MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fa2ffcaaf492a5d9e68b376580871cce9d495d32934d90fe7e431b09de2c6d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fa2ffcaaf492a5d9e68b376580871cce9d495d32934d90fe7e431b09de2c6d9
SHA3-384 hash: 38b1c03ac7eab34facbc31d420552bbcc3bb528ebe0b92585a3270f842fc3365799f7fde338a142fefc13e8737299dcf
SHA1 hash: 27072a8a03f08b10935b83e73bdaa4bc7676df2f
MD5 hash: 9c2191b9a8eabed6913f5e0cb9d0d5c1
humanhash: network-thirteen-pizza-twelve
File name:RFQ J893- PR#28201909R1 - Supply of Alloy Pipes.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:597'504 bytes
First seen:2020-11-06 17:36:51 UTC
Last seen:2020-11-06 19:39:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:W8StYJIMgNrv2XgzJymAAX+cXkLTIrsGcfgprTPbxVHJIdi:xGw6NrvH/Ac+q4TIvWgZ7bPHWdi
Threatray 2'860 similar samples on MalwareBazaar
TLSH 60D4CF3CA2083FD1D13EA3B890E9150057F2A15AC331FACA3DE651CF19F6EA56677A11
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.26592.19755.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/523548
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 310874 Sample: RFQ J893- PR#28201909R1 - S... Startdate: 06/11/2020 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 7 other signatures 2->42 10 RFQ J893- PR#28201909R1 - Supply of Alloy Pipes.exe 3 2->10         started        process3 file4 28 RFQ J893- PR#28201...Alloy Pipes.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 RFQ J893- PR#28201909R1 - Supply of Alloy Pipes.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 cgudalupevictoria.com 162.241.61.219, 49764, 80 UNIFIEDLAYER-AS-1US United States 17->30 32 lotteryscratchers.info 34.102.136.180, 49760, 80 GOOGLEUS United States 17->32 34 5 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 ipconfig.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9fa2ffcaaf492a5d9e68b376580871cce9d495d32934d90fe7e431b09de2c6d9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 01:47:36 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6rp7svpjevf3htiwn3fqcdrztu5jfotfe2nsd7h4qy3bhpcy3mq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
143848b6d47c7c571df87a7dee1892aa571b94fca0d9d60c6b7a2141f644950a
Formbook
1d6b4c596e189a78ffd872bffe908aaf27f74f6c36dddfd50b517f9155c0938b
Formbook
4e712f5df51bc5970b962b170cfde7a6cd20622ac67164a6f2101655a8a7d7f3
Formbook
718d659864d771ebadf82d8b5461d39c2bd6bd514ea2d2273d2821a23ab28ed0
Formbook
73c2d8d44daa16a7b406b82cd5201483ae40404037e7a543ad91689cbced81ad
Formbook
bbb95e154a42908b2bbb1797d8b6178343b7c084158183f628b5c4bf3fe5ac7d
Formbook
d86a036697fc43fa7041bd5e298ff785adcf44c78057f3c1c9db8fa9f694ce64
Formbook
e232dc56a916d659961271caf129b47c5fa561f71ecff17f6c96801cd7b50820
Formbook
e8383b3c3d533f13eb4b642b48d587cddaf187f0d1719e829f5e4cf5eea24969
Formbook
f264e8bfb72842255656d3aebf39da5daa78192daf8a87950eee3d9034839b4e
Formbook
+ 2'850 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201106-ccg35phecj/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.squirewatchbands.com/vrf/
Unpacked files
SH256 hash:
9fa2ffcaaf492a5d9e68b376580871cce9d495d32934d90fe7e431b09de2c6d9
MD5 hash:
9c2191b9a8eabed6913f5e0cb9d0d5c1
SHA1 hash:
27072a8a03f08b10935b83e73bdaa4bc7676df2f
Link:
https://www.unpac.me/results/d35370df-2ab9-40d5-a201-29c2fcc4c765/
SH256 hash:
a06e0df89bf08dfad4b4aecc7def0a5d063d5dee4ede518d335383412edb75d1
MD5 hash:
108bf86298916145660a3b2192e66563
SHA1 hash:
03c3ee7576d5f370937dd8fdf4fdc5ad27b6b1cd
Link:
https://www.unpac.me/results/d35370df-2ab9-40d5-a201-29c2fcc4c765/
SH256 hash:
42bcd16d0e564b1c2f02299023b8021f51c5669224d808df4b921f5fc4ec8a96
MD5 hash:
d33fc25ac7fe6a894e22701cf92e7cae
SHA1 hash:
e314eff21049c36ad9ac47197b5880e2fe166710
Link:
https://www.unpac.me/results/d35370df-2ab9-40d5-a201-29c2fcc4c765/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/d35370df-2ab9-40d5-a201-29c2fcc4c765/
SH256 hash:
f6fb15bacbfb72b6e1a7a6d9eb0b3333d0c9a20a8cd272af280d1bcea1c4f529
MD5 hash:
79b8b3446537e91691e49fc7d93678b4
SHA1 hash:
b4bb0a110f067fc78b17c70eb20519c6150855db
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/d35370df-2ab9-40d5-a201-29c2fcc4c765/
Parent samples :
e8383b3c3d533f13eb4b642b48d587cddaf187f0d1719e829f5e4cf5eea24969
d86a036697fc43fa7041bd5e298ff785adcf44c78057f3c1c9db8fa9f694ce64
e232dc56a916d659961271caf129b47c5fa561f71ecff17f6c96801cd7b50820
9fa2ffcaaf492a5d9e68b376580871cce9d495d32934d90fe7e431b09de2c6d9
983dcf9b03811d5d870aaafa2aefc1c6c17ceb5a21b7d9c5f6a9f1236bcbed4b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 9fa2ffcaaf492a5d9e68b376580871cce9d495d32934d90fe7e431b09de2c6d9

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments