MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
SHA3-384 hash: 6170e383ab78e0a7eec919ad3660331d57823f90058321b014cff538f2cd3c866a516a2f0e5251d479a1097399e185fd
SHA1 hash: ae495a1e8a73782bf230e13c236f29f8014ead89
MD5 hash: 957f36fdc73e2f696761e49bf541fc45
humanhash: sodium-king-eighteen-oregon
File name:TT copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:889'856 bytes
First seen:2020-10-23 06:55:58 UTC
Last seen:2020-10-23 14:42:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qonUL0icZC9Z4viOBPNIl7GFmHOJc1Lv7UWJG8Q0P0CYwEqKI1r:xfkD4viAk7GFWOGV4Wv0CYwnKu
Threatray 4'302 similar samples on MalwareBazaar
TLSH 1D15BE0161A4DF01D2BE5BF4E42859F15BF93C6AE92ED28B4DA27CCE3972F005A52707
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: sharp.co.kr
Sending IP: 103.125.191.170
From: jy_lee@sharp.co.kr
Subject: 50% advance payment
Attachment: TT copy.r15 (contains "TT copy.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74948/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop14.7038.4425.27760.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507829
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 303039 Sample: TT copy.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 37 cdn.onenote.net 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 6 other signatures 2->51 11 TT copy.exe 4 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\tmp5401.tmp, XML 11->33 dropped 35 C:\Users\user\AppData\...\dtNRpwNzCdy.exe, PE32 11->35 dropped 61 Writes to foreign memory regions 11->61 63 Allocates memory in foreign processes 11->63 65 Injects a PE file into a foreign processes 11->65 15 RegSvcs.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 2 other signatures 15->73 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 39 breadpdq.com 34.102.136.180, 49752, 49759, 80 GOOGLEUS United States 20->39 41 www.adanacatering.com 216.250.111.41, 49734, 80 DXTL-HKDXTLTseungKwanOServiceHK Hong Kong 20->41 43 6 other IPs or domains 20->43 53 System process connects to network (likely due to code injection or exploit) 20->53 26 netsh.exe 20->26         started        signatures11 process12 signatures13 55 Modifies the context of a thread in another process (thread injection) 26->55 57 Maps a DLL or memory area into another process 26->57 59 Tries to detect virtualization through RDTSC time measurements 26->59 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 05:05:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqui7vykgvzhyfxgndkj4hriszgtnjtyatqjxztdxsu2ttvovs2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d6b4c596e189a78ffd872bffe908aaf27f74f6c36dddfd50b517f9155c0938b
Formbook
2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1
Formbook
4ffeba70e305d0d745d9a60fb8a78cc3f161c3fe4a7373c2303be8f095426abd
Formbook
62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28
Formbook
6afdf988f38a02447ffad2ceb849ccb524dc16e984ef5c92136bce88c156ef9d
Formbook
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
Formbook
a9cd7338be974197601398f017a48112ac60f5f68270cfcd7b7dba4ce8898064
Formbook
d4014ac2689b47f11708425cad3d8aa02dd05ee6d6745006156dffbe0a27b4be
Formbook
e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968
Formbook
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
Formbook
+ 4'292 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201023-zh2v8asrm2/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.richardgraycabinetmaker.com/cmd/
Unpacked files
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/ac03cb88-232d-445d-9bfb-4832b3f3c5d4/
SH256 hash:
5b2dce1d4c01388b0a2aeaed9fa45136b1bd034f3cbdadb4cbf3fc11e7ebc93f
MD5 hash:
ca53e6a2dfa70bd20063e0438093d755
SHA1 hash:
770647c55d8bda2fd972adf867ce84391efa8809
Link:
https://www.unpac.me/results/ac03cb88-232d-445d-9bfb-4832b3f3c5d4/
SH256 hash:
eb67b9a1d91528f03444c7e3b97dd396cc54f83b10ce7e118832a352a9ac0daf
MD5 hash:
c4b32d6cb53557c30f7f364d3126b7c6
SHA1 hash:
2f9a87f3d83136986f94e03da74cd01bf20ceb7f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/ac03cb88-232d-445d-9bfb-4832b3f3c5d4/
Parent samples :
73820e9bd81ce740a0a3ec45fe10749a64034aab5efbeb12adec9ebf46c0f2ba
62c093f0217805703a56345a17cab71f0da4baddf22a38075704d0d4d28b5c28
2a23aaae9ef3f48f786ed9f5bf8e9befd15aaad8be73c2a48bf46ae14ce811b1
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
SH256 hash:
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
MD5 hash:
957f36fdc73e2f696761e49bf541fc45
SHA1 hash:
ae495a1e8a73782bf230e13c236f29f8014ead89
Link:
https://www.unpac.me/results/ac03cb88-232d-445d-9bfb-4832b3f3c5d4/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar af174b636a9533b73ab2aa86c10959d2cdd6c775ee800d4698f1e47262fce7a7

Formbook

Executable exe 8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4

(this sample)

  
Dropped by
MD5 6c4ad8094e9a6028f026c19ca39dfe25
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74948/
  
Dropped by
SHA256 af174b636a9533b73ab2aa86c10959d2cdd6c775ee800d4698f1e47262fce7a7

Comments