MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5
SHA3-384 hash: 4e6b193579fc7ab55b75c4d8632d96bb57d59a25932627d949f8bdd74e08c07aae96226e5bfdd3a55c1adb7a97733b7a
SHA1 hash: 4e1504045a1db94dfae74a9608d9b02eea8d70e8
MD5 hash: f594f7b8cc6ddcdf4fa4ae86efc55a08
humanhash: johnny-triple-spaghetti-oranges
File name:Banking Details Review_Pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:393'728 bytes
First seen:2020-12-20 07:57:34 UTC
Last seen:2020-12-20 09:34:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:3saj+oguPMI3jIgGGjSzWTBNwv4rAi/jL:3CZ2JSiNcKj
Threatray 3'224 similar samples on MalwareBazaar
TLSH 5184125435ACDBA7DA7E4BF9A014500003F19C7AB402F3D95ED574EE29B2B11CB82EA7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.coacb.com
Sending IP: 145.239.35.58
From: BNC BANK <paycheck@bnconline.com>
Subject: Payment Advice - (Authentification Error) Please Verify!
Attachment: Banking Details Review_Pdf.rar (contains "Banking Details Review_Pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Banking Details Review_Pdf.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-20 08:01:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a52dedca-e0c2-46d9-8ebf-f36494a89344

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108591/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42755.24523.2952.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566941
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332554 Sample: Banking Details Review_Pdf.exe Startdate: 20/12/2020 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 8 other signatures 2->43 10 Banking Details Review_Pdf.exe 3 2->10         started        process3 file4 27 C:\...\Banking Details Review_Pdf.exe.log, ASCII 10->27 dropped 13 Banking Details Review_Pdf.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.laytikes.com 81.17.18.194, 49739, 80 PLI-ASCH Switzerland 16->29 31 oceanupdate.xyz 195.201.179.80, 49736, 80 HETZNER-ASDE Germany 16->31 33 10 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 colorcpl.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-19 06:04:26 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pz2m7rfcmbo7kqg37na5tdjruxwyb4sacfuhabwgqgghfig2wdkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08fa0f706fc396cd5015d07862705016732e3d6e6f3e3178c165a1cd94e1d0a1
Formbook
1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd
Formbook
6b4b7e04b908d027fd811be6d25ceaa5e45eee1628467f686b35ed73bf411a76
Formbook
79292dbee87727fd79dad21b0c2679bb7488ac53bc93d90ec8d3060d746882b1
Formbook
82b0bf0df7b8987197d19071dfda32b037ee3251291b08f6d979749635784e89
Formbook
99c4f75948b26af511bfa055db8d18567a3d662107e35e91102b5576f02acb84
Formbook
b19d067a87767c377a60981192e5edb9256ce11f7d663cdcae2af3d8d0c0c382
Formbook
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
Formbook
d4f441c8e41cf4ad4af9097d51214c411b165ab452f5686aa1e71e4073417334
Formbook
fa1c05c7ea1e94e08982755ca1d13051a6cd334fa3e93aa98b5bcc2ebb910f59
Formbook
+ 3'214 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201220-7yabps5592/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.workonlinetimallen.com/dll/
Unpacked files
SH256 hash:
1a4f867f7b1fce3874bfd431e31388e35d97203c2d9e52ba379e0a0c11b71f34
MD5 hash:
31b58ae5a625da811043ecdefa93c3e2
SHA1 hash:
170dee458200185da41ec142fb7bab7206a483c6
Link:
https://www.unpac.me/results/50597a1e-51bf-4fae-b8ae-e5562902406e/
SH256 hash:
ffda257750b95b66ced1411d24b59736d3c006dd786e3fce5bf7ce2fb514efdd
MD5 hash:
cfc7eee7d06b2989d568389d2f7d4537
SHA1 hash:
ac74e0d43d6bc04d8e3e4bb5c7849c7bf4b75aa1
Link:
https://www.unpac.me/results/50597a1e-51bf-4fae-b8ae-e5562902406e/
SH256 hash:
27169ffd7443797c58d4fa71f1d3fcf6ef963752c9f086ae33f1061a2a9ef09f
MD5 hash:
ac2e021db43af46a6f45f6f844e5171e
SHA1 hash:
82b1053795d5eda0e48e7a0555f1c89f86fe2ba1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/50597a1e-51bf-4fae-b8ae-e5562902406e/
Parent samples :
7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5
82bce2eb0b0f2675b0ac41f33e8018bad765caeb084cfe7a6035fc4d9ea8f7ec
628367b1e0868b53f1b97ce577a9eeeb1da2ec1e13b60cd9a4a01fad15d5fcef
cf63918e0cb789a778c7eac7c1b5d896db35caa3fa9fd179b95a4101f5856af7
5ae079397458f932dc10cf8b9e9aef020131172e2a0d7dfb43050ff12eb89865
23b82d55e4e538292a0f0b0b3e05fb2dd6405b9f001110cb212f20f838f191ff
SH256 hash:
7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5
MD5 hash:
f594f7b8cc6ddcdf4fa4ae86efc55a08
SHA1 hash:
4e1504045a1db94dfae74a9608d9b02eea8d70e8
Link:
https://www.unpac.me/results/50597a1e-51bf-4fae-b8ae-e5562902406e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 3adc36256c39316d48532b94e503b2756fca27c7a82f218d163b27294f09a616

Formbook

Executable exe 7e74cfc4a2605df540dbfb41d98d31a5ed80f24011687006c6818c72a0dab0d5

(this sample)

  
Dropped by
MD5 0eab6b461c93b623653c791fc1d0f689
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/108591/
  
Dropped by
SHA256 3adc36256c39316d48532b94e503b2756fca27c7a82f218d163b27294f09a616

Comments