MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591
SHA3-384 hash: 4d63d1e36d02b92a5de39021fb1c1fd30e2df98193e4ccd8bdaee56b726979b3666b256a19f90194e73e8d8973e607df
SHA1 hash: c66f601898b1dd4733351d353d8f5fed5057ea70
MD5 hash: fe66ad2c4ee97c4bbb4165b904809c1a
humanhash: delta-edward-bulldog-nevada
File name:Factura de clients_0010002345.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:593'408 bytes
First seen:2020-10-12 14:56:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:SGa2Iut3ILS28LOo4LWcXb9bfmySZvDwdF04ykULYw:S4Btr28LaLWYbzAkW
Threatray 2'422 similar samples on MalwareBazaar
TLSH 5FC4F1723B88A712D97DE3BD143110446BF5F1A1EB21E71ABD99409E0A76F48C7B2B13
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: vxsys-smtpclusterma-04.srv.cat
Sending IP: 46.16.61.65
From: Administracion <duldi@duldi.com>
Reply-To: duldi@duldi.com
Subject: Factura de Clients
Attachment: Factura de clients_0010002345.rar (contains "Factura de clients_0010002345.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70149/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.445.1641.22421.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488632
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 296794 Sample: Factura de clients_0010002345.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 45 www.keyoil.xyz 2->45 47 parkingpage.namecheap.com 2->47 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for dropped file 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 11 other signatures 2->61 11 Factura de clients_0010002345.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\snatPkoG.exe, PE32 11->37 dropped 39 C:\Users\...\snatPkoG.exe:Zone.Identifier, ASCII 11->39 dropped 41 C:\Users\user\AppData\Local\...\tmp77E0.tmp, XML 11->41 dropped 43 C:\...\Factura de clients_0010002345.exe.log, ASCII 11->43 dropped 65 Injects a PE file into a foreign processes 11->65 15 Factura de clients_0010002345.exe 11->15         started        18 schtasks.exe 1 11->18         started        20 Factura de clients_0010002345.exe 11->20         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 15->73 75 Maps a DLL or memory area into another process 15->75 77 Sample uses process hollowing technique 15->77 79 Queues an APC in another process (thread injection) 15->79 22 explorer.exe 15->22 injected 26 conhost.exe 18->26         started        process9 dnsIp10 49 sweetsistersmiami.com 160.153.136.3, 49751, 80 GODADDY-AMSDE United States 22->49 51 www.lilyolivier.com 94.136.40.51, 49758, 80 GD-EMEA-DC-LD5GB United Kingdom 22->51 53 2 other IPs or domains 22->53 63 System process connects to network (likely due to code injection or exploit) 22->63 28 cmmon32.exe 22->28         started        31 autoconv.exe 22->31         started        signatures11 process12 signatures13 67 Modifies the context of a thread in another process (thread injection) 28->67 69 Maps a DLL or memory area into another process 28->69 71 Tries to detect virtualization through RDTSC time measurements 28->71 33 cmd.exe 1 28->33         started        process14 process15 35 conhost.exe 33->35         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 10:11:28 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbicjpn5mgwqu6ribrbptdej3jkwhqsjr3lwrfy53r2nzijg4wiq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3808406b1791c3ded2f4c0d969e4141d613fc5695d72afe9bc299488d115a048
Formbook
48a5835b51a5221656e9497ca5682a1e232bf1a1da085af917245dc3fad1a241
Formbook
659b0da98e348344d29abb19796211921453463c9a8c61649ef193171ff4a2c0
Formbook
a64ac7715f779b591f789eb4e66a54a8e8a26855a89089ee6e6080f61231a7c9
Formbook
a8d600611bd6dbc3d203d5b4c3af645eb18df5e4710a8bc4fb47b722581eee6b
Formbook
b33d4aa5d310ea72ac089f58b923d2f9c95a63864cf55052b3933a6c12c40d4b
Formbook
c8741ad3130b95d1df602e99ed65489df788819dabe8907f2a449197e8ba97ef
Formbook
cb9826fb54d83c293531c905827920511bd9d7b259da01ac1e593d9d10aec334
Formbook
e132699f63854eb3c66be165867f2cafc37d29a8a3a4ca3c4c6949ed42ddde95
Formbook
f8db8d7d0f7ba777f5f18452579f40a224a055c6624066b5dce501121cc91c5c
Formbook
+ 2'412 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201012-5f1j2car22/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fullyey.com/mye/
Unpacked files
SH256 hash:
805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591
MD5 hash:
fe66ad2c4ee97c4bbb4165b904809c1a
SHA1 hash:
c66f601898b1dd4733351d353d8f5fed5057ea70
Link:
https://www.unpac.me/results/bb9dec5c-685d-498a-872f-927940c43d05/
SH256 hash:
9b5a5cf1658af3ee3667c09726e02ca7da34a5c16f5654b2d7a0beb87c9f935e
MD5 hash:
d8bd73dedeb7b063b464825add467927
SHA1 hash:
0b59d3ff89b57d0a27deaa3ff233053a5f8b16b1
Link:
https://www.unpac.me/results/bb9dec5c-685d-498a-872f-927940c43d05/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/bb9dec5c-685d-498a-872f-927940c43d05/
SH256 hash:
e8fd81170d88bef404186e86f9818b44dffe54770fd661d4cc3816b1ff9c9e5d
MD5 hash:
89518fd277c2ccd5838568739207872f
SHA1 hash:
5bcd810f81b45290ab8448684817f75443102322
Link:
https://www.unpac.me/results/bb9dec5c-685d-498a-872f-927940c43d05/
SH256 hash:
34522ce646c52c59a01d9403ea5459a8f5189d103d37ffbd02fc516e67e5e555
MD5 hash:
4392a850e700fd05212fa73c49982343
SHA1 hash:
a7ab2d2d2c7c0b3f27bdf9b91eeda94155f1c8cc
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb9dec5c-685d-498a-872f-927940c43d05/
Parent samples :
1a4afa3e1d1087c27e7d4c724a87611f7ed901dffb86943ef05d1015614b0e32
805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591
d8eca36ecff579ceffbd778ab8c8949a94d4967e1c0965988b2a68671f1915ef
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 786936dec0ba7ebc9ee5580fc9309a0f01adb53b6b36daabcd7d8de3e1848e1b

Formbook

Executable exe 805024bdbd61ad0a7a280c42f98c89da5563c2498ed768971ddc74dca126e591

(this sample)

  
Dropped by
MD5 f0748e93c870dfc7d5a1efcf3dc41e63
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70149/
  
Dropped by
SHA256 786936dec0ba7ebc9ee5580fc9309a0f01adb53b6b36daabcd7d8de3e1848e1b

Comments