MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20000a9d0078fa18b60d9ad52d36b4f5dfa77d2f74866e8793ee0085ab0c9964. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20000a9d0078fa18b60d9ad52d36b4f5dfa77d2f74866e8793ee0085ab0c9964
SHA3-384 hash: ff0e32bef5f00195bced505316e050a28012e450daf328960b7d3a0a4db00384cc6362dfc9fcd735690ad945529760c4
SHA1 hash: c5b31d3d22f2d5ba063321148b0d8ab40d93bab4
MD5 hash: 7ff57c60b0cf3479a387050c72f4bde9
humanhash: crazy-pennsylvania-delaware-ohio
File name:Profoma_Invoice_SWD173647_3vey_REfR-32JdhY_PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:520'192 bytes
First seen:2020-08-11 14:11:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:RsU8pdZhXZb2uUPqxLf1N3jscEzoMzsGhbitqQS/gVs:adJfCqxjEZsM4gvrf
Threatray 6'023 similar samples on MalwareBazaar
TLSH 5AB4E025B6A5CC00C3AA6537CADF8114037EBC4A7573DA1E3B9B336D24217B65B066CE
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: synergynorth.com
Sending IP: 111.90.138.173
From: msmit@synergynorth.com
Subject: RE: 45264-61M00 見積り依頼の件 // Bank Account for Payment //Process Control Standard (45264-61M00 Request for quotation // Bank Account for Payment //Process Control Standard
Attachment: Proforma_Invoice_SWD173647_3vey_REfR-32JdhY.pdf.zip (contains "Profoma_Invoice_SWD173647_3vey_REfR-32JdhY_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43497/
Detection(s):
SecuriteInfo.com.Fareit-FYE7FF57C60B0CF.23231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/419240
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20000a9d0078fa18b60d9ad52d36b4f5dfa77d2f74866e8793ee0085ab0c9964/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 14:13:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eaaavhiapd5brnqntlks2nvu6xp2o7jposdg5b4t5yailkymtfsa._file
Verdict:
malicious
Similar samples:
0e9f18832b1738b5db30853fc3732e4a083722f7d99db5e62c8dc3d42e5cae70
Formbook
19a180b5e3696a27292810125957efca24a09e7743d951e5386bd69daaca8dfe
Formbook
464ffb9a16b269537c0b4475ebe897cc2bb1e0e8d35b0da24aaf21d677a5bf02
Formbook
722521ac19cd30a318eb191975eecadb389fe26c681d76f1c5da92dc8fabac4f
Formbook
b7b3c77cfcc62bd27b6563b6922f6fe74a04cd2bf5e524cec6d583bfc778730b
Formbook
b7b8c2b1de957151098bf5806ac0b4a90eeb9f61dd211176072b3b3ba21c23cc
Formbook
c6f41cff35e8e1e72217e9f5c8d32a6fff30bd878b854acf357f61c02b6f603e
Formbook
daccbb51605d68967e4b1d5ec147fc9a2d8e29d0970cc518e579a83397b1082b
Formbook
f1c317dfe16f1857fe9df96ce966a07d3ca86680c39ae8e892277b78995cceb3
Formbook
f7f3acea6b67e6b5db697777ab0bd656febfe648e4d79519010ba805e329fdc0
Formbook
+ 6'013 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200811-ddfqtrz35x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flekcht.com/f4m/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20000a9d0078fa18b60d9ad52d36b4f5dfa77d2f74866e8793ee0085ab0c9964

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 76f741f34e046d7ee29880a7ed26c404d9a6edf11e9f37ff76afe8be751df3a2

Formbook

Executable exe 20000a9d0078fa18b60d9ad52d36b4f5dfa77d2f74866e8793ee0085ab0c9964

(this sample)

  
Dropped by
MD5 83711630ebe5669774b448661df2af0e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/43497/
  
Dropped by
SHA256 76f741f34e046d7ee29880a7ed26c404d9a6edf11e9f37ff76afe8be751df3a2

Comments