MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f3a78fa36bc0741a38e82e73ea0a214ef806c0d968c70b99aa71c73864be656. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f3a78fa36bc0741a38e82e73ea0a214ef806c0d968c70b99aa71c73864be656
SHA3-384 hash: cb12f27f099c1d640c60dfe11d9acfb4756add59f49d5e5d053e8246fb5377da1f51c6a6886ade07b364d7349ae4a28c
SHA1 hash: d2e3539033e217faa8fa123d2f444eb47ce9c476
MD5 hash: 451347fc2142b7f84e5cf3e2bca618d8
humanhash: johnny-hydrogen-texas-dakota
File name:IMAGE-04082020.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:435'200 bytes
First seen:2020-08-04 13:36:37 UTC
Last seen:2020-08-04 15:22:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:RR29grlqTGODDOuq7I1cXfh1aHYYZzwBUn9CwCJz5i2EEoVhv+s:RtEDOa1cXf3aHvZ0BUn3CJz5i+oVhvR
Threatray 5'195 similar samples on MalwareBazaar
TLSH D5942A283A17CE72FDEE0B7D80CB0D144FA71A05516DF64F14AD11D2B8ABB854926F8B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: www210b.sakura.ne.jp
Sending IP: 219.94.155.70
From: Anthony <anthony@unitedllc.com>
Subject: RE: Tucker lane
Attachment: IMAGE-04082020.IMG (contains "IMAGE-04082020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38741/
Detection(s):
SecuriteInfo.com.generic.ml.30491.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/409520
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257041 Sample: IMAGE-04082020.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 34 www.revere.world 2->34 36 www.mage-cart.info 2->36 38 ext-sq.squarespace.com 2->38 56 Malicious sample detected (through community Yara rule) 2->56 58 Yara detected FormBook 2->58 60 .NET source code contains method to dynamically call methods (often used by packers) 2->60 62 3 other signatures 2->62 11 IMAGE-04082020.exe 15 3 2->11         started        signatures3 process4 dnsIp5 46 satocchi.org 160.16.143.29, 49740, 80 SAKURA-BSAKURAInternetIncJP Japan 11->46 32 C:\Users\user\...\IMAGE-04082020.exe.log, ASCII 11->32 dropped 74 Tries to detect virtualization through RDTSC time measurements 11->74 16 IMAGE-04082020.exe 11->16         started        19 IMAGE-04082020.exe 11->19         started        file6 signatures7 process8 signatures9 48 Modifies the context of a thread in another process (thread injection) 16->48 50 Maps a DLL or memory area into another process 16->50 52 Sample uses process hollowing technique 16->52 54 Queues an APC in another process (thread injection) 16->54 21 explorer.exe 16->21 injected process10 dnsIp11 40 www.ym68888.com 21->40 42 www.ppl-ubdate-info.com 21->42 44 2 other IPs or domains 21->44 64 System process connects to network (likely due to code injection or exploit) 21->64 25 msdt.exe 1 21->25         started        signatures12 process13 signatures14 66 Tries to steal Mail credentials (via file access) 25->66 68 Modifies the context of a thread in another process (thread injection) 25->68 70 Maps a DLL or memory area into another process 25->70 72 Tries to detect virtualization through RDTSC time measurements 25->72 28 cmd.exe 1 25->28         started        process15 process16 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1f3a78fa36bc0741a38e82e73ea0a214ef806c0d968c70b99aa71c73864be656/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 13:38:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d45hr6rwxqdudi4oqltt5ifcctxya3ans2ghbom2u4ohhbsl4zla._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004
Formbook
1b114b7614a73e7b1b75355a4904a7314a91c39ec385a246a67624dfc11b7b8e
Formbook
353bbb86f2947091a4cd8c6e556570654b68b344cd73a3f22409c4b60106ab9c
Formbook
4077e5eeadfc447b88c36f638c37adc77ee35766a737e4a7aca64e61f2ef3d1a
Formbook
4e343d50670d902ec99b2a4079f088249c3b6101d9754f763a77566af82e6f59
Formbook
5422893799866f5a8f2137ae3261caf86479e948715935a096800888f1a5ae88
Formbook
6f0a196952625afc497fc03a952fc59f1dbef32d4ea5248c92f1dc5705da2d63
Formbook
6f196fa55e6b02ee407f238eba897e8ae1a213a45603c526141a0c66f26e8c51
Formbook
b32579e01c28fc0a157f14ce8c679d02fcd1f5c03f8eef56ba6a77a627786d84
Formbook
c12ceb5bc795285eff54b3ef08c9208c67148b5c446e21084677c25bf8c56112
Formbook
+ 5'185 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200804-3bncxbvjdn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/1f3a78fa36bc0741a38e82e73ea0a214ef806c0d968c70b99aa71c73864be656

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img cc09ce738c58e335e037c8ab5ddb856603481dfb798ccf1853a5d4da26227eb1

Formbook

Executable exe 1f3a78fa36bc0741a38e82e73ea0a214ef806c0d968c70b99aa71c73864be656

(this sample)

  
Dropped by
MD5 1705bdfe97fd65237ae7d11d4f31cdd0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38741/
  
Dropped by
SHA256 cc09ce738c58e335e037c8ab5ddb856603481dfb798ccf1853a5d4da26227eb1

Comments