MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
SHA3-384 hash: e5f94d80303811306616382fb887c64f6aef9be03ca878c78b116ecad9e26d06c9a16c4f3f75a2795e7708ff954ee377
SHA1 hash: 89688d68f59985715fd6177aeaed55858b775678
MD5 hash: 6cf028560f4ad51014ec31bf758042a8
humanhash: sad-quiet-pip-hotel
File name:Asia Offshore Services Pte Ltd.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:751'104 bytes
First seen:2020-10-22 06:52:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:qKzoMEeo9B7c3uXxNz5wugnYqKGzhZ2GsHNQYROZN/9H7fCiuBZ+MZDNg3t0Ozza:qmo9B7c3fjCdBZ+863yOvRbOj9SC
Threatray 2'627 similar samples on MalwareBazaar
TLSH 3AF48C9D722072EFC85BD4729AA82D68FB6074BB531F4203A42715ADDE4D897CF244F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: server.blakecorporations.com
Sending IP: 199.250.204.180
From: Petter Nilsen <pn@aosoffshore.com>
Reply-To: contac@tech-center.com
Subject: Asia Offshore Services / Request For Quotation
Attachment: Asia Offshore Services.zip (contains "Asia Offshore Services Pte Ltd.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74489/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506711
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 302535 Sample: Asia Offshore Services Pte ... Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 31 www.hunanmanhe.com 2->31 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Detected unpacking (changes PE section rights) 2->43 45 9 other signatures 2->45 11 Asia Offshore Services Pte Ltd.exe 3 2->11         started        signatures3 process4 file5 29 C:\...\Asia Offshore Services Pte Ltd.exe.log, ASCII 11->29 dropped 55 Injects a PE file into a foreign processes 11->55 15 Asia Offshore Services Pte Ltd.exe 11->15         started        signatures6 process7 signatures8 57 Modifies the context of a thread in another process (thread injection) 15->57 59 Maps a DLL or memory area into another process 15->59 61 Sample uses process hollowing technique 15->61 63 Queues an APC in another process (thread injection) 15->63 18 explorer.exe 15->18 injected process9 dnsIp10 33 td-balancer-euw2-6-109.wixdns.net 35.246.6.109, 49770, 80 GOOGLEUS United States 18->33 35 bleeask.com 161.35.59.157, 49771, 80 DIGITALOCEAN-ASNUS United States 18->35 37 5 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 mstsc.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 01:59:10 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=soje7clth7kocu2odhmdg5akezt77gioxk3xlwerwzu3lrziaffa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
4bbda63f732b2341b67208a1f237db39488fed540f55ee994a641a0a133ec0ac
Formbook
6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645
Formbook
75f121f9048171649f3ba28afcd30a1dcd668266717b0d98e8bac88afe411fe7
Formbook
767fc756f86db0b4de57b4ec14964f24af0e47eb23ba7fa1df6378bcf9986947
Formbook
bdad93534a202f7d3c2f102dc39093fa12a32f5de82c76a5fb41a94e1748d99e
Formbook
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
Formbook
bfae046475f1458c460cf4eed534a48c8e769fbfc622138170c3945a4ad61a90
Formbook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
Formbook
d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879
Formbook
e85f434810652692f3e0a0738d9156899afcbd2bed42a6f328f0092d72a1db34
Formbook
+ 2'617 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201022-99lcgeq5yj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.goldenlinkpowerdeals.com/esp5/
Unpacked files
SH256 hash:
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
MD5 hash:
6cf028560f4ad51014ec31bf758042a8
SHA1 hash:
89688d68f59985715fd6177aeaed55858b775678
Link:
https://www.unpac.me/results/52f4d208-9d42-44c4-a92d-bf9c547f6e9e/
SH256 hash:
6be8011a215da9eebe853d44b9c5f15f98d1b59cb800d20b33141966596db32c
MD5 hash:
aee17ab9e8fcd6caafab1f251874fe86
SHA1 hash:
c7bf4e9d4232af55f08b59ae7e9d51dd4a5c909a
Link:
https://www.unpac.me/results/52f4d208-9d42-44c4-a92d-bf9c547f6e9e/
SH256 hash:
64817a632f382fc4319b1ca9df5e3d6620c35f72dab15f6f36ae9bba314ae817
MD5 hash:
12d45198d0959904cff1e298524ebfd9
SHA1 hash:
d517dfcae439591d3630c1b95e83d8273999ddf1
Link:
https://www.unpac.me/results/52f4d208-9d42-44c4-a92d-bf9c547f6e9e/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/52f4d208-9d42-44c4-a92d-bf9c547f6e9e/
SH256 hash:
7ef2a597a5b46a2e2511fd29ec344fb6e46583800513811ab96970d2152bef23
MD5 hash:
14a2e7847436adc727b382c22e60f8c3
SHA1 hash:
7a6b823da8c0d6549a48f9a5c8cc3c234fef75cd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/52f4d208-9d42-44c4-a92d-bf9c547f6e9e/
Parent samples :
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
0dbc9167676da74b238155c1234be3891b57cb15441b8f985dfdf295bc858a41
1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc
4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
c7a440c994771410363293be06d6af76be0ded9c4a706d4b2b16b333187942bb
f85b33feed6b4f002c008c9ab364290fea609966cde31700196eb924f2618c8a
1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409
eba046a1103330eec33d061399ec4388c9bcfd7a514c3b9745b6330c22423c8f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip f0e29b3c4611c8be7ef10cd9aa6a373fb4e5c381879555ba3555150cbe1061b6

Formbook

Executable exe 93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a

(this sample)

  
Dropped by
MD5 0ba253964d411261439c1bb80efeaeb5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74489/
  
Dropped by
SHA256 f0e29b3c4611c8be7ef10cd9aa6a373fb4e5c381879555ba3555150cbe1061b6

Comments