MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f
SHA3-384 hash: 89dbfc5a6ba003e7b6462151eca439b005cbd3766e62c481f8e2595cfe53a3ba5f94e5e6b314c1a886de933d8ae5343c
SHA1 hash: 126186598f7f29e5920a567ed7949fc809895c5a
MD5 hash: dc836048a380521996a009129d1a8926
humanhash: papa-wolfram-comet-five
File name:Agolives.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:883'712 bytes
First seen:2020-10-26 14:51:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:AmFwKsZxpT5yr7YGmJO8i1JctEk3NhlEM:ejHGBfcJ3NhlEM
Threatray 2'762 similar samples on MalwareBazaar
TLSH 1515AE463950C542F365623BC59AC2588BF0AF105997D322F8FF329B1E73B6AF8019E5
Reporter abuse_ch
Tags:ESP exe FormBook geo Hostwinds


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: client-108-174-203-66.hostwindsdns.com
Sending IP: 108.174.203.66
From: eduardo camacho <info@agolives.com>
Reply-To: engineering@engineer.com
Subject: Agolives / Solicitud de presupuesto
Attachment: Agolives.zip (contains "Agolives.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79232/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/512080
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305240 Sample: Agolives.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 6 other signatures 2->41 10 Agolives.exe 4 2->10         started        process3 signatures4 49 Tries to detect virtualization through RDTSC time measurements 10->49 51 Injects a PE file into a foreign processes 10->51 13 Agolives.exe 10->13         started        process5 signatures6 53 Modifies the context of a thread in another process (thread injection) 13->53 55 Maps a DLL or memory area into another process 13->55 57 Sample uses process hollowing technique 13->57 59 Queues an APC in another process (thread injection) 13->59 16 explorer.exe 13->16 injected process7 dnsIp8 27 seniorngr.com 198.54.115.31, 49732, 80 NAMECHEAP-NETUS United States 16->27 29 korsovet.com 34.102.136.180, 49740, 80 GOOGLEUS United States 16->29 31 5 other IPs or domains 16->31 33 System process connects to network (likely due to code injection or exploit) 16->33 20 wscript.exe 16->20         started        signatures9 process10 signatures11 43 Modifies the context of a thread in another process (thread injection) 20->43 45 Maps a DLL or memory area into another process 20->45 47 Tries to detect virtualization through RDTSC time measurements 20->47 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 08:16:27 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5d6hwibtalr6efls46tfygl6h3hsfeigli5cctozgndicykgb7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0492389f51ea478d6b922d2e41b7f8bf54c7231ed062bae93b8ede289926db7f
Formbook
2bafe7b4f77916d7ca905d9d46453d27e090b85ba065f4892a886abdc8e51863
Formbook
60831f31acc48a952e24869954c79277d27eeddb14c10d76d0a3b6e61a8e343d
Formbook
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
Formbook
97699d9ff91d55ce4a2088d750783a4838a34e99399b3a4501b35c46d8797f08
Formbook
ab2d651176cc27c6b41e7d6bdb060c328d66e68c4fb8df1b2c0a217187b2c15d
Formbook
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
Formbook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
Formbook
d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879
Formbook
e85f434810652692f3e0a0738d9156899afcbd2bed42a6f328f0092d72a1db34
Formbook
+ 2'752 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201026-9ersp6marn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.goldenlinkpowerdeals.com/esp5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip ab12101dc8596903186c9246dd2ed6306ee61c611a51b20ae7aa673e7824af5b

Formbook

Executable exe 4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f

(this sample)

  
Dropped by
MD5 40ae5dc390d7640f1f9ab44422411ab4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ab12101dc8596903186c9246dd2ed6306ee61c611a51b20ae7aa673e7824af5b
Cape
Cape
https://www.capesandbox.com/analysis/79232/

Comments