MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
SHA3-384 hash: f4a6b4dcf0ae22a90e99416a9298929c655527c6e7fc4dbff91b33ec2bb96faae756379b1ced3eeccf681a3851412524
SHA1 hash: cb4148ef01a33b611153e2902a00b6ae37323623
MD5 hash: fced333c24d2d16b23ba539367abadc8
humanhash: table-pluto-twelve-river
File name:PAYMENT COPY.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:499'200 bytes
First seen:2020-10-23 08:52:12 UTC
Last seen:2020-10-24 13:31:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Mtqokz3krexzX+sNGSTnLtm4epr/oprHZ4Fhcez5cuqsm:oqoykrfiGSTnItQZ4jevD
Threatray 2'636 similar samples on MalwareBazaar
TLSH 43B4292DF745DF71F42B39704403D0F60011FDD1AE62A29B3BD23FAFA9B16890999A46
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: ibd.net.bd
Sending IP: 37.48.85.241
From: Accounts<faisal@ibd.net.bd>
Reply-To: joame@vivaldi.net
Subject: PAYMENT COPY
Attachment: PAYMENT COPY.rar (contains "PAYMENT COPY.exe")

Intelligence

File Origin
# of uploads :
4
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74981/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.13161.19505.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Creating a file
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507931
Signature
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 303085 Sample: PAYMENT COPY.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 52 www.alsagranit.info 2->52 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 8 other signatures 2->66 10 PAYMENT COPY.exe 7 2->10         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 10->46 dropped 48 C:\Users\user\...\PAYMENT COPY.exe.log, ASCII 10->48 dropped 50 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 10->50 dropped 78 Injects a PE file into a foreign processes 10->78 14 PAYMENT COPY.exe 10->14         started        17 cmd.exe 1 10->17         started        19 cmd.exe 3 10->19         started        22 cmd.exe 1 10->22         started        signatures6 process7 file8 80 Modifies the context of a thread in another process (thread injection) 14->80 82 Maps a DLL or memory area into another process 14->82 84 Sample uses process hollowing technique 14->84 86 Queues an APC in another process (thread injection) 14->86 24 colorcpl.exe 14->24         started        27 explorer.exe 14->27 injected 30 reg.exe 1 1 17->30         started        32 conhost.exe 17->32         started        42 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 19->42 dropped 34 conhost.exe 19->34         started        44 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 22->44 dropped 36 conhost.exe 22->36         started        signatures9 process10 dnsIp11 68 Modifies the context of a thread in another process (thread injection) 24->68 70 Maps a DLL or memory area into another process 24->70 72 Tries to detect virtualization through RDTSC time measurements 24->72 38 cmd.exe 1 24->38         started        54 moneybook4nurses.com 108.167.181.85, 49730, 80 UNIFIEDLAYER-AS-1US United States 27->54 56 nopmirefinance.com 34.102.136.180, 49729, 80 GOOGLEUS United States 27->56 58 3 other IPs or domains 27->58 74 System process connects to network (likely due to code injection or exploit) 27->74 76 Creates an undocumented autostart registry key 30->76 signatures12 process13 process14 40 conhost.exe 38->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 07:03:52 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=knklhizx7yprtw543ghlx2rv4wh5su6inom4wfty3d44qspi2voa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1953a98a6aa1400610bfcfb7cf84cd7bc5309865d9d6a40030f95662782d916e
Formbook
4368bd3df923b59ec3239a36cfd6cbd4c8aa568ebfaec16433e0a464d368f362
Formbook
6d793847fa7272019425c00c17e6f84f719a74a926219a6f6a9c7d96f033fc48
Formbook
7eb341c011c4ea364ef927cfc57ac980111e9c49012834c3760896fec7f04d52
Formbook
aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0
Formbook
b35bd4c70b7e7b6ef3a3a0b1196720b542e78137476b52380b352af1633432b2
Formbook
b7d55f5145ac91a9b2e9d1b98f65bf6844248ebd6612be241e2fe5755dcf0733
Formbook
d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9
Formbook
f264e8bfb72842255656d3aebf39da5daa78192daf8a87950eee3d9034839b4e
Formbook
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
Formbook
+ 2'626 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201023-hdhcamfkne/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Unpacked files
SH256 hash:
5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
MD5 hash:
fced333c24d2d16b23ba539367abadc8
SHA1 hash:
cb4148ef01a33b611153e2902a00b6ae37323623
Link:
https://www.unpac.me/results/302e2826-b54e-4e76-b93e-e5ebd35ff19e/
SH256 hash:
82ed6b10536db1344d0fbef527bc11f3fcc37fb462e3f1e12a9114ded2ca8e28
MD5 hash:
352d0984534e2f12e9e27a0a13dc2f50
SHA1 hash:
d3e81bc9b117588ce1ea10227c93e1034b117975
Link:
https://www.unpac.me/results/302e2826-b54e-4e76-b93e-e5ebd35ff19e/
SH256 hash:
f1c8b375b9aaa998f98124b440f29391d60468ae6bcd9cb08f0f9e9024f21c49
MD5 hash:
37b9a7a1578db2572c36f7907672dee0
SHA1 hash:
7d917c3fc6f689ce438b5bb0772f33fcffd7f1b3
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/302e2826-b54e-4e76-b93e-e5ebd35ff19e/
Parent samples :
5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c
b7d55f5145ac91a9b2e9d1b98f65bf6844248ebd6612be241e2fe5755dcf0733
70581c97768f831cf9a0e6e084f44331ffb3d17ed78136dcd6b42e0490b814bf
29b9120d8ad7140f77528da00668da77b956fd76ef4dd0ba0af550b771a387b2
e4974ddc809773cd725cfc7070ad545ddf4aa1fc211eb77a1eaae7b7fc1a019c
091f6c53a4f73bdac192e08bda0459f5e8af953a3c2b5cdee175677301a8cef5
31a7c6470ae7463e4fb0df44f27792aed63419e03b747b5982fcc26e8011afab
b6247c787ec362f884203a581049a638a59a9db8dc6bac8cb88869a45704dfc9
c69e882c771b1818558a97832a4ffc97db0ca2bdca969abcae1b1b9094123b0b
fed568f2ea01aab915cf34cbae9762d0b6002ae51679980975b9d25f55ae9514
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 1c59295a08ed98b87aef55054ecf4a81747756b8da4f3711341e1bbb24665cc2

Formbook

Executable exe 5354b3a337fe1f19dbbcd98ebbea35e58fd953c86b99cb1678d8f9c849e8d55c

(this sample)

  
Dropped by
MD5 e4351a2a002b898f6a0dd530b5ac08a9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74981/
  
Dropped by
SHA256 1c59295a08ed98b87aef55054ecf4a81747756b8da4f3711341e1bbb24665cc2

Comments