MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559
SHA3-384 hash: 8b62c10b8295b71d37208e05dd103ff68a74b5a7deb0375860e6530bbf5060e0b1c7834d0d6e581fe8602404b1c70755
SHA1 hash: ef4c720fad334058a87eb453dc89e3db2d63c530
MD5 hash: c6418cfef98a2ba2eec3f998e35faf7d
humanhash: wolfram-cat-oscar-monkey
File name:H4A2-423-EM152-010.TIF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:547'840 bytes
First seen:2020-11-07 10:06:11 UTC
Last seen:2020-11-13 15:52:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:vJJ1pJXniuDLqp97Yn8HlOjwcSTJnUMiJPgC0zG6tBwV2i:vJJ1pZiuDLqps8FywvuHJPgZzTtBJi
Threatray 2'879 similar samples on MalwareBazaar
TLSH C9C4F1780BDC8D89D63E6374D520111483B0F4037A13EF1EE9ADA47C2DA77C2DAE6666
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail-smail-vm50.hanmail.net
Sending IP: 203.133.180.238
From: 권성록 <dy5648@daum.net>
Subject: 견적문의 드립니다.(권성록 입니다.)
Attachment: H4A2-423-EM152-010.TIF_xls.ace (contains "H4A2-423-EM152-010.TIF.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.29472.20675.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523732
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310961 Sample: H4A2-423-EM152-010.TIF.exe Startdate: 07/11/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected AntiVM_3 2->40 42 4 other signatures 2->42 10 H4A2-423-EM152-010.TIF.exe 3 2->10         started        process3 file4 28 C:\Users\...\H4A2-423-EM152-010.TIF.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 H4A2-423-EM152-010.TIF.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.smobz.com 91.195.240.13, 49773, 80 SEDO-ASDE Germany 17->30 32 www.seekinward.com 66.96.162.146, 49776, 80 BIZLAND-SDUS United States 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 help.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 03:32:52 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idrqf7f4lexg7bc56ottd4zajqycn26jfhjjb53uo6cxutomwvmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10
Formbook
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
Formbook
37be898f8c2b0f9dfc4663070ae1ac1fd0f4edc08760d5c40fb18c7353f7f476
Formbook
5c1d2289de5b338620bb43ede89d6d7afcf86cc4d2b20db3a3f20e5579e925fe
Formbook
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
Formbook
87d8ef6a4c6bf661d7957a62b9e8e9ea6627f80227f9ea88502bf601b94a960e
Formbook
b3420cc90cce972045db0377a5c383ce049652650946b0c84f27280a7dbd1e38
Formbook
bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449
Formbook
d11ae1d5e09d63aa386479af620faf3b9053d12e6d3a8a1353aba274fef2153e
Formbook
e38e6ac839b8009c1c6d467ed4206f912c39a15af7a1fa7ba4a2a854e441fe50
Formbook
+ 2'869 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201107-fk6a9vnfca/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.accionfotos.com/ukj/
Unpacked files
SH256 hash:
40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559
MD5 hash:
c6418cfef98a2ba2eec3f998e35faf7d
SHA1 hash:
ef4c720fad334058a87eb453dc89e3db2d63c530
Link:
https://www.unpac.me/results/93d91be6-bb12-47d8-9a6f-87a5a79e6ffc/
SH256 hash:
f05164c6a8daffb3b61aa72d24738d2b8b2f39af13cd7c4a5fbd9f96bf6bbfcd
MD5 hash:
6c55ed392314cf83893db343bbf7614c
SHA1 hash:
8ce2ab2ac2fb0287d1210d8a15418eb4e7a5477a
Link:
https://www.unpac.me/results/93d91be6-bb12-47d8-9a6f-87a5a79e6ffc/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/93d91be6-bb12-47d8-9a6f-87a5a79e6ffc/
SH256 hash:
9322fa5d0e259ff6a02fd666319d4e734e30b7066f0494a8390f54b2acf2cdd6
MD5 hash:
1e1608d4e7e9aefa3631fdf48b0be10e
SHA1 hash:
ffc6cc6953d8a2d6e1184f6490292a201c2bb254
Link:
https://www.unpac.me/results/93d91be6-bb12-47d8-9a6f-87a5a79e6ffc/
SH256 hash:
4164f6659ed07c2da64b9c7e619cca31a0342267ad6427a131972809117169da
MD5 hash:
c5c92a39f5f3df155cc00d352750979a
SHA1 hash:
4768e47cb129c16c1f90293778d7efc4afc50c84
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/93d91be6-bb12-47d8-9a6f-87a5a79e6ffc/
Parent samples :
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT32_KerrDown
Create hunting rule
Rule name:Embedded_PE
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

ace 1626cec50a32f38f60295b8455ceb3ac7ff0dcac5bda6593e9685039ac54fbfc

Formbook

Executable exe 40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559

(this sample)

  
Dropped by
MD5 8b4d10da155a97ed0f529846e48160d7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1626cec50a32f38f60295b8455ceb3ac7ff0dcac5bda6593e9685039ac54fbfc

Comments