MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 999813d0bce8eb3dd4057bb0535d1ce571c272a3ac60264d4a4ecc28f7644875. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 999813d0bce8eb3dd4057bb0535d1ce571c272a3ac60264d4a4ecc28f7644875
SHA3-384 hash: 29e40e7ac8fb9d8b998fa427b68533e80aaed79aef8d4cb1a07f5750895e92735aaba0dfeb4f8d9e1391b71d37d197b8
SHA1 hash: d0dde45c613b6402d85ccc1ff5d77c809a619494
MD5 hash: 7f7a4249559e5ee4540994f94def85db
humanhash: equal-victor-sierra-foxtrot
File name:RFQ_38463846393646388368364834.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'095'104 bytes
First seen:2021-03-16 10:35:53 UTC
Last seen:2021-03-16 12:49:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:z7myfeqqD0jjxnqkaaFZp27enk6ymYIr7GrCKnY27RENq6+7U8LcjHWdr:z7myfB3ebDgJEr
Threatray 11'188 similar samples on MalwareBazaar
TLSH 9DA55A04F758AE96D5171B76C0A3852482E4DE6B6273F30F79D9BCE2793238A4D4E4C2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.softwarecommercials.com
Sending IP: 154.16.145.158
From: Krista Aranda <amarnex.mail@msa.hinet.net>
Subject: Proforma Invoice
Attachment: RFQ_38463846393646388368364834.ISO (contains "RFQ_38463846393646388368364834.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_38463846393646388368364834.exe
Verdict:
Malicious activity
Analysis date:
2021-03-16 10:41:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee1d0cac-4c62-4a0a-9b31-4422d3b1a6ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis7F7A4249559E.927.30813.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90264ec4-bba6-4861-841d-bbc851e68b4b
Result
Threat name:
AgentTesla FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/640597
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 369273 Sample: RFQ_38463846393646388368364... Startdate: 16/03/2021 Architecture: WINDOWS Score: 100 54 www.reflectionsinbloom.com 2->54 56 reflectionsinbloom.com 2->56 58 www.motherhoddefined.com 2->58 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for dropped file 2->72 74 13 other signatures 2->74 12 RFQ_38463846393646388368364834.exe 15 7 2->12         started        signatures3 process4 file5 46 C:\Users\user\AppData\Roaming\...\program.exe, PE32 12->46 dropped 48 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 12->48 dropped 50 C:\Users\user\...\program.exe:Zone.Identifier, ASCII 12->50 dropped 52 C:\...\RFQ_38463846393646388368364834.exe.log, ASCII 12->52 dropped 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->98 16 program.exe 14 6 12->16         started        20 cmd.exe 1 12->20         started        signatures6 process7 file8 42 C:\Users\user\AppData\Roaming\...\anyo.exe, PE32 16->42 dropped 62 Writes to foreign memory regions 16->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->64 66 Injects a PE file into a foreign processes 16->66 22 AddInProcess32.exe 16->22         started        25 anyo.exe 2 16->25         started        29 conhost.exe 20->29         started        31 reg.exe 1 1 20->31         started        signatures9 process10 dnsIp11 82 Modifies the context of a thread in another process (thread injection) 22->82 84 Maps a DLL or memory area into another process 22->84 86 Sample uses process hollowing technique 22->86 94 2 other signatures 22->94 33 explorer.exe 22->33 injected 60 mail.spamora.net 185.26.106.194, 49738, 587 ATE-ASFR France 25->60 44 C:\Windows\System32\drivers\etc\hosts, ASCII 25->44 dropped 88 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->88 90 Tries to steal Mail credentials (via file access) 25->90 92 Tries to harvest and steal ftp login credentials 25->92 96 3 other signatures 25->96 file12 signatures13 process14 process15 35 NETSTAT.EXE 33->35         started        signatures16 76 Modifies the context of a thread in another process (thread injection) 35->76 78 Maps a DLL or memory area into another process 35->78 80 Tries to detect virtualization through RDTSC time measurements 35->80 38 cmd.exe 35->38         started        process17 process18 40 conhost.exe 38->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/999813d0bce8eb3dd4057bb0535d1ce571c272a3ac60264d4a4ecc28f7644875/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-16 06:36:10 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tgmbhuf45dvt3vafpoyfgxi44vy4e4vdvrqcmtkkj3gcr53ejb2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
formbook
Create hunting rule
Similar samples:
0b755a23b31f709cdcd39b195d0bd4d50b049bd869b1db57892fb94878992760
Formbook
1a90c85df972b45ce610304517be47a742b7cdba4f19f54c9a6b7244649c9290
Formbook
1c4a38783b7106da94c3bfdf1e3719a6e0761b2007441f035ca9ff38021dc2b5
Formbook
3bbed2bec4921aca55a13e5ccf12147bb43f164a915e9b1b0a0bfb9a54954409
Formbook
48e2e258e44d96537874773301324e9ac9d69086808fac632a599746cdb3bd91
Formbook
74561e938b5a4d9966fa56ba62082b6bcc9deecbe62984d1ebfc7db34eaf9f17
Formbook
90389790309ed963a0908cec1a9a6866ae0c6e41c8103454f3a311bc93a21125
Formbook
d9f4c10febc99ea723d7f3f13d92be6bd54fc18eab233e5b28c5bcff0f3c1e1e
Formbook
e3fc20c3720e3822c54c48f53cffb77b3a21769eb9c03c63fe7fb032d7181bfa
Formbook
ef233cee4b1ff1192e4213b68857105e0a091c9a84c9a8146821eb48cfebf666
Formbook
+ 11'178 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:xloader keylogger loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/210316-bpp3fdwlrn/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
AgentTesla Payload
Xloader Payload
AgentTesla
Xloader
Malware Config
C2 Extraction:
http://www.gyminofhomeaffairs.com/csv8/
Unpacked files
SH256 hash:
999813d0bce8eb3dd4057bb0535d1ce571c272a3ac60264d4a4ecc28f7644875
MD5 hash:
7f7a4249559e5ee4540994f94def85db
SHA1 hash:
d0dde45c613b6402d85ccc1ff5d77c809a619494
Link:
https://www.unpac.me/results/f4237267-4cfe-4179-8294-b36b7233926f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/999813d0bce8eb3dd4057bb0535d1ce571c272a3ac60264d4a4ecc28f7644875

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 8700c8d26ecfb96b53a7f6da73e95f3477738309028be2b31c04ea49751444b5

Formbook

Executable exe 999813d0bce8eb3dd4057bb0535d1ce571c272a3ac60264d4a4ecc28f7644875

(this sample)

  
Dropped by
MD5 0e0f6f0e071d56bd3dac80d8ef637e8e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8700c8d26ecfb96b53a7f6da73e95f3477738309028be2b31c04ea49751444b5

Comments