MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
SHA3-384 hash: 913586a13b41749b36dce02d4d23302f3a42a720eb40fba3ccdc7ce767e93d1580aaa3bca59524c4e94135dc78490da7
SHA1 hash: e5270f33d2af8ad78c66983a80efb1d5082c6ca9
MD5 hash: bb9b3a32a77e2bc287348f187dbcb37b
humanhash: double-rugby-green-jig
File name:유티아이테크-발주서 송부의건.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:586'240 bytes
First seen:2020-10-16 12:19:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Gb8DYLn2PdvTdzjM4/KoVWP/wgI7jz9+4SobZAwb:GbbL2Pxh07oVWP459+m9b
Threatray 2'486 similar samples on MalwareBazaar
TLSH D5C4D02423985FA1F47DE3BB20B0156063F9B486E739D7197EE852CE3A65B808723747
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm48.hanmail.net
Sending IP: 203.133.180.236
From: 김순호 <shkim@mijupower.com>
Subject: 유티아이테크-발주서 송부의건
Attachment: 유티아이테크-발주서 송부의건_pdf.gz (contains "유티아이테크-발주서 송부의건.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71958/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493553
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299229 Sample: #Uc720#Ud2f0#Uc544#Uc774#Ud... Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected AntiVM_3 2->40 42 6 other signatures 2->42 10 #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74.exe 3 2->10         started        process3 file4 28 #Uc720#Ud2f0#Uc544...Uc758#Uac74.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.architectural-wood-turnings.com 103.224.182.242, 49744, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 17->30 32 www.smobz.com 91.195.240.13, 49739, 80 SEDO-ASDE Germany 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 msdt.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 22:59:49 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfrihfiarhehsjcw5nvs7cnbjdpd334zneirllt2vx4nzeynjvfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10
Formbook
0d5af6ad459d48db0b27ab6ab4584191097bfc33c4f2475ce1b3a66e523e2bef
Formbook
10a9aab39489aa507d35bb18b357ca6c9f8642d8fa27fc1ad9c7de03c8e9415d
Formbook
5abc963a4cbaaee6582d5db264da8b2cb0c5a760115047a8df1e629c48dfc6e9
Formbook
765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037
Formbook
87d8ef6a4c6bf661d7957a62b9e8e9ea6627f80227f9ea88502bf601b94a960e
Formbook
a998850fc7940055baac6f61dde2d0e29836c9386ac87555549eeaa1a9998401
Formbook
af61853ca27001c0721463fce68bb033a9084e9fcd0c6ced3acd7fc3ea0e957a
Formbook
b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c
Formbook
bcaf7b4adc919fd5aaae24902b8135e2ad6d13249e9cb784b1532b52e40449b5
Formbook
+ 2'476 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201016-96997hjywx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
MD5 hash:
bb9b3a32a77e2bc287348f187dbcb37b
SHA1 hash:
e5270f33d2af8ad78c66983a80efb1d5082c6ca9
Link:
https://www.unpac.me/results/3b52c0c9-c2df-4124-a97d-79eccdc65ddf/
SH256 hash:
f52ad3e25c8ab9d7847f264ce9c2d548cd75f28adb3a43c9948dc7fb3d179951
MD5 hash:
9df97eb4772aefaa474d1d8fcad04c1c
SHA1 hash:
3db2ec4a959034ae5383115c92584c58770eb63c
Link:
https://www.unpac.me/results/3b52c0c9-c2df-4124-a97d-79eccdc65ddf/
SH256 hash:
ce673ced815e18b9399c14a03324539b458702aaecc1cdfe32cc37f0afe5530e
MD5 hash:
49d6d5a687ed4e1b0a9daa4d4533b8f3
SHA1 hash:
8d8490e3a44b8deb26fd8f14a4974348e2ce2709
Link:
https://www.unpac.me/results/3b52c0c9-c2df-4124-a97d-79eccdc65ddf/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/3b52c0c9-c2df-4124-a97d-79eccdc65ddf/
SH256 hash:
4164f6659ed07c2da64b9c7e619cca31a0342267ad6427a131972809117169da
MD5 hash:
c5c92a39f5f3df155cc00d352750979a
SHA1 hash:
4768e47cb129c16c1f90293778d7efc4afc50c84
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/3b52c0c9-c2df-4124-a97d-79eccdc65ddf/
Parent samples :
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
40e302fcbc592e6f845df3a731f3204c3026ebc929d290f77477857a4dccb559
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 7155b8098e0388c01acd57f55b4e475a448389cc050af9da8caf591ce4dd2ba5

Formbook

Executable exe 796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a

(this sample)

  
Dropped by
MD5 6787de37a2a8a4a66e0550f5a72ae8ba
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7155b8098e0388c01acd57f55b4e475a448389cc050af9da8caf591ce4dd2ba5
Cape
Cape
https://www.capesandbox.com/analysis/71958/

Comments