MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 543297a97a78b4347302bded28c19777fc5a7771f5c20b8042cbac3e0baadfec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 543297a97a78b4347302bded28c19777fc5a7771f5c20b8042cbac3e0baadfec
SHA3-384 hash: 76199f6dd5ae73e9d5dc34851334a953f3835f2deb6dae48293a85189094dbe70b89f4726b786428c54519934403ea44
SHA1 hash: f56d5e10c732ca7adc7013132809c77da54a2b66
MD5 hash: 88c352fb8afc0d8bc3cad4133ffcc8e1
humanhash: ten-cola-burger-michigan
File name:PROOF OF PAYMENT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'059'328 bytes
First seen:2020-11-18 12:51:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:pM3+tzmlRu1wKV5Uogu/bt8LFUcc6+qHfRDQmL30q0d5mgrqatOsirnw+3K1Ykbm:p2+tzXvz/x8J+q/NL301XqatOsirnJ
Threatray 2'969 similar samples on MalwareBazaar
TLSH E835F5BC361175DEC96BCC76CAA82C64EE60247B930BD607A01705EDAA0DA97CF145F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: slot0.gredty.tk
Sending IP: 23.254.247.5
From: accountdept@mweb.co.za
Reply-To: don4eyo@gmail.com
Subject: PROOF OF PAYMENT
Attachment: PROOF OF PAYMENT.IMG (contains "PROOF OF PAYMENT.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.27540.11326.18176.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541053
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 319630 Sample: PROOF OF PAYMENT.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 36 www.vvtsoul.info 2->36 38 vvtsoul.info 2->38 40 4 other IPs or domains 2->40 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 7 other signatures 2->50 11 PROOF OF PAYMENT.exe 3 2->11         started        signatures3 process4 file5 28 C:\Users\user\...\PROOF OF PAYMENT.exe.log, ASCII 11->28 dropped 14 PROOF OF PAYMENT.exe 11->14         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 fantamoda.xyz 93.89.226.17, 49765, 80 TR-FBSTR Turkey 17->30 32 brilliant-technologies.com 205.144.171.175, 49776, 80 ST-BGPUS United States 17->32 34 16 other IPs or domains 17->34 42 System process connects to network (likely due to code injection or exploit) 17->42 21 ipconfig.exe 17->21         started        signatures10 process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 21->52 54 Maps a DLL or memory area into another process 21->54 56 Tries to detect virtualization through RDTSC time measurements 21->56 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/543297a97a78b4347302bded28c19777fc5a7771f5c20b8042cbac3e0baadfec/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 10:23:56 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kqzjpkl2pc2di4ycxxwsrqmxo76fu53r6xbaxacczowd4c5k37wa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
048a4bdb5c21a62e9028370b06b2804aaeb3b85b2446f5c47ff3fb3e7f676be8
Formbook
15c7df3fd38078bfe8814c09bc69279c91ae32fc7178912998b6eca91f4d82b8
Formbook
15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76
Formbook
6499e8029a2f0db6a6a601d425217cd6bf076fe96accdce24fe042b24001bc8f
Formbook
a3d9fa54d77e4cc21b331862bf1c4d4aca6f6e026bbac20a6bd5204593a7a8f4
Formbook
c2ed9a707bd10d4d9d9291d1fd7bc7316d8a80f846b6263c800ff89885641e37
Formbook
d1b84326aa58802176aeeceda99665ab3455f07aeda472c8605718908683adf0
Formbook
e0f3cc45f5f9d758b91fc99dbc5b838e8658fa28bad234825318e18d11806681
Formbook
f4e7a822d33c454237c1d3d8352ca27953875dafcc0bb13ec52c649a8e0e9535
Formbook
f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d
Formbook
+ 2'959 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201118-ey73krp1g6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Modifies service
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.brilliant-technologies.com/mua8/
Unpacked files
SH256 hash:
b2fe99a50b1da523c04c70e699991571eb41db9856e9adcfd54254e1b46287cc
MD5 hash:
f4172fbe7b8ba3fe69c15159521b8827
SHA1 hash:
2a825ee7da155318c3b82350d654721271f92e22
Link:
https://www.unpac.me/results/bd2f061a-6113-4ffa-8d47-5f4ba30924db/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/bd2f061a-6113-4ffa-8d47-5f4ba30924db/
SH256 hash:
e83a108f4a0ddf08e87da9ebe195feb35fd63ed4cf75126ee180acb94d308c03
MD5 hash:
6e00feab2b76f07752fb8c25cb08fa77
SHA1 hash:
86f2f19a00672469c6aee13ce7400dab25a220c0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd2f061a-6113-4ffa-8d47-5f4ba30924db/
SH256 hash:
543297a97a78b4347302bded28c19777fc5a7771f5c20b8042cbac3e0baadfec
MD5 hash:
88c352fb8afc0d8bc3cad4133ffcc8e1
SHA1 hash:
f56d5e10c732ca7adc7013132809c77da54a2b66
Link:
https://www.unpac.me/results/bd2f061a-6113-4ffa-8d47-5f4ba30924db/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 9c4656ba0f3dcd7ceed54c6da324ea9b783f8f5f5e9306ea5be9b38e2deb23e6

Formbook

Executable exe 543297a97a78b4347302bded28c19777fc5a7771f5c20b8042cbac3e0baadfec

(this sample)

  
Dropped by
MD5 a423ae56f2efa98e716291be24f33871
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9c4656ba0f3dcd7ceed54c6da324ea9b783f8f5f5e9306ea5be9b38e2deb23e6

Comments