MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
SHA3-384 hash: 1610ede1bcfc83f8a1520d4adb8d365819e88c0a77e3bb254b9d7cdcc4a647722087fbadf97234621e2225dd6cb43ba5
SHA1 hash: 0123853e7960cdae4f3ad95945b4ec86adbb93c6
MD5 hash: 025544a9014cf1667e8a1d4ff68da253
humanhash: zulu-burger-carpet-double
File name:PT300975-inv.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:559'616 bytes
First seen:2020-11-26 06:40:33 UTC
Last seen:2020-11-26 08:42:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:3cMR5P4uE1KMtqm/0XWJYoukAlD0o2c3zZOaoRzkZRjdnLor7/7Sr9sTFaOxSxyy:3n5PqttqmMGJYvlxzgaoG3dnG7SeG2+
Threatray 3'048 similar samples on MalwareBazaar
TLSH F0C46B1777864A98C460F1B702F9EED2737AF9C73651871E220AD6649A832CB3F0D749
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: ton
Sending IP: 103.225.25.4
From: Jennifer <sales3@aalights.com>
Reply-To: sales3@aalightts.com
Subject: FW: All Outstanding Cleared
Attachment: PT300975-inv.xls.z (contains "PT300975-inv.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/547850
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 323028 Sample: PT300975-inv.exe Startdate: 26/11/2020 Architecture: WINDOWS Score: 100 31 g.msn.com 2->31 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected FormBook 2->43 45 4 other signatures 2->45 11 PT300975-inv.exe 1 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\PT300975-inv.exe.log, ASCII 11->29 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->55 15 mscorsvw.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 2 other signatures 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.asacal.com 156.241.53.196, 49755, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 18->33 35 www.solidconstruct.site 198.54.117.244, 49750, 80 NAMECHEAP-NETUS United States 18->35 37 3 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 ipconfig.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469/
Threat name:
ByteCode-MSIL.Spyware.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 06:41:07 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbml7s4trcyfaso7ivcz5zql7fv6bmgxli56gthtyahvp3e7iruq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e63da56ac2a690976edd3e5b6224486f805c88f17d954bb462eed825c3c2fc4
Formbook
1953a98a6aa1400610bfcfb7cf84cd7bc5309865d9d6a40030f95662782d916e
Formbook
29562212d731f51f5773e7996530971ccecfe84d6116bcbdbb3e41e6a2054b9a
Formbook
4368bd3df923b59ec3239a36cfd6cbd4c8aa568ebfaec16433e0a464d368f362
Formbook
5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
Formbook
61e2669d1d6be1a20f73da4171233966f8903fa41113364c66d747c8d1e7a39a
Formbook
aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0
Formbook
ad644da69f848609475d2a3d773eadf646d4c1e1cb20e4b87422d224e2ccbe32
Formbook
b35bd4c70b7e7b6ef3a3a0b1196720b542e78137476b52380b352af1633432b2
Formbook
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
Formbook
+ 3'038 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201126-xfscpr8hq2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://www.registeredagentfirm.com/jqc/
Unpacked files
SH256 hash:
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
MD5 hash:
025544a9014cf1667e8a1d4ff68da253
SHA1 hash:
0123853e7960cdae4f3ad95945b4ec86adbb93c6
Link:
https://www.unpac.me/results/0275b9f3-2f27-4111-8b90-bbe4f84d955e/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/0275b9f3-2f27-4111-8b90-bbe4f84d955e/
SH256 hash:
46d3802acb6c708fcba3fa7b0432b362a06220c078e4a16c89b248022d753e72
MD5 hash:
2706c4174f7f3794cf3428823e8e452b
SHA1 hash:
9f135a396459c2ef6b501fd6a0ad66d683da7e24
Link:
https://www.unpac.me/results/0275b9f3-2f27-4111-8b90-bbe4f84d955e/
SH256 hash:
f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash:
b1c72a8e99542c64507470535686ddd9
SHA1 hash:
fe3bec4b6e2b7091db68705feb59090c24c8b6ed
Link:
https://www.unpac.me/results/0275b9f3-2f27-4111-8b90-bbe4f84d955e/
SH256 hash:
d8dad4f2876c2fbf8cc4e826910b4cf5975bad5c053aa0c5746eb692c4765737
MD5 hash:
b8342f3982ebd8a24144daa6b5e0df8a
SHA1 hash:
d284aabefad8efe52cabcbb475d14e184c49c15b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0275b9f3-2f27-4111-8b90-bbe4f84d955e/
Parent samples :
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558
d69b7f8a3a50e7357a74fb671743c58b8db46f3f5cc6b191ba636eb33a161672
d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

z 0543e932e240ef324e36619739038d15cd3c3a31df9b3ca3222f5120cafe40bd

Formbook

Executable exe 2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469

(this sample)

  
Dropped by
MD5 f75b3a05ea74e22b560604be700318a8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0543e932e240ef324e36619739038d15cd3c3a31df9b3ca3222f5120cafe40bd
Cape
Cape
https://www.capesandbox.com/analysis/105592/

Comments