MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010
SHA3-384 hash: c2a9feaad44f1d37a169e4cc45ac94a04bdd48c3be8d50945ec363713e7f2e6c6fcda437910cd7dd49b699d9c54cb058
SHA1 hash: e85c960cbea86b04c64e8fce28276f8ba1bac10a
MD5 hash: 550ed38f4abd2bad59a990a0e216cced
humanhash: helium-seventeen-thirteen-cold
File name:requestr list on confirmation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:950'272 bytes
First seen:2020-10-06 06:03:16 UTC
Last seen:2020-10-06 07:22:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:i3+/dSOoCDOB2REImkjP7e7QpTSV6JbJ/WUNAhQb9o7vjp:7JoWOQRym74Vgldumbk
Threatray 2'305 similar samples on MalwareBazaar
TLSH FB15C01596880267F132D078A226D4786BB1DD865A04D2D52EE6DCFFFECFE98F4D0248
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail8.classsnk.com
Sending IP: 128.199.3.178
From: Thomas Enrique <Thomasnrique@mail.com>
Reply-To: Thomasnrique@mail.com
Subject: RE: Requirements
Attachment: requestr list on confirmation.zip (contains "requestr list on confirmation.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68432/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482351
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 293611 Sample: requestr list on confirmation.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 45 www.ajbmxb4jc1.club 2->45 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for dropped file 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 11 other signatures 2->59 8 requestr list on confirmation.exe 1 7 2->8         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\KdQldBP.exe, PE32 8->37 dropped 39 C:\Users\user\...\KdQldBP.exe:Zone.Identifier, ASCII 8->39 dropped 41 C:\Users\user\AppData\Local\...\tmpA2A7.tmp, XML 8->41 dropped 43 C:\...\requestr list on confirmation.exe.log, ASCII 8->43 dropped 63 Disables Windows Defender (via service or powershell) 8->63 65 Injects a PE file into a foreign processes 8->65 12 requestr list on confirmation.exe 8->12         started        15 powershell.exe 24 8->15         started        17 powershell.exe 23 8->17         started        19 14 other processes 8->19 signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 12->67 69 Maps a DLL or memory area into another process 12->69 71 Queues an APC in another process (thread injection) 12->71 21 explorer.exe 12->21 injected 25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 19->31         started        33 conhost.exe 19->33         started        35 10 other processes 19->35 process9 dnsIp10 47 balancer.wixdns.net 35.242.251.130, 49747, 80 GOOGLEUS United States 21->47 49 www.boscoandthebees.com 21->49 51 www28.wixdns.net 21->51 61 System process connects to network (likely due to code injection or exploit) 21->61 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 01:56:28 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=exnhi5fzup2e2hgt2n4l37pib7bpnclkhazb4hlefu64zvhvuaia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9
Formbook
209a9092f39d420c7a9a9af3c8bae1183639ceb8089b5f07eca30db7b66f9fc6
Formbook
2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Formbook
33500d82b580ebcc34521dd70217ba0cf976d4708f6d9d413388aae64317b43d
Formbook
391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61
Formbook
3beb95c4f83e5f7d1af897311a6cd1d8abfb04c656ca73d7f4c8db6ad6e5d150
Formbook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
Formbook
6612e640d15ed26414fc5c288b9bb7050db90517febb11d4b5145fb8d84441b9
Formbook
7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7
Formbook
cedead5dd0528f69da0617580afc0bcb6dd52eb05ad35dc2f24ec45179851e62
Formbook
+ 2'295 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook evasion persistence
Link:
https://tria.ge/reports/201006-gazwqg88yx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Windows security modification
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Adds policy Run key to start application
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Modifies Windows Defender Real-time Protection settings
Malware Config
C2 Extraction:
http://www.mscast03.info/cx0/
Unpacked files
SH256 hash:
25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010
MD5 hash:
550ed38f4abd2bad59a990a0e216cced
SHA1 hash:
e85c960cbea86b04c64e8fce28276f8ba1bac10a
Link:
https://www.unpac.me/results/b7ca7e73-6b4a-4a16-a3ca-405b4dcb80f7/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/b7ca7e73-6b4a-4a16-a3ca-405b4dcb80f7/
SH256 hash:
5167473ad9797e0cda69a02f167e3e6bee187de333bd36678b580a548eebbfa2
MD5 hash:
5f22b18b6333173509718fad85b327fe
SHA1 hash:
82a1fa987251905a7c6d4b9e4f5b0d235446fb34
Link:
https://www.unpac.me/results/b7ca7e73-6b4a-4a16-a3ca-405b4dcb80f7/
SH256 hash:
4b34417ee6971a50bc66b8351feba55eae33fd5cb8ef08a11652527ed1dca00b
MD5 hash:
015c00dbb8159c56f521f74f40280b33
SHA1 hash:
a827eed30ca6462303627c5aa63f8155d35b6bc8
Link:
https://www.unpac.me/results/b7ca7e73-6b4a-4a16-a3ca-405b4dcb80f7/
SH256 hash:
5b3187cab1bcfdc847b20d3d07c93da63725524dca746e9360bbfa6cf74170ba
MD5 hash:
06e0a11653b9c898b692417b69e0bd9c
SHA1 hash:
9c797257b1b38e71d0a13467c1647754bb70dcc7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b7ca7e73-6b4a-4a16-a3ca-405b4dcb80f7/
Parent samples :
391f96154aa7c7d4f4616e3746a3a533652f64419f711c8510c99e01ffa78c61
0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9
25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Starter
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 56b109510af7033d4e4570add15746f418ffaa626d0a9964a7343503ed9a2803

Formbook

Executable exe 25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010

(this sample)

  
Dropped by
MD5 986effa99b92e61de64796aed3053d5b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 56b109510af7033d4e4570add15746f418ffaa626d0a9964a7343503ed9a2803
Cape
Cape
https://www.capesandbox.com/analysis/68432/

Comments