MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b
SHA3-384 hash: 619019214da0fe8bf112b7edf3693fc6852f8644d104bc34b2ba66ffa68e833a21162638ce19a9a1b68b52145b25268a
SHA1 hash: 71ca5cb0737c06dff4c792ed121b2da1feba6c09
MD5 hash: 20e9f72628cc134ed89701d9916554a5
humanhash: illinois-black-blue-mango
File name:DOC_2020101209438759553.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:586'240 bytes
First seen:2020-10-12 06:25:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:wPRllJXgh3ihH5dfq0trCo/Z15rmJuDRTXdPYNeiA2n:gllRfH5QACo/Z15dDRjdI5Nn
Threatray 2'407 similar samples on MalwareBazaar
TLSH D9C4023F22480E17C2BD04F94016221613F5D71A6793FBDA7E9150AC47E2B499B6F3AB
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.inconcertcc.com
Sending IP: 200.40.135.115
From: Jorge Juscamaita <jjuscamaita@inconcertcc.com>
Subject: AW: 21501120100258 - PURCHASE ORDER FOR INVOICE SUBMISSION
Attachment: DOC_2020101209438759553.PDF.img (contains "DOC_2020101209438759553.PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69974/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488064
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 296492 Sample: DOC_2020101209438759553.PDF.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 31 www.weeiter.com 2->31 33 parkingpage.namecheap.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 8 other signatures 2->47 11 DOC_2020101209438759553.PDF.exe 3 2->11         started        signatures3 process4 file5 29 C:\...\DOC_2020101209438759553.PDF.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 DOC_2020101209438759553.PDF.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 35 shops.myshopify.com 23.227.38.64, 49744, 80 CLOUDFLARENETUS Canada 18->35 37 www.henielunicorn.com 18->37 39 2 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 chkdsk.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 03:20:12 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g7whljyju63hgblz636fewz2knuvxxqmus4upircny7mt4dcgcnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10
Formbook
07528f3c583c546d2b444b091c3ede380c6427ed0691b95294c7e32dd35560ab
Formbook
2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
Formbook
4ba0d07d32c048141100317f95bd6dd8b791ba9c6608730b8408530490a13922
Formbook
691e25f141a0389dec22a7f9027a57ff7242cd2918f525e3c22e81c863f803c9
Formbook
d4014ac2689b47f11708425cad3d8aa02dd05ee6d6745006156dffbe0a27b4be
Formbook
da111408d9dccb99b2c429d535ca55f6e970d911da4c24553e75d02fe9c00489
Formbook
db53a27c43dddb419e9d058e6288f3c1e7fc7e4bd62e3bb048e7103dcf79d682
Formbook
f397c24f2c684fdcd51dc9954c641d013437a78e24a5cf8c8778196a66a60372
Formbook
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
Formbook
+ 2'397 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201012-db9394kfya/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Unpacked files
SH256 hash:
37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b
MD5 hash:
20e9f72628cc134ed89701d9916554a5
SHA1 hash:
71ca5cb0737c06dff4c792ed121b2da1feba6c09
Link:
https://www.unpac.me/results/61382b11-e641-4d73-962b-bd72eb0dd504/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/61382b11-e641-4d73-962b-bd72eb0dd504/
SH256 hash:
f7e02d85b68c5358951966e67f66d8c27a514899a39df0dc2a52b1d5c5d324e6
MD5 hash:
921f63c8fc1b1238534b9d86a59ad59b
SHA1 hash:
afd1f672cad024bdd6adf4f716fe9539332a2902
Link:
https://www.unpac.me/results/61382b11-e641-4d73-962b-bd72eb0dd504/
SH256 hash:
3a9bc6f50d9e97bd69a18d73c912a4f4c38454bcfecf0e3268fb2290d5357522
MD5 hash:
e2e31f8296be25ea4d3e9ce6e517aad8
SHA1 hash:
bb6e99dd47883af6a296f26518af8fe599a590a1
Link:
https://www.unpac.me/results/61382b11-e641-4d73-962b-bd72eb0dd504/
SH256 hash:
2d40ab6f1919b17686260de751b43fc3b24934b26408d267d0e4dd996570fb9e
MD5 hash:
b1b298be02d8a9ac1a3b3008a41f6619
SHA1 hash:
a9bc9b0012dee7c0e0268a6bb8c5bb1fbb9d74ea
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/61382b11-e641-4d73-962b-bd72eb0dd504/
Parent samples :
37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b
b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c
bfbf73201037462acf28b231212bc311a923ca797168533c3b4d233686f335ef
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 7ab02a2c4338131e9d596875a7e2a1c062628858c7be77512f948f9053cf68af

Formbook

Executable exe 37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b

(this sample)

  
Dropped by
MD5 ea76286a223f59137f52f10982ff0553
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69974/
  
Dropped by
SHA256 7ab02a2c4338131e9d596875a7e2a1c062628858c7be77512f948f9053cf68af

Comments