MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 798fa0661cf2b36f6d0a4442ad217f36549a3398b7c7a885c683de0b8899b237. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 798fa0661cf2b36f6d0a4442ad217f36549a3398b7c7a885c683de0b8899b237
SHA3-384 hash: 9a97e0d631b222055d1aded355a4a4a93e20dbacd0ce59116af2bf0c6484b54782b4737c40e326db34b685ba64425a82
SHA1 hash: 7a5633b88f04ba8167c1a2b5a81bc9793ac2d348
MD5 hash: c7c3555d0ac6dc1ea84cc8d74542f3c9
humanhash: alanine-one-east-alpha
File name:Quotation Request(October Order).exe
Download: download sample
Signature Formbook
Create hunting rule
File size:741'376 bytes
First seen:2020-10-21 09:53:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:xX9devSU/KZfO6Edq09u5F0EhAAUxV5dGdjQ/R72xfRbcaiuqgqTMrdNsXK0Mhei:UaU/0fO6ueQxVzSjQ/l2jhiZZyvp
Threatray 2'624 similar samples on MalwareBazaar
TLSH 4CF41298361471EFC41BC532CAA81C24EB226DBB132B8742581737DDA97D94BDF242E7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: astronlighting.com
Sending IP: 103.141.138.124
From: manager@astronlighting.com
Subject: New Order 10-2020
Attachment: Quotation RequestOctober Order.r00 (contains "Quotation Request(October Order).exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73956/
Detection(s):
Sanesecurity.Rogue.0hr.20201021-1105.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505567
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 301834 Sample: Quotation Request(October O... Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 33 www.comeongetreal.com 2->33 35 parkingpage.namecheap.com 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 11 other signatures 2->49 11 Quotation Request(October Order).exe 3 2->11         started        signatures3 process4 file5 31 Quotation Request(October Order).exe.log, ASCII 11->31 dropped 59 Injects a PE file into a foreign processes 11->59 15 Quotation Request(October Order).exe 11->15         started        18 Quotation Request(October Order).exe 11->18         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 20 explorer.exe 15->20 injected process9 dnsIp10 37 kartlly.com 34.102.136.180, 49753, 49757, 80 GOOGLEUS United States 20->37 39 www.kartlly.com 20->39 41 2 other IPs or domains 20->41 51 System process connects to network (likely due to code injection or exploit) 20->51 24 raserver.exe 20->24         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/798fa0661cf2b36f6d0a4442ad217f36549a3398b7c7a885c683de0b8899b237/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 02:45:33 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgh2azq46kzw63ikirbk2il7gzkjum4yw7d2rbogqppaxcezwi3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4ffeba70e305d0d745d9a60fb8a78cc3f161c3fe4a7373c2303be8f095426abd
Formbook
5007dc70fdff0e6a544f49c91da3ce378772cb397cdbb0bb3af33f4acb714add
Formbook
82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
Formbook
8a10ba003c94b5e6576d10a0c4bd01cabef6d87e4811e96c1a028e2cde63f414
Formbook
967b55e37db72cbc0f7744c0d09f655b1bd9692a75931ba6879130a2c31c41f5
Formbook
9b9d8f51a8cf586b0380629f644676e0dce350466b06224523e01db393522339
Formbook
aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
Formbook
d2b880fc3d1f874e31d23a37b38f75ceb1162c21ce895aec8dbec7f9c952f8f2
Formbook
e50ecaa156dcdcfd9144e660470385da6d44e5b1734fd44415cea067fd8b4417
Formbook
e5a94739fb1f6d7a06f6b9eb529037c9ab0d59be424d4b99c63651360d7ded3f
Formbook
+ 2'614 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201021-52eqvgxays/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.premium-vitality.com/nko/
Unpacked files
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/801b4c57-4b4f-4812-8f8e-2ebcfa14307b/
SH256 hash:
a0666a2dfa02c0e673d72557f3943183697bcdcf63de3bb4c786e1a99be0af26
MD5 hash:
9e5b9120c1187172ebafa2a9692889af
SHA1 hash:
cf8bcad87a61264b730adca0a0f8e09fa68c95f7
Link:
https://www.unpac.me/results/801b4c57-4b4f-4812-8f8e-2ebcfa14307b/
SH256 hash:
f5ef937687151af5127054455ff8ddeedba52a73b0da68008f8d2eaa2ba21ee4
MD5 hash:
77b5122a7d7f2d81efc2818c1e089ee2
SHA1 hash:
af448725effefb8ab50cba5fc3775e11effd8569
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/801b4c57-4b4f-4812-8f8e-2ebcfa14307b/
Parent samples :
5007dc70fdff0e6a544f49c91da3ce378772cb397cdbb0bb3af33f4acb714add
967b55e37db72cbc0f7744c0d09f655b1bd9692a75931ba6879130a2c31c41f5
e50ecaa156dcdcfd9144e660470385da6d44e5b1734fd44415cea067fd8b4417
798fa0661cf2b36f6d0a4442ad217f36549a3398b7c7a885c683de0b8899b237
020f6782cf76a5a4f0fc561da8c503892094137b8e5df112005a31885cdc89ef
caae4001f524c83a5c3c3b7f7a56d3344d9de742eadbfc54bf3e7fda14354392
f50e15e064da178ab886f00bed99a6a96ae3574e5cdd70a08991788818038d11
SH256 hash:
798fa0661cf2b36f6d0a4442ad217f36549a3398b7c7a885c683de0b8899b237
MD5 hash:
c7c3555d0ac6dc1ea84cc8d74542f3c9
SHA1 hash:
7a5633b88f04ba8167c1a2b5a81bc9793ac2d348
Link:
https://www.unpac.me/results/801b4c57-4b4f-4812-8f8e-2ebcfa14307b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r00 de135c13a8b94043d1be7478994ac948b85b99635394a6a144397f4a92562222

Formbook

Executable exe 798fa0661cf2b36f6d0a4442ad217f36549a3398b7c7a885c683de0b8899b237

(this sample)

  
Dropped by
MD5 ca8de0272a16d4b1aacd5adaa77a3711
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73956/
  
Dropped by
SHA256 de135c13a8b94043d1be7478994ac948b85b99635394a6a144397f4a92562222

Comments