MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e
SHA3-384 hash: 3cc1e7a975ac9f3f5f9dd458ce54535226c3dc5f38b451fd436ea24da693dc998f7811c192da527b43d2cc935b137b98
SHA1 hash: fbfbb81c8e0e6ab112f3218dbf5eb86a37ba431e
MD5 hash: a09c9e8a90a5870226814aef19815c9f
humanhash: tango-dakota-butter-wyoming
File name:WoolWorths Exclusive Gift Voucher.pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:968'704 bytes
First seen:2020-10-23 06:56:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:evLULQicZCQZ4viOBPNIl7GFA3540KGu54afXR6xh0+ErauGW7VrJ:eL/k84viAk7GFv0KBXR80lzr
Threatray 2'635 similar samples on MalwareBazaar
TLSH 0F25AD0231D5CF44D9BD5BF9D51858F14BB6BC6ED22AD18B1D927CCE34B2B006A1AB0B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: saxamarketing.com
Sending IP: 199.217.115.34
From: noreply@woolworths.co.za
Subject: You have received a WoolWorths Exclusive Gift Voucher !!!
Attachment: WoolWorths Exclusive Gift Voucher.pdf.gz (contains "WoolWorths Exclusive Gift Voucher.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74949/
Detection(s):
SecuriteInfo.com.ArtemisA09C9E8A90A5.3726.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507821
Signature
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303036 Sample: WoolWorths Exclusive Gift V... Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Yara detected AntiVM_3 2->41 43 7 other signatures 2->43 11 WoolWorths Exclusive Gift Voucher.pdf.exe 1 2->11         started        process3 process4 13 WoolWorths Exclusive Gift Voucher.pdf.exe 11->13         started        signatures5 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process6 dnsIp7 29 dstresscafe.com 162.241.219.188, 49736, 80 UNIFIEDLAYER-AS-1US United States 16->29 31 ilcampervino.com 195.110.124.133, 49743, 80 REGISTER-ASIT Italy 16->31 33 5 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 msdt.exe 16->20         started        signatures8 process9 signatures10 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process11 process12 25 conhost.exe 23->25         started        process13 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 04:56:51 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ou4jgg5nc5rmitinm3vhgcr4u3c2zmmngjxtul2376q7qgdegvha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0713f11756d56d7b064989ad057ab768f0cbef644ee45b96f1ef2a9daefd0eaa
Formbook
0c3afc73b1560d5d817104a616325e9f7a825e6b0158dfa0469b423c8bfbdf64
Formbook
143848b6d47c7c571df87a7dee1892aa571b94fca0d9d60c6b7a2141f644950a
Formbook
1a96662a743a681756e4ae5ed7a3d259cca5a50725413698c1769939a950b455
Formbook
205522a02f43a8477a1ed81ea1dff4f5b914afbc01f68ac082e5bf76d73fe8b2
Formbook
37fa0d1153831bdf8c08560d18a83afc2ccede848883819536eb81497c63229f
Formbook
6fb6937cf1cdf0d1c89ba807e43754a2d06754cd820992dc0b91cb61540cf547
Formbook
7843242690547cf0b4ebea118783c903b99c3a211f1775db3cf24b09fbe2454a
Formbook
b7f9546fa9fb928d856b69a70174d693a84c641ad193e88e48c07cdb92751e03
Formbook
e3bdb2a06e43b09073cebd4f7a7fe633d45d1c6d149885f7b815cc591fe3b453
Formbook
+ 2'625 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201023-ba17levtva/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mxmsportsgear.com/dfr/
Unpacked files
SH256 hash:
de334bb03ca82f2f9ff35170ebe95872ec98b544e847d2c278ac03e801a1076f
MD5 hash:
6051bc836ff9eb1144b402bd79a78cf9
SHA1 hash:
1198f97d13ab82a00b8069095812852fe8352916
Link:
https://www.unpac.me/results/4e8cdb33-ff28-4fe2-b00f-b6299978247a/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/4e8cdb33-ff28-4fe2-b00f-b6299978247a/
SH256 hash:
5471221d05c4363d2dcb8eea16133e78c54b0ae1d9169cc7d8d75df8a71658b1
MD5 hash:
884036c323f9ac728697f9b8449f17cd
SHA1 hash:
65eaa89e5651c5d1301f940898ebb5d184fcec9a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4e8cdb33-ff28-4fe2-b00f-b6299978247a/
Parent samples :
205522a02f43a8477a1ed81ea1dff4f5b914afbc01f68ac082e5bf76d73fe8b2
37fa0d1153831bdf8c08560d18a83afc2ccede848883819536eb81497c63229f
0c3afc73b1560d5d817104a616325e9f7a825e6b0158dfa0469b423c8bfbdf64
b7f9546fa9fb928d856b69a70174d693a84c641ad193e88e48c07cdb92751e03
7843242690547cf0b4ebea118783c903b99c3a211f1775db3cf24b09fbe2454a
7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e
SH256 hash:
7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e
MD5 hash:
a09c9e8a90a5870226814aef19815c9f
SHA1 hash:
fbfbb81c8e0e6ab112f3218dbf5eb86a37ba431e
Link:
https://www.unpac.me/results/4e8cdb33-ff28-4fe2-b00f-b6299978247a/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 3e2b1735fb64a691cd058356595f5cef0635a12441c77ab42edbb6832f770be2

Formbook

Executable exe 7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e

(this sample)

  
Dropped by
MD5 9d8162b1af94c8cd421d34dfd990be43
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74949/
  
Dropped by
SHA256 3e2b1735fb64a691cd058356595f5cef0635a12441c77ab42edbb6832f770be2

Comments