MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1
SHA3-384 hash: e23b7bf7953c170cb26da6d1f7fbbf4c48a8e34d318f7b24e8431c3ff94e844abd9573ef4931f9cb77af503d1a5fa87e
SHA1 hash: 0a5a29bda14a377670f46bef0b0b19b0932f1725
MD5 hash: c1a4184330883969594d7e630ebb7128
humanhash: bulldog-magazine-gee-virginia
File name:invoice.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:496'640 bytes
First seen:2020-10-20 08:35:28 UTC
Last seen:2020-10-26 06:17:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:V61LQg7LaLVNzI3SMkJx5+eBfajW9A1GKZHNYPzodfvW:V61UEapBIC9JxliGA1GUKzod
Threatray 2'573 similar samples on MalwareBazaar
TLSH 3BB4024011AA6B33E2BE1BF6201C550D83F2544EB7E7EB681EE633E95591F804F68E53
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: iap-india.com
Sending IP: 103.125.191.170
From: karthika.p@iap-india.com
Subject: RE: Export order-Transit permit application
Attachment: invoice.r15 (contains "invoice.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73367/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497333
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300859 Sample: invoice.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected AntiVM_3 2->44 46 7 other signatures 2->46 10 invoice.exe 3 2->10         started        process3 file4 32 C:\Users\user\AppData\...\invoice.exe.log, ASCII 10->32 dropped 56 Writes to foreign memory regions 10->56 58 Allocates memory in foreign processes 10->58 60 Injects a PE file into a foreign processes 10->60 14 RegSvcs.exe 10->14         started        17 RegSvcs.exe 10->17         started        19 RegSvcs.exe 10->19         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 21 explorer.exe 14->21 injected 70 Tries to detect virtualization through RDTSC time measurements 17->70 process8 dnsIp9 34 free-virtual-sex18.online 184.168.131.241, 49796, 80 AS-26496-GO-DADDY-COM-LLCUS United States 21->34 36 www.free-virtual-sex18.online 21->36 38 2 other IPs or domains 21->38 48 System process connects to network (likely due to code injection or exploit) 21->48 25 cscript.exe 21->25         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 25->50 52 Maps a DLL or memory area into another process 25->52 54 Tries to detect virtualization through RDTSC time measurements 25->54 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1/
Threat name:
ByteCode-MSIL.Trojan.Agentesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 02:22:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fir2vlu66p2i66do3h237du357ivvkwyxzz4fjel6rvocthicgyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10
Formbook
2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
Formbook
41e247af1c9e83534cd1a251b618432759435c3f9c9dfd2c8760f712a6ccc5a4
Formbook
62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28
Formbook
691e25f141a0389dec22a7f9027a57ff7242cd2918f525e3c22e81c863f803c9
Formbook
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
Formbook
82b0bf0df7b8987197d19071dfda32b037ee3251291b08f6d979749635784e89
Formbook
e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968
Formbook
eecabbdec29294f055c109660c94db3de0ce9187461ea6f18639cf9c34883e70
Formbook
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
Formbook
+ 2'563 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201020-ww4fycc3za/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.richardgraycabinetmaker.com/cmd/
Unpacked files
SH256 hash:
2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1
MD5 hash:
c1a4184330883969594d7e630ebb7128
SHA1 hash:
0a5a29bda14a377670f46bef0b0b19b0932f1725
Link:
https://www.unpac.me/results/8b97e0d1-baff-4315-8a71-3752c763d343/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/8b97e0d1-baff-4315-8a71-3752c763d343/
SH256 hash:
0a22884b27f9eeeaef6a579063f8a5197d1382b5e047ace969c7c323a8fe4a53
MD5 hash:
fab1a6691431f899d46376e7fb7ae987
SHA1 hash:
9d765583607de2bef63467a4b18d48b6a3e2cca2
Link:
https://www.unpac.me/results/8b97e0d1-baff-4315-8a71-3752c763d343/
SH256 hash:
eb67b9a1d91528f03444c7e3b97dd396cc54f83b10ce7e118832a352a9ac0daf
MD5 hash:
c4b32d6cb53557c30f7f364d3126b7c6
SHA1 hash:
2f9a87f3d83136986f94e03da74cd01bf20ceb7f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8b97e0d1-baff-4315-8a71-3752c763d343/
Parent samples :
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28
2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 67705cae6acdf22d60d4c3d93fac2daef667732a53982bd02fa8cb410df2c718

Formbook

Executable exe 2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1

(this sample)

  
Dropped by
MD5 b013610cb09b8e2cfe02e031b6b82bf2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73367/
  
Dropped by
SHA256 67705cae6acdf22d60d4c3d93fac2daef667732a53982bd02fa8cb410df2c718

Comments