MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3d9fa54d77e4cc21b331862bf1c4d4aca6f6e026bbac20a6bd5204593a7a8f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3d9fa54d77e4cc21b331862bf1c4d4aca6f6e026bbac20a6bd5204593a7a8f4
SHA3-384 hash: 1606a923f72f89ae1c9226284aedeb30787894b0e27cbb7dd16bb2fbb2004a35277d7dae53272d3b234eec1176e5cea1
SHA1 hash: 15eab2a2e3160de12ce4cba39944b87cb067059d
MD5 hash: 8e506a189136c606c47b883ea3c79695
humanhash: whiskey-winner-spaghetti-princess
File name:COMMERCIAL INVOICE, BILL OF LADING, DOC.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:532'480 bytes
First seen:2020-11-04 14:25:03 UTC
Last seen:2020-11-04 15:09:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:rMSV2ae1Qrd0XZGUF7tC2x3a6u7wZgPgMn:9V2krd00Aj07OQRn
Threatray 2'791 similar samples on MalwareBazaar
TLSH 88B4234D7248D239C67C1AF5DDA211882B7692425D72A7E9DD4CF2FF2918FE608023F2
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82928/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.453.2861.20333.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Connection attempt
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/520257
Signature
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309228 Sample: COMMERCIAL INVOICE, BILL OF... Startdate: 04/11/2020 Architecture: WINDOWS Score: 100 32 www.thecrunchydumpling.com 2->32 34 www.eniolaasagrownup.com 2->34 36 3 other IPs or domains 2->36 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 11 COMMERCIAL INVOICE, BILL OF LADING, DOC.exe 1 2->11         started        signatures3 process4 file5 30 COMMERCIAL INVOICE...LADING, DOC.exe.log, ASCII 11->30 dropped 62 Writes to foreign memory regions 11->62 64 Maps a DLL or memory area into another process 11->64 15 RegAsm.exe 11->15         started        signatures6 process7 signatures8 66 Modifies the context of a thread in another process (thread injection) 15->66 68 Maps a DLL or memory area into another process 15->68 70 Sample uses process hollowing technique 15->70 72 2 other signatures 15->72 18 explorer.exe 15->18 injected process9 dnsIp10 38 macsindiaexports.com 103.120.177.182, 49737, 80 NETMAGIC-APNetmagicDatacenterMumbaiIN India 18->38 40 mysafeazores.com 13.94.143.131, 49746, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->40 42 11 other IPs or domains 18->42 54 System process connects to network (likely due to code injection or exploit) 18->54 22 NETSTAT.EXE 12 18->22         started        signatures11 process12 dnsIp13 44 www.phcp9.com 22->44 56 Modifies the context of a thread in another process (thread injection) 22->56 58 Maps a DLL or memory area into another process 22->58 60 Tries to detect virtualization through RDTSC time measurements 22->60 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3d9fa54d77e4cc21b331862bf1c4d4aca6f6e026bbac20a6bd5204593a7a8f4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 13:51:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=upm7uvgxpzgmegztdbrl6hcnjlfg63qcno5mectl2uqele5hvd2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
048a4bdb5c21a62e9028370b06b2804aaeb3b85b2446f5c47ff3fb3e7f676be8
Formbook
15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76
Formbook
1b10d999126d02956f9d2fec22e0d83b560a5fa8fd873628a6df5650fefe48fd
Formbook
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
76b5083ce1a34c82e63cded85ecdf767f9d254e99a0d49174fbdd4a449857e41
Formbook
a0c73c5e7d039898c297b3e6d1c48bc7c32eae93a24b731a0c21717925dba028
Formbook
c5eddcaa83e4167df259033ee45a3624c5a700877aac6bc54dd46d1a3a1aacbd
Formbook
da455c9459a51e64557b7f36c33a3ef60fdc43b647d1f2f480c3de5d31b2aa2f
Formbook
f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172
Formbook
f2cb02b3c504a4db0b43f79aef0d63398d9b984ee84d07acd690a448b63b5636
Formbook
+ 2'781 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201104-bmdbgzxmz6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Blacklisted process makes network request
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.thecrunchydumpling.com/o9b2/
Unpacked files
SH256 hash:
a3d9fa54d77e4cc21b331862bf1c4d4aca6f6e026bbac20a6bd5204593a7a8f4
MD5 hash:
8e506a189136c606c47b883ea3c79695
SHA1 hash:
15eab2a2e3160de12ce4cba39944b87cb067059d
Link:
https://www.unpac.me/results/e2ea0d41-e727-4076-a01a-570a746955a8/
SH256 hash:
00ad2e81c746646a1e259b4ac7ba712c28cf9cf33dfc675d339873a7ff0cf745
MD5 hash:
260a63740c988a61b9c4f65001a5b885
SHA1 hash:
b081f2a047899a25f5fff73ab0038fda49f01fb0
Link:
https://www.unpac.me/results/e2ea0d41-e727-4076-a01a-570a746955a8/
SH256 hash:
781a7d71b6bda28bdc0b4ec9cd8cd1097cb6f0fcd2c03f07dcecc77661dbc9ea
MD5 hash:
78dc78b5a296d4a21e7bc27194227f01
SHA1 hash:
ab21620f05fb6e144765f7f8d50653fa584597d1
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e2ea0d41-e727-4076-a01a-570a746955a8/
Parent samples :
a3d9fa54d77e4cc21b331862bf1c4d4aca6f6e026bbac20a6bd5204593a7a8f4
45122febb861f3b96da0f14222950ac3de67acc346a17ebe9d9e432744682fe9
acd9b03d66d463c3b7a101e07d15d4007c0a06c5848ea08f75e677a2a5300c1a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/82928/

Comments