MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 703170d16b28086934737a474038f62654f595f1f5b30b0115806187022d1df6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 703170d16b28086934737a474038f62654f595f1f5b30b0115806187022d1df6
SHA3-384 hash: 50f9f075bb004e805d76b4cd8b3af0c90ecf54a862f1c17aac9d96663e9cbb5238abd9dcb3eb8b50f2237ac59b000769
SHA1 hash: f426763eaba66a002762a659872d503bf36f4de2
MD5 hash: 1f88d865877a56698964e7b6aec10944
humanhash: seven-spring-michigan-quiet
File name:Receipt_007876.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'040'384 bytes
First seen:2021-03-16 10:21:57 UTC
Last seen:2021-03-16 11:42:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:dxfouKlSESIdRBG9+93je32cCa/AC5lDd+/Dcl7+CRS8zdzd1:dCaIdRBjdsAC5ZdAm7Nlt
Threatray 4'190 similar samples on MalwareBazaar
TLSH 35257A21F694AB70F03973764432033183FDAD069626E6BE7D4871DA4975AC186F3EB2
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.steelpipeskzn.com
Sending IP: 89.45.4.134
From: DHL EXPRESS INC <srp@rolberman.pw>
Subject: Delayed DHL Shipment Reciept
Attachment: Receipt_007876.pdf.iso (contains "Receipt_007876.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Receipt_007876.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-03-16 10:28:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/227e158f-0dfd-454f-b65a-10dc0acc05c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis1F88D865877A.3830.17307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ab6661c-1c6f-4da0-b997-6eb9f0da255f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/640560
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 369254 Sample: Receipt_007876.pdf.exe Startdate: 16/03/2021 Architecture: WINDOWS Score: 100 30 www.syxy777.com 2->30 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 9 other signatures 2->44 11 Receipt_007876.pdf.exe 3 2->11         started        signatures3 process4 signatures5 54 Tries to detect virtualization through RDTSC time measurements 11->54 56 Injects a PE file into a foreign processes 11->56 14 Receipt_007876.pdf.exe 11->14         started        17 Receipt_007876.pdf.exe 11->17         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 14->19 injected process8 dnsIp9 32 arabemiratetour.com 184.168.131.241, 49730, 80 AS-26496-GO-DADDY-COM-LLCUS United States 19->32 34 www.www-kraken-app.digital 19->34 36 2 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 raserver.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/703170d16b28086934737a474038f62654f595f1f5b30b0115806187022d1df6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-16 08:55:59 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oayxbullfaegsndtpjduaohwezkplfpr6wzqwaivqbqyoarndx3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
Formbook
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
Formbook
38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa
Formbook
6aca638f8c9405c4c02bb3f2b5f5e5bc9d5596f8c68a57fb99347031415b584b
Formbook
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
Formbook
7c201535a28746b62adfa831cfccac096903f5b17ee83b8364fc890fa70a59fd
Formbook
988d84650b91424e291cb84ef84433cbd4214622365b226d925d71ffda0bccb8
Formbook
9dac57302e2261a1a3c6a665d3960525b27fb70a1fd6b1e135a3e72f11c6f3e6
Formbook
adcc2671f1168261ceace2da6f28a79e0b3bc2f774fac1d79f4628f494951d24
Formbook
b12941d367baf1228f6d262c4696b267cd1d36e600742aaf1fee00582fe1ea07
Formbook
+ 4'180 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210316-bxtdg4rebx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sakkerhet.com/l80/
Unpacked files
SH256 hash:
2b43013edb5706a946f4e523a1a219b31fe2a7e05c48884c048882b3c1327655
MD5 hash:
b7159eb14fe565d4e233604b629bbd8a
SHA1 hash:
64f82c67e6c7cbc078141162a49bffcee3d9ebb9
Link:
https://www.unpac.me/results/89ab7fa1-bae6-49c1-88ef-247bc783f0c1/
SH256 hash:
703170d16b28086934737a474038f62654f595f1f5b30b0115806187022d1df6
MD5 hash:
1f88d865877a56698964e7b6aec10944
SHA1 hash:
f426763eaba66a002762a659872d503bf36f4de2
Link:
https://www.unpac.me/results/89ab7fa1-bae6-49c1-88ef-247bc783f0c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/703170d16b28086934737a474038f62654f595f1f5b30b0115806187022d1df6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 4538157040dd9ec8956382843291808c24b3441f4adb4db6b5b9dc015cc01c02

Formbook

Executable exe 703170d16b28086934737a474038f62654f595f1f5b30b0115806187022d1df6

(this sample)

  
Dropped by
MD5 c624ab007b8dc7111ca4ded4ac0aa536
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4538157040dd9ec8956382843291808c24b3441f4adb4db6b5b9dc015cc01c02

Comments