MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b
SHA3-384 hash:	8876d6cdc06251e79b811c9347ca564f1386f095464befb45375c40028c21a003188e9dafc38102554e70052c5c92601
SHA1 hash:	f76dc23da1d8ac882edfee4d2f07bb48f00dd17c
MD5 hash:	12992accec225e9f9698c02a93180bf7
humanhash:	queen-spring-uranus-east
File name:	New Purchase Order 50,689$.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	546'816 bytes
First seen:	2020-10-10 06:53:13 UTC
Last seen:	2020-10-10 08:05:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:fldpPHGeY/q93ZE41BpSt+l05X8JaPomU5J1nM+:FOE9ObECi+hUJj
Threatray	2'380 similar samples on MalwareBazaar
TLSH	D7C4230197DE5326D63E1BF8A7B4617003B6C40B65A6F72D0E75B9D3BCA23938952703
Reporter	abuse_ch
Tags:	exe FormBook Yahoo

abuse_ch

Malspam distributing Formbook:

HELO: sonic313-56.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.185.31
From: Remia Fomitche <fomitcheremia@aol.com>
Reply-To: Remia Fomitche <fomitcheremia@aol.com>
Subject: Re: Purchase Order Details
Attachment: New Purchase Order 50,689.rar (contains "New Purchase Order 50,689$.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69701/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/487413

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-09 16:33:44 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=o5brs7dr6he24nemvhkzjbahagbvsqiar2tyjxxph3wdfm54onfq._file

Verdict:

malicious

Label(s):

formbook

Formbook

0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004

Formbook

1277fb7fda4e11d5c61a6c07df4af7712070f01e002d54683c879c23e739519f

Formbook

215d70c6d51b2b66a89f0c3a6ea7f5ccf2801b57dd1709b2ff935b518ce40ca2

Formbook

2f643214a404b795accc39e864fa47ec2894ba8d87b85f28d4521a7520bf0888

Formbook

3d7664dcebcb7d20b25a6890a6697a2a293239ea13f00695722d1dce023c8cb6

Formbook

7d7edb74ec4a4b30b75d0337169be83d230a384ba2bb9597c626aaeadbef8048

Formbook

88d485f91575565bbb932071c23911a6899478490ab2b729bc96bbd19327b2c0

Formbook

9528c2cff0a659892959e295c2a7e9661a9dcee51bc2e3015e73b4d25b37f135

Formbook

d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b

Formbook

+ 2'370 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201010-4bcp9rs5je/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.touchtoby.xyz/eao/

Unpacked files

SH256 hash:

7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b

MD5 hash:

12992accec225e9f9698c02a93180bf7

SHA1 hash:

f76dc23da1d8ac882edfee4d2f07bb48f00dd17c

Link:

https://www.unpac.me/results/4b45f718-abb6-44d7-bc17-cd440d2ce1ba/

SH256 hash:

607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b

MD5 hash:

a90baadadf904455325f7bc787185c7b

SHA1 hash:

7d833bb819d638008c98be469b05db2feaf201cd

Link:

https://www.unpac.me/results/4b45f718-abb6-44d7-bc17-cd440d2ce1ba/

SH256 hash:

5e99abde549a7cd10031aba5406b540612e919d024417eeb50c3bdf908a7a7cb

MD5 hash:

328a62a6dde7225f0f2232c6d1f7c2d4

SHA1 hash:

f2278c72a789ccfa59da9acb952f4e919cd22ad8

Link:

https://www.unpac.me/results/4b45f718-abb6-44d7-bc17-cd440d2ce1ba/

SH256 hash:

efd0f2abc20fb62394f63208f97c501d0feb625b3e69fa6e177d9dd0d3c7a4c8

MD5 hash:

0ce63e59a69c42e59a610c2d774f852e

SHA1 hash:

0f001b240d96471f0ccac3ce1369122476370163

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/4b45f718-abb6-44d7-bc17-cd440d2ce1ba/

Parent samples :

9528c2cff0a659892959e295c2a7e9661a9dcee51bc2e3015e73b4d25b37f135
215d70c6d51b2b66a89f0c3a6ea7f5ccf2801b57dd1709b2ff935b518ce40ca2
7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b
c5a3dbe60ff325c179eaccd5731fac2bf328022dca3c42ad847108dadf54481b
557e3c6a577287caee9f2224e8ef8455d4501f7d99c4ae818dd4d8aa268ed495
da625c254e8607b0fdcde2ec95e4ecfd1822cfe736d3d9d48c5795e928fb6b7f
27c9bdfa6cc8c9343b507ee1df148482028afcabda152e356feabd28ecd67eb5
31a90420f266f02ae50a6a3603ea81461fa26baae094e00448aadc569c8f7dad
21ac6b3466ff131a75cea134baddd37412fa73bb5b8697aad76a719346a14648
95cf775c4ff8b1fbaa88f99cf6148cfae8116b5258169dc1bf0dbae42a60f1f1
1aa1c6c264025cc567e70f6ca867a0c6618bd2eb2ec3312730c68a41c0d7e076
a5101910da7817c72ebc45da2ee45900f306a86edc039c9072f6c1e890da6628
d5600a0e6b9fcb8482f7ebd1fedf3f814fbabbbec89773ad612da18385fb5a3b

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar ec1f066d313143220eb12abb23af311e4959685d564add3db0cd907c47e40eaf

Formbook

exe 7743197c71f1c9ae348ca9d594840701835941008ea784deef3eec32b3bc734b

(this sample)

Dropped by

MD5 72af61b658285b49cfc06ecddcd47b12

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/69701/

Dropped by

SHA256 ec1f066d313143220eb12abb23af311e4959685d564add3db0cd907c47e40eaf

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample