MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a2020b3037513acb7c1bf54ba37376e3e8d04a047b97a2b035c12125e6c3ff3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a2020b3037513acb7c1bf54ba37376e3e8d04a047b97a2b035c12125e6c3ff3
SHA3-384 hash: fbc76a5014282a844c0cde066888200435f4d8c7e809a279180541f5f594ffd76c7ba62c1dc884e75fb9a0562a387d54
SHA1 hash: af8c7195c2e0353713fadf459309816f7b204f94
MD5 hash: c4277372cfc4410d55fb136613f75518
humanhash: virginia-floor-red-october
File name:Purchase Enquiry.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:540'160 bytes
First seen:2021-02-11 10:22:36 UTC
Last seen:2021-02-11 11:59:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:svv0/iei9k8mOalFu027X1mTVwo+kWHpONRMCvlCwWRMomXYP6l/0H2a8CE8IC1S:C8Zi970HR+hENRpQwMMo8sYf4iR5Z
Threatray 3'821 similar samples on MalwareBazaar
TLSH 98B401291F5C9E46D66D3FBC0EB1D22423FDE6112A25C306EFE93DCD2931F9A9940294
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: tirdonics.us
Sending IP: 172.107.194.103
From: sales011@tirdonics.us
Reply-To: sales01@tirdonics.us
Subject: Enquiry from Tridonic Inc
Attachment: Purchase Enquiry.zip (contains "Purchase Enquiry.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Enquiry.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-11 10:31:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d9638169-56f7-4b1f-9c19-56ff01aa5051

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116799/
Detection(s):
SecuriteInfo.com.ArtemisC4277372CFC4.5199.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605688
Signature
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351880 Sample: Purchase Enquiry.exe Startdate: 11/02/2021 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 9 other signatures 2->43 10 Purchase Enquiry.exe 3 2->10         started        process3 file4 27 C:\Users\user\...\Purchase Enquiry.exe.log, ASCII 10->27 dropped 13 Purchase Enquiry.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 medicareworldnewsreport.net 34.102.136.180, 49709, 80 GOOGLEUS United States 16->29 31 www.initiationpodcast.com 103.67.235.120, 49713, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Philippines 16->31 33 8 other IPs or domains 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 cscript.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a2020b3037513acb7c1bf54ba37376e3e8d04a047b97a2b035c12125e6c3ff3/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 10:38:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=riqcbmydouj2zn6bx5klunzxny7i2bfai64xukydlqjbextmh7zq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01d1722f7b547ae7024d2cb81993305f9d6aca06a1a3a32d230f9f630579327e
Formbook
28a122178f71a0ca434c0a957eb604f00c62255a49a38a07a3ca0e936112b069
Formbook
41f081bd505403ec94e9ad6cf6e496e5347482ee8cc64b7e2304ca52f286e236
Formbook
4cd5fc82f7d1094ebe188a372dd682d24083ea423f0b49a057cfacc0af849ac4
Formbook
8cc59465e09b47aa8c0fa9f06198c9a2e8a94eec0b7bf7c7e63cf1f972f6e88a
Formbook
98be979a6ee314a1829acd3d33744d9caf8fe2c871d6b73d3771c76c09584387
Formbook
a026f6e6988f126a35bb044b7215fa5fb20a41a3b3bac722bfb7f53e670cc0f4
Formbook
c3d490568e73f61c86d2d4c01e170bdcf3c0d3eb5e309ff3d3fb808a4a867a54
Formbook
cf6959fe2bb4c2e078a8bb51c097dfd79bc0ca5cd296090a897ecb30a3ee6102
Formbook
e16e2748ad4a210f438886c9a564feb8e43e3f1396446fbcdda1512a648955d0
Formbook
+ 3'811 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210211-n7vbvpayhs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.triumphantlytransformedbk.com/pep/
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/8773579a-b7a7-4749-8803-414e36e21247/
SH256 hash:
8a2020b3037513acb7c1bf54ba37376e3e8d04a047b97a2b035c12125e6c3ff3
MD5 hash:
c4277372cfc4410d55fb136613f75518
SHA1 hash:
af8c7195c2e0353713fadf459309816f7b204f94
Link:
https://www.unpac.me/results/8773579a-b7a7-4749-8803-414e36e21247/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 4fa3305718888d3c7042fa951a23b53e4b17e7ee2648d1d0345175b5da6e7567

Formbook

Executable exe 8a2020b3037513acb7c1bf54ba37376e3e8d04a047b97a2b035c12125e6c3ff3

(this sample)

  
Dropped by
MD5 69a25f91be7ab00e7b434cf1f0c67d85
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116799/
  
Dropped by
SHA256 4fa3305718888d3c7042fa951a23b53e4b17e7ee2648d1d0345175b5da6e7567

Comments