MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5864ae2b93c0ee29d29323151d1000df53cd3edca13b653e3b560871539ab384. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5864ae2b93c0ee29d29323151d1000df53cd3edca13b653e3b560871539ab384
SHA3-384 hash: 4a10ae2903da0426956ae70b6ea89fc619cfb936cbb2007f8ad0d8c1f103098e51a233acdc4111d0805ed70736167e3f
SHA1 hash: 1d84cdfd8af867e0e4eedf23abf2c4a2141c9e70
MD5 hash: 7113435f02191582860b2e04958866fe
humanhash: crazy-orange-rugby-vegan
File name:NP9K0ul0jfgmTjl.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:948'224 bytes
First seen:2020-10-27 10:33:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:+F9M0Xn8VKVWyEF6FNoz7qNw2dY2oMY2xH:mM0Xn8VKVWMcqaqvx
Threatray 3'419 similar samples on MalwareBazaar
TLSH 5C1519567A909910F16A323BC36A821847F4AB502693D333FDFF33AB0D17B6A79049D5
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: dlveltex.co
Sending IP: 111.90.140.219
From: Zhou Michelle <zhoumichelle@dlveltex.co>
Subject: Attached selected items and confirmed copy of Order and Sales Contract Draft for your reference.
Attachment: NP9K0ul0jfgmTjl.rar (contains "NP9K0ul0jfgmTjl.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79819/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513352
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305804 Sample: NP9K0ul0jfgmTjl.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 10 other signatures 2->48 10 NP9K0ul0jfgmTjl.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\Roaming\aKKHlVxY.exe, PE32 10->32 dropped 34 C:\Users\user\AppData\Local\...\tmp2D6C.tmp, XML 10->34 dropped 58 Tries to detect virtualization through RDTSC time measurements 10->58 60 Injects a PE file into a foreign processes 10->60 14 NP9K0ul0jfgmTjl.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 62 Modifies the context of a thread in another process (thread injection) 14->62 64 Maps a DLL or memory area into another process 14->64 66 Sample uses process hollowing technique 14->66 68 Queues an APC in another process (thread injection) 14->68 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 36 www.smmov.net 101.36.120.233, 49769, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 19->36 38 parkingpage.namecheap.com 198.54.117.210, 49770, 80 NAMECHEAP-NETUS United States 19->38 40 4 other IPs or domains 19->40 50 System process connects to network (likely due to code injection or exploit) 19->50 25 cscript.exe 19->25         started        signatures10 process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 25->52 54 Maps a DLL or memory area into another process 25->54 56 Tries to detect virtualization through RDTSC time measurements 25->56 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5864ae2b93c0ee29d29323151d1000df53cd3edca13b653e3b560871539ab384/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 02:50:39 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lbsk4k4tydxctuutemkr2eaa35j42pw4ue5wkpr3kyehcu42woca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14a46421d1c74515cbc85882822852abdd7272b66d2e42138a6d671f20d2f517
Formbook
3459d3a07659440f0e31b4b59a53a6ed78914d64a467cab3dcd05de1555c1488
Formbook
3904b8ba4d99b9e8d8b75af02e5d6de0153ef59e5f03d9b30319acbe625ff986
Formbook
3ba3652f91657ae971efd9b9f9b6e6ebee6dbe4e23c2837825d21c7bd7997aac
Formbook
5f660b3ade2f06e699063a8ea77f25509dc4ea949bb8b590fefe22d94b70bbed
Formbook
875733983c836e29d29a21fd994b28be1b379540eab625d440e0b1f83a581a12
Formbook
b996922b219a28e3e73b7fcd375c012315b2327ba851109df3a9f3e5c884cbc4
Formbook
bdda7b20a2773900ed2a046e25bbb583c906e818c355b3de59b0ff75e1f40780
Formbook
d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1
Formbook
f3fea4d5b45c459fa620ad00645b17375d5aac10e35e4d6e5384532a124f51a6
Formbook
+ 3'409 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201027-vmjtlszpnx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sgssts.com/g456/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 510b45183d1b7d31ec16a9a110b5b0aa4eb831d03588e8c25c831ac49ae44479

Formbook

Executable exe 5864ae2b93c0ee29d29323151d1000df53cd3edca13b653e3b560871539ab384

(this sample)

  
Dropped by
MD5 2837877aae502ecdd8d6af875db6b43a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 510b45183d1b7d31ec16a9a110b5b0aa4eb831d03588e8c25c831ac49ae44479
Cape
Cape
https://www.capesandbox.com/analysis/79819/

Comments