TLSH 02F49DAD725076EFC95BC876CEA82C64EA10747B530BD203A06716AD9D0DA9BCF141F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: host.kroser.com.uy
Sending IP: 162.211.86.3
From: Hangzhou Zhejiang Co., Ltd. <sales@technorexco.com>
Subject: RFQ # Q20182401 // ORDER_N ° 10014 // New_Suppliers_Ord er / [OCT-DEC]
Attachment: TR_008 Purchase Order.iso (contains "TR_008 Purchase Order.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69415/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486292
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 295595 Sample: TR_008 Purchase Order.exe Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 31 www.dagl.space 2->31 33 dagl.space 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 10 other signatures 2->47 11 TR_008 Purchase Order.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\...\TR_008 Purchase Order.exe.log, ASCII 11->29 dropped 57 Injects a PE file into a foreign processes 11->57 15 TR_008 Purchase Order.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.waiftx.com 104.18.35.236, 49753, 80 CLOUDFLARENETUS United States 18->35 37 shops.myshopify.com 23.227.38.64, 49756, 80 CLOUDFLARENETUS Canada 18->37 39 2 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 wlanext.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 01:39:25 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d26qf5mgruozgihicgvyd44s42zojwgj3l4oju5sktl2ubknw6ca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0444972f4976d21a707c947f936ee857584f0dee44e795c6dc7cb86d9b28eddd
Formbook
0538ad6e3f92ea13a5a3dadb18e807ce26097bbfd2f473e873a514b6dbbe8f5d
Formbook
145880ed94e0db3cab65cb54db4728520f1ac5f95ff2b0dda2650233542dd706
Formbook
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
Formbook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
Formbook
7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a
Formbook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
Formbook
abdcaa24ca253113905e140a11a445eec5f758bd6403ccf805f87be5c30ea4a3
Formbook
b9c1be5f81b9261b1bb68fb0f667a57721bd04b750427a9382844c42d18dba6e
Formbook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
Formbook
+ 2'371 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201009-h3twx5aed6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.waiftx.com/tmc8/
Unpacked files
SH256 hash:
1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784
MD5 hash:
b3bf6b0f34dc19c7f86ab51e0b882b3b
SHA1 hash:
85ce452b7f88df32cc199f4d686ed527c190e339
Link:
https://www.unpac.me/results/b9b02623-3a57-42f6-ab31-48ff61d621b4/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/b9b02623-3a57-42f6-ab31-48ff61d621b4/
SH256 hash:
cdd0ccc69a26b0434dab5ef9daf7ef39f3d1624114c9f4c516a23625417389d3
MD5 hash:
5334d85c51f7fffab05d67b26a3f3b92
SHA1 hash:
da15edfd538c4d811437c99adda73f1fad002820
Link:
https://www.unpac.me/results/b9b02623-3a57-42f6-ab31-48ff61d621b4/
SH256 hash:
d675b6cd32c5549826884041cf1a318af9110d0587dd845bb8c952854411670c
MD5 hash:
fcd70d5ed52399df3a1a80417b2155c4
SHA1 hash:
7e44f38c372a00c887d0dbbccfa8c04a733311dd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b9b02623-3a57-42f6-ab31-48ff61d621b4/
Parent samples :
7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a
1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784
c19dda3e71d3e8166c0d106f10eb9fc58036286e50c0cd31dd4efd8a1bc82e7e
6eb2ce986b19563b33a0c241aa33feb4e12ad3427ee3dbfb99f530dba3d8dea7
be68a437bfdced2711715965531cd0951f433f2c689b09bf265fc6e1b9c1c8e8
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 55e112824b2b5ab36c8bee4b5653f0a08403e1daf0e32211e5436fd5545a6bda

Formbook

Executable exe 1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784

(this sample)

  
Dropped by
MD5 26042ee1d98ebd0a692b5fd798e800b9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69415/
  
Dropped by
SHA256 55e112824b2b5ab36c8bee4b5653f0a08403e1daf0e32211e5436fd5545a6bda

Comments