MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d7664dcebcb7d20b25a6890a6697a2a293239ea13f00695722d1dce023c8cb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d7664dcebcb7d20b25a6890a6697a2a293239ea13f00695722d1dce023c8cb6
SHA3-384 hash: 5a015203d05efeb97a3d8952ea8fc0d0503247703713cb2716104925ab1bd3b95f8f1c3715431596934d7980a6af5eba
SHA1 hash: 8f0c993b0811b5104d997073e4a5b5f60e6bcfee
MD5 hash: 4485dabf21caf6a0a865814f9cfc8b5d
humanhash: missouri-mobile-red-mexico
File name:AWB#788898766.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:443'392 bytes
First seen:2020-08-31 10:48:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:/TdsFk8HGudCSSmyKDpMQpeAhVTxWjuexUDiDC60hp7o6T+oNZqF4:LdsFJGuMKDpMQMjuex
Threatray 2'244 similar samples on MalwareBazaar
TLSH 7C94121119ACCF77CAF60BF5490C3E6CC3B095EB586CCBD90CA5B2A356A63D58B17902
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: pronance.in
Sending IP: 37.48.85.224
From: DHL SERVICEi <ibrboiler@pronance.in>
Subject: AWB#5563164600
Attachment: AWB788898766.pdf.rar (contains "AWB#788898766.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53414/
Detection(s):
SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455272
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 280012 Sample: AWB#788898766.pdf.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 10 AWB#788898766.pdf.exe 1 2->10         started        process3 file4 31 C:\Users\user\...\AWB#788898766.pdf.exe.log, ASCII 10->31 dropped 59 Tries to detect virtualization through RDTSC time measurements 10->59 14 AWB#788898766.pdf.exe 10->14         started        17 AWB#788898766.pdf.exe 10->17         started        signatures5 process6 signatures7 61 Modifies the context of a thread in another process (thread injection) 14->61 63 Maps a DLL or memory area into another process 14->63 65 Sample uses process hollowing technique 14->65 67 Queues an APC in another process (thread injection) 14->67 19 explorer.exe 1 14->19 injected process8 dnsIp9 33 www.carolmillercongress.com 154.205.27.166, 49747, 49748, 80 XHOSTSERVERUS Seychelles 19->33 35 www.mg-new2.info 63.250.45.175, 80 NAMECHEAP-NETUS United States 19->35 37 7 other IPs or domains 19->37 49 System process connects to network (likely due to code injection or exploit) 19->49 23 cmd.exe 1 12 19->23         started        signatures10 process11 dnsIp12 39 www.mg-new2.info 23->39 51 Tries to steal Mail credentials (via file access) 23->51 53 Tries to harvest and steal browser information (history, passwords, etc) 23->53 55 Modifies the context of a thread in another process (thread injection) 23->55 57 2 other signatures 23->57 27 cmd.exe 1 23->27         started        signatures13 process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3d7664dcebcb7d20b25a6890a6697a2a293239ea13f00695722d1dce023c8cb6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 04:56:17 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hv3gjxhlzn6sbms2ncikm2l2fiuteopkcpyanflsfuo44ar4rs3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07d25d248e939d11d9b876a411858dc7b6c3e110e8ab0d9a0095792c3a8b2058
Formbook
0e1253abec933b14f592f8ab6fcfaeba8fb3b9d24f9ef2a7021345d2fc738b3f
Formbook
353bbb86f2947091a4cd8c6e556570654b68b344cd73a3f22409c4b60106ab9c
Formbook
4e343d50670d902ec99b2a4079f088249c3b6101d9754f763a77566af82e6f59
Formbook
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
Formbook
b2d8df96514495cb6b3fe66a6d61e70b8b6e92426910db93f7ae521be4fd2762
Formbook
b32579e01c28fc0a157f14ce8c679d02fcd1f5c03f8eef56ba6a77a627786d84
Formbook
c940837494435b53d54b6b4349031a14bf5db905a22b7601e34deb851b109715
Formbook
d9ba192982200a73ca54ce3c9f10c43a185e0d99864eee685bc7ba70c311110a
Formbook
e86665f5f4cb843757815bce9f8311678c1bc32cdc6537ccc3aedc4502dca4a8
Formbook
+ 2'234 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200831-6wp4hv96je/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mg-new2.info/etb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d7664dcebcb7d20b25a6890a6697a2a293239ea13f00695722d1dce023c8cb6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar edbf1a3a4bf12dcd40d3c90ab714f0a1374b58370eb37cd85b6c654c336afad8

Formbook

Executable exe 3d7664dcebcb7d20b25a6890a6697a2a293239ea13f00695722d1dce023c8cb6

(this sample)

  
Dropped by
MD5 d08ecf76f8cbf6a875cd5640f307fd3c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53414/
  
Dropped by
SHA256 edbf1a3a4bf12dcd40d3c90ab714f0a1374b58370eb37cd85b6c654c336afad8

Comments