MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a8615b0a48f00fdd2165af779fedfb65af589ba9da79f6247ae5ea515e859d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a8615b0a48f00fdd2165af779fedfb65af589ba9da79f6247ae5ea515e859d1
SHA3-384 hash: c85125879d776063ef87de99a9815219d9ff2f0af9585d3aa6fadc9623946f5caa14a04c77b2b5962978771858fa2863
SHA1 hash: 19c395b59fb71f0724461e8eee24d29419504b1a
MD5 hash: 6bde8952b067065e91dc1bd6b61a886e
humanhash: three-may-hawaii-island
File name:FC 21565 Project Specification_PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'513'472 bytes
First seen:2020-11-07 10:19:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:Iu6Jx3O0c+JY5UZ+XC0kGso/Wa7C2cYo3wdnJkfLquM1r4mCpvIHgowWY:iI0c++OCvkGsUWa72mkDMOZvQY
Threatray 3'754 similar samples on MalwareBazaar
TLSH 9865D02273DEC360CB669173BF69B7016EBB7C210630B95B2F980D7DA960172162D763
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.leainterhotel.com
Sending IP: 185.200.242.182
From: Yasir Khan <info@europe.pall.com>
Reply-To: quotation@europe.pall.com
Subject: FC-21565 - SEPCO / ARAMCO & ENI MGS-I / BGCS 3 & 5 - RFQ PROJECT (OPEN QUOTE) // Quote # 2140-PSI-NOV-Rev 0 -2020
Attachment: FC 21565 Project Specification_PDF.7z (contains "FC 21565 Project Specification_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-87.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader16.22980.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523772
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a8615b0a48f00fdd2165af779fedfb65af589ba9da79f6247ae5ea515e859d1/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-01-08 21:10:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fkdblmfer4ap3uqwll3xt7w7wznplcn2twtz6yshvzpkkfpilhiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
26cb425375a7613736c367866d0b79b8b7d8845437ec88e87bc83146445f892e
Formbook
39084137359a20b1df1063f78af9d673aefb3aaedab4d070be247c9eb5ca9e71
Formbook
40ac8e128b78d30d49accda865a6ca90a23cf7b7e5f31042c7df55a9fe1b5af4
Formbook
68f2a110051b7b0567023993940a355ffa07dfb1c5810ce8648e042f69ca3816
Formbook
a21bb22d76ef8b9d5f73709b706b9a8e1c359a523bebd813e6c50259b4dc61ce
Formbook
b29a1b48648aacf2fe60861692bd0991cf226956ea986b687972667496e1d7d7
Formbook
b3d36e86a478b5223968e34ca51bff54002eb9b1a01ef26d8b657d49dd4dd831
Formbook
d6031bb15fd16cac9b514985035e18f08f0beaaa0542a66274467cb66e76a8fd
Formbook
e2d6b8bc603260f1a7564a044523d230c31c8d873deabb579cae90b88f1b92b9
Formbook
e8ed39c9f50127f70493dedaadbd4e786c31ca7cb61f86bfc74a0d85b6a55101
Formbook
+ 3'744 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201107-7wvsvxfmhx/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mizorl.com/ww/
Unpacked files
SH256 hash:
2a8615b0a48f00fdd2165af779fedfb65af589ba9da79f6247ae5ea515e859d1
MD5 hash:
6bde8952b067065e91dc1bd6b61a886e
SHA1 hash:
19c395b59fb71f0724461e8eee24d29419504b1a
Link:
https://www.unpac.me/results/38f80a63-5683-447c-b168-cc554de5f673/
SH256 hash:
363157b0dcbb90fa0bff430e730ad816c846e37ea5f81627f34ac8edb6aa92b5
MD5 hash:
0745139fef25e3e3e78260f1787a3de5
SHA1 hash:
028a23dce46effefc73245759a25f529478bbc9f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/38f80a63-5683-447c-b168-cc554de5f673/
Parent samples :
2a8615b0a48f00fdd2165af779fedfb65af589ba9da79f6247ae5ea515e859d1
4ca5615303fbf757380be438a8742de1ffeeecd253d57203eeffc420a8129ed0
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 9331a38f43ec6aaab6befc765608cccdacce805fe0ac8439bc880211caf868e2

Formbook

Executable exe 2a8615b0a48f00fdd2165af779fedfb65af589ba9da79f6247ae5ea515e859d1

(this sample)

  
Dropped by
MD5 3d879819c7c76cea16e69ae2bb0376bd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9331a38f43ec6aaab6befc765608cccdacce805fe0ac8439bc880211caf868e2

Comments