MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0
SHA3-384 hash: 1a105837f9236de75a3613073c849aeeb397baa70b135cb1a08d06ac6b93674b8930ea6e372103adea20ed207c3b9785
SHA1 hash: 120db235d27b25f14d63a5100300cd09ec87e0c0
MD5 hash: 60ece7983b52efb4afcda75e1c7577b3
humanhash: jig-social-six-enemy
File name:Swift001622.Scan.pdf..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:600'064 bytes
First seen:2020-10-16 10:21:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tE65s5X0V7qdNsoJCTinpIpmxepLUBaiwpWTvyWXNaYdQD1BIzgN:tczsoIenigI6Fwp8dXcYyD1
TLSH F1D4F1197384A78FC17F8E7788621D2097F1E8B64713D3476DC720AC59CEE8A8F552A2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: ajshalom.toservers.com
Sending IP: 190.61.250.150
From: Diego ortega <info@genersia.com.ar>
Subject: Re: Re: MM-953
Attachment: Swift001622.Scan.pdf.rar (contains "Swift001622.Scan.pdf..exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71888/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493368
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299136 Sample: Swift001622.Scan.pdf..exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 33 www.iangroupfunnels.com 2->33 35 iangroupfunnels.com 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 8 other signatures 2->49 11 Swift001622.Scan.pdf..exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\...\Swift001622.Scan.pdf..exe.log, ASCII 11->31 dropped 59 Detected unpacking (changes PE section rights) 11->59 61 Detected unpacking (overwrites its own PE header) 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 15 Swift001622.Scan.pdf..exe 11->15         started        18 Swift001622.Scan.pdf..exe 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected process9 dnsIp10 37 www.njcourierpost.com 192.187.111.219, 49766, 80 NOCIXUS United States 20->37 39 paras.ltd 34.102.136.180, 49767, 49768, 49769 GOOGLEUS United States 20->39 41 3 other IPs or domains 20->41 51 System process connects to network (likely due to code injection or exploit) 20->51 24 ipconfig.exe 20->24         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 17:50:19 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjyubku6ibh4vnpelosvfxujm2o2irdmni2hj4yh33y2owr5g7qa._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201016-bsemtbn74x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.darkatnightgame.com/fgn/
Unpacked files
SH256 hash:
51083221aca6448566fdae01fb1cef1e7c78d88c868aa7f807e72384d7368d4e
MD5 hash:
3da46a203470a108ebdc7a5270d2ca7d
SHA1 hash:
2c8ed7b865b336b25376d56c2938272d7a027efa
Link:
https://www.unpac.me/results/33db4e8b-73d0-4b11-930a-414c36df4914/
SH256 hash:
2a58be6599035ccf8a6ac79f9845f83063a9c98ccb46d3b30365f8d2dceb8919
MD5 hash:
1df1d58eade5c7d77369e7c07cd2b967
SHA1 hash:
c91f4669600fc2a211b6d7284bcb5a5ae4ddcd79
Link:
https://www.unpac.me/results/33db4e8b-73d0-4b11-930a-414c36df4914/
SH256 hash:
9e78be7f7133a4db7a2891a18ce9b7779619079a8c5d8a01ee6086ac315420fc
MD5 hash:
c6ee19ba7ff7f093c9662d88d2ea7f04
SHA1 hash:
f4d5d77b89ba0a3955f8acb02dc3ce2504810ae5
Link:
https://www.unpac.me/results/33db4e8b-73d0-4b11-930a-414c36df4914/
SH256 hash:
ea40b4c489ae8a15845588abdfc86ac773e0fd414f8776a47c247a075d14ee04
MD5 hash:
ede37755372a928134c272aaff0d5773
SHA1 hash:
bb20b39a34e4a4d63d31c39cc158f0c9b1fdf5eb
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/33db4e8b-73d0-4b11-930a-414c36df4914/
Parent samples :
f9b5791e5556abf20bf540734de904ea4a0508005071f43531a1347f7fdcce08
fc0d990ef758b78feb650b93c761b3f0fe5daa30d1fbcc77a424eac49ca8cc4d
c61d5fa6c2a4f421767a7c793da96a0e8e88d482e078ef994f0a50bac73464f0
ab8c3b31b7abfcd76554ac8640d5781860ba99d878fb128ed313c64eeef6e39d
4ffeba70e305d0d745d9a60fb8a78cc3f161c3fe4a7373c2303be8f095426abd
cc0807a29f920ca94099399975ae3d52b741d6f1387ea3fb26c44b1bc22cd95c
aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0
SH256 hash:
aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0
MD5 hash:
60ece7983b52efb4afcda75e1c7577b3
SHA1 hash:
120db235d27b25f14d63a5100300cd09ec87e0c0
Link:
https://www.unpac.me/results/33db4e8b-73d0-4b11-930a-414c36df4914/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar a1d1b4d2da6aaaad93a3480579b5bdfb53d877fd891478e3b2ff3eae760246da

Formbook

Executable exe aa7140aa9e404fcab5e45ba552de89669da4446c6a3474f307def1a75a3d37e0

(this sample)

  
Dropped by
MD5 7997d482aadf8404ce2acc792b3fc33a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71888/
  
Dropped by
SHA256 a1d1b4d2da6aaaad93a3480579b5bdfb53d877fd891478e3b2ff3eae760246da

Comments