MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9
SHA3-384 hash: e9e954cdf15985fc1f0160c92379b6b2f0edcc3ab425dfaf6adf9589edda542053f704e370180b661b1d8fb956ac92b4
SHA1 hash: d8331e411afd79a0b492ca9eb054259e7975c07a
MD5 hash: 385b75d2742a03b19975614017193a99
humanhash: hotel-texas-venus-wisconsin
File name:Inquiry from United Kingdom.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:666'112 bytes
First seen:2020-10-13 05:50:21 UTC
Last seen:2020-10-13 07:08:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:QO0/6zusHcLeXptEPZ3BnLSr/ke6Gzb39VezdnCb6B4bJdlH:Qlyz0cptgxn4/kzAb3DezdnCbq+b
Threatray 2'451 similar samples on MalwareBazaar
TLSH 42E4D06B33F5AF21E03EDBBD1A60454407F2E886F722D65E7DB911E90193F8217A2613
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: slot0.collinsltd.ga
Sending IP: 204.13.155.158
From: Rob Hodges <info@collinsltd.ga>
Subject: Inquiry from United Kingdom
Attachment: Inquiry from United Kingdom.iso (contains "Inquiry from United Kingdom.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70263/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.445.842.8512.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Launching cmd.exe command interpreter
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489190
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297043 Sample: Inquiry from United Kingdom.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 7 other signatures 2->46 10 Inquiry from United Kingdom.exe 3 2->10         started        process3 file4 32 C:\...\Inquiry from United Kingdom.exe.log, ASCII 10->32 dropped 56 Injects a PE file into a foreign processes 10->56 14 Inquiry from United Kingdom.exe 10->14         started        17 Inquiry from United Kingdom.exe 10->17         started        19 Inquiry from United Kingdom.exe 10->19         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 21 explorer.exe 14->21 injected process8 dnsIp9 34 ghs.googlehosted.com 216.58.207.147, 49774, 80 GOOGLEUS United States 21->34 36 arcustomwork.com 34.102.136.180, 49776, 80 GOOGLEUS United States 21->36 38 5 other IPs or domains 21->38 48 System process connects to network (likely due to code injection or exploit) 21->48 25 ipconfig.exe 21->25         started        signatures10 process11 signatures12 50 Modifies the context of a thread in another process (thread injection) 25->50 52 Maps a DLL or memory area into another process 25->52 54 Tries to detect virtualization through RDTSC time measurements 25->54 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 02:14:42 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=or2sql6dxawq6ygm6mfluojqhpawzgt2gfbyevqkgag4u4sx3h4q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
Formbook
11892c93ce6ecc668a92bcbb2e618edbc40f87cea8938e2dbe7061cbc6d1f689
Formbook
157ef05047452109ec1552af00806f1469254bc14a5cc942e41180ee82d508a7
Formbook
1d1c9ee0b1adaa5a121fd70d332785395ad22538f9cdc7db44414c1604e28919
Formbook
30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
Formbook
3527457b184139953c43be59287281eb8f797e9cc8f3e9d637362276fe4f83a2
Formbook
4ba0d07d32c048141100317f95bd6dd8b791ba9c6608730b8408530490a13922
Formbook
7543c6fd163cc67f5bf477b5b583bfca5c094e65c6a5d5dea56e3eeb333b1cad
Formbook
a63dfd81e0eb6283bc0051a3c1f80ba0eb818d132aafe5e6a1cc3cd63a3433ff
Formbook
b6bba549cf3117215c67958b942340703dbf010048d3fc7ecea2871d1d4618e7
Formbook
+ 2'441 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201013-l536be1z9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.4kitsup.com/kbm/
Unpacked files
SH256 hash:
7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9
MD5 hash:
385b75d2742a03b19975614017193a99
SHA1 hash:
d8331e411afd79a0b492ca9eb054259e7975c07a
Link:
https://www.unpac.me/results/2f06cc25-f7f8-4066-a479-d113c47af1ed/
SH256 hash:
07f44f7ef092cbb0d9b1b26a399965f105885d56e7109ff190c0c24f7ad5358d
MD5 hash:
f1870b1de25d6a15b70dbbb6777396e8
SHA1 hash:
08e261635339612d7eb06fd7d091d4c0115b1bb3
Link:
https://www.unpac.me/results/2f06cc25-f7f8-4066-a479-d113c47af1ed/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/2f06cc25-f7f8-4066-a479-d113c47af1ed/
SH256 hash:
24bb3144d5d3da460e1858679d9229bf940e6593618ce3469b9b83d9ca3358b8
MD5 hash:
a17ce8c42add488f0ebb4d26e5507244
SHA1 hash:
8ed4f2c6232c277dff4874436558db0563a7579d
Link:
https://www.unpac.me/results/2f06cc25-f7f8-4066-a479-d113c47af1ed/
SH256 hash:
21182c4968d468633c761af3c6a97ceac6577894190091d6147b714270423da3
MD5 hash:
79f2ba9ea3cf6a0192826fc9178c0749
SHA1 hash:
6eac8aaec55f73d657aac0cd69d23803ba227a34
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2f06cc25-f7f8-4066-a479-d113c47af1ed/
Parent samples :
7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9
abd47175466abe2058151e12919ca9501497dbb286909bf7896d20d59fe73ef6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 701d5c21eff2fd19e68b76008fed78882a22fa31821f690d3352680dec311bb7

Formbook

Executable exe 7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9

(this sample)

  
Dropped by
MD5 d9197833d0052302ee3e3cb34a5b94ec
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70263/
  
Dropped by
SHA256 701d5c21eff2fd19e68b76008fed78882a22fa31821f690d3352680dec311bb7

Comments