MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
SHA3-384 hash: e07ce10339a7285764606fde0019a58a71e940451745fc1913fbfa120b23692332e9638645ab4c3b8a618760082f7319
SHA1 hash: 53138f14140eb1c253e7985b8385e3853e5a5ac8
MD5 hash: 4dd9b0d139a7c9618fa5344e6b1387f8
humanhash: april-oxygen-ten-pennsylvania
File name:Purchase Order.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'233'920 bytes
First seen:2020-10-16 12:19:12 UTC
Last seen:2020-10-16 16:11:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:tdbfh8PGaONqv3Dp2E4xGREkcMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMK:vyPGaOgNfREkcMMMMMMMMMMMMMMMMMM+
Threatray 2'479 similar samples on MalwareBazaar
TLSH CE459C41F6519D67CDDF0ABA0E1AC930F3757D499408DA0D2AD83DCF36B6BA026C1E86
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: tzdegree.com
Sending IP: 103.125.191.170
From: Chusui <chusui@tzdegree.com>
Subject: PO FROM ALANTECH CO.,LTD QTTY (PO#7A68D20) 
Attachment: Purchase Order.rar (contains "Purchase Order.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71957/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493550
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299225 Sample: Purchase Order.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 11 other signatures 2->49 10 Purchase Order.exe 6 2->10         started        process3 file4 31 C:\Users\user\AppData\Roaming\OtKlDrIky.exe, PE32 10->31 dropped 33 C:\Users\user\AppData\Local\...\tmp9E6F.tmp, XML 10->33 dropped 35 C:\Users\user\...\Purchase Order.exe.log, ASCII 10->35 dropped 13 RegSvcs.exe 10->13         started        16 schtasks.exe 1 10->16         started        process5 signatures6 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 2 other signatures 13->65 18 explorer.exe 13->18 injected 22 conhost.exe 16->22         started        process7 dnsIp8 37 www.afterfivekids.com 103.65.237.67, 49745, 80 IDNIC-BSTI-AS-IDPTBerkahSolusiTeknologiInformasiID Indonesia 18->37 39 richardgraycabinetmaker.com 54.209.112.53, 49746, 80 AMAZON-AESUS United States 18->39 41 2 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 24 raserver.exe 18->24         started        signatures9 process10 signatures11 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process12 process13 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 02:42:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
60
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ooba5g6ydttubifd5rc74edutjsagsvll356wevn5spl6rwa6k5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
106f9f66c54be3c20be8f04ce63f5d6183d6eb9e79a6b243b5c820cc01ee24cb
Formbook
2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
Formbook
691e25f141a0389dec22a7f9027a57ff7242cd2918f525e3c22e81c863f803c9
Formbook
82b0bf0df7b8987197d19071dfda32b037ee3251291b08f6d979749635784e89
Formbook
8899a90e9da2a5de4afe8ba47e95750e95ec17ede7c31557d7a28243b9756364
Formbook
8e4ceb651508d097ba20fbb82af157ea25bc12e32caaf7d02247646e4e3c0629
Formbook
94f3a02a7435ee096c0f5ee7321d8d82ae12826b144bf1c706ebaf6508734450
Formbook
a9675f768840e844de5923c2319cae51ba47ca5eee5c50c58418d274d5985520
Formbook
f010bc0295db81514c87fde7298f3425670ae67f4f24a21f20232a10eb644907
Formbook
fd9f113a78e94fc975ba4e5e940c91395e63b5ea904e7690fbad9f569b6da1b8
Formbook
+ 2'469 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook evasion
Link:
https://tria.ge/reports/201016-p3bnsab4na/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.richardgraycabinetmaker.com/cmd/
Unpacked files
SH256 hash:
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
MD5 hash:
4dd9b0d139a7c9618fa5344e6b1387f8
SHA1 hash:
53138f14140eb1c253e7985b8385e3853e5a5ac8
Link:
https://www.unpac.me/results/ef59d616-429d-480b-8013-49de24d8cb07/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/ef59d616-429d-480b-8013-49de24d8cb07/
SH256 hash:
f15a772a8f6e3637e8863d83a2caf667107f5771d12e8cd16dce163b5ad652de
MD5 hash:
ef338fc6a88e57f5c0fc56b71b24f7ea
SHA1 hash:
d9cda75de569151c5345b9e759f1a6efdd5c8799
Link:
https://www.unpac.me/results/ef59d616-429d-480b-8013-49de24d8cb07/
SH256 hash:
eb67b9a1d91528f03444c7e3b97dd396cc54f83b10ce7e118832a352a9ac0daf
MD5 hash:
c4b32d6cb53557c30f7f364d3126b7c6
SHA1 hash:
2f9a87f3d83136986f94e03da74cd01bf20ceb7f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ef59d616-429d-480b-8013-49de24d8cb07/
Parent samples :
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28
2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 2072cd3d9fd6f28828ae99614405945faaa6c9cd64009eee8b82a6e5cbce237a

Formbook

Executable exe 73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba

(this sample)

  
Dropped by
MD5 9dff4a04cfd4910cee8fe2fcfb25417a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2072cd3d9fd6f28828ae99614405945faaa6c9cd64009eee8b82a6e5cbce237a
Cape
Cape
https://www.capesandbox.com/analysis/71957/

Comments