MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28
SHA3-384 hash: a47e33bf40156ed2475b9550390a6489854b1bdc381f770efca8b3d0e9471779eb1ca715efadb0c34f69ce57901e6280
SHA1 hash: 1b2eff4fc760006072f3bb1d7dc287e0b40583b8
MD5 hash: 809821f4f656d8fc7812fb3f2dcc70a3
humanhash: victor-lemon-cold-lion
File name:purchase order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:927'232 bytes
First seen:2020-10-19 10:03:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:yllRKGYN+cs9A1GKZHNYPzodzUNPg+9QaJTC6GzUYZSlO2wu5i/P:Z0A1GUKzodzWVBe6GT8wu5i/
Threatray 2'552 similar samples on MalwareBazaar
TLSH 4F157B1523F80B09F57B97F5962850408BB67A9A503ED25C7DCD31DE9FB2B010AA3B27
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: aaturkgroup.com
Sending IP: 103.125.191.170
From: sales@aaturkgroup.com
Subject: PO FROM ALANTECH CO.,LTD QTTY (PO#7A68D20) 
Attachment: purchase order.rar (contains "purchase order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72857/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.3441.11574.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495192
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300052 Sample: purchase order.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected AntiVM_3 2->40 42 7 other signatures 2->42 10 purchase order.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\purchase order.exe.log, ASCII 10->28 dropped 52 Writes to foreign memory regions 10->52 54 Allocates memory in foreign processes 10->54 56 Injects a PE file into a foreign processes 10->56 14 RegSvcs.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 2 other signatures 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 ghs.googlehosted.com 172.217.168.83, 49758, 80 GOOGLEUS United States 17->30 32 thecoldspoon.com 34.102.136.180, 49759, 80 GOOGLEUS United States 17->32 34 4 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 NETSTAT.EXE 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 06:11:36 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mlajh4bbpacxaoswgrnbpsvxd4g2jow56ivdqb2xatinjuullqua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
Formbook
41e247af1c9e83534cd1a251b618432759435c3f9c9dfd2c8760f712a6ccc5a4
Formbook
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
Formbook
73c2d8d44daa16a7b406b82cd5201483ae40404037e7a543ad91689cbced81ad
Formbook
82b0bf0df7b8987197d19071dfda32b037ee3251291b08f6d979749635784e89
Formbook
a9675f768840e844de5923c2319cae51ba47ca5eee5c50c58418d274d5985520
Formbook
b8e4dfdddae3c40ef710797605631573fe5689ae296637a411a88f8f3c1d7389
Formbook
bfbf73201037462acf28b231212bc311a923ca797168533c3b4d233686f335ef
Formbook
d99b374a5972bbdeb57de9c8a41cc6b8c3f8928916151a40257967baa855917b
Formbook
eacd132f69b64ef7a47c959fd92f50343be23e5768f0476c665870f5de4f89ee
Formbook
+ 2'542 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201019-rn49eeb1rn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.richardgraycabinetmaker.com/cmd/
Unpacked files
SH256 hash:
62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28
MD5 hash:
809821f4f656d8fc7812fb3f2dcc70a3
SHA1 hash:
1b2eff4fc760006072f3bb1d7dc287e0b40583b8
Link:
https://www.unpac.me/results/cf86bf0b-bd36-4112-a2b3-3d87330c8662/
SH256 hash:
7ced8c2653e2499f9a758779feab33bfac08aecfd46e5025649d77905fb3b6c6
MD5 hash:
a0740483b414eafc5f27117ae0515037
SHA1 hash:
b22a77c330c2c614f91a6c9911e557731ee1736a
Link:
https://www.unpac.me/results/cf86bf0b-bd36-4112-a2b3-3d87330c8662/
SH256 hash:
a0f9278f5cbbda83db8bfb6b17e8e859b3f58d7accd21c560934b3712b97bcdf
MD5 hash:
04d40660ac96d0b0c04aea038b379c79
SHA1 hash:
d4c5caf248b0c44732d71b6676e64fc928e50f35
Link:
https://www.unpac.me/results/cf86bf0b-bd36-4112-a2b3-3d87330c8662/
SH256 hash:
eb67b9a1d91528f03444c7e3b97dd396cc54f83b10ce7e118832a352a9ac0daf
MD5 hash:
c4b32d6cb53557c30f7f364d3126b7c6
SHA1 hash:
2f9a87f3d83136986f94e03da74cd01bf20ceb7f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cf86bf0b-bd36-4112-a2b3-3d87330c8662/
Parent samples :
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28
2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 56a3547e1bc1bb2c9fa96e7b2d49dd8576199aedaf67e12c925c976af22007f4

Formbook

Executable exe 62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28

(this sample)

  
Dropped by
MD5 62f4e72bbed6b5984c14693111bd84b7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72857/
  
Dropped by
SHA256 56a3547e1bc1bb2c9fa96e7b2d49dd8576199aedaf67e12c925c976af22007f4

Comments