MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
SHA3-384 hash: b46e03797e41520c500285d6e99dca1afecca3c490c21dea9ed3c3e4b88a350db21fc31e41d88710a5e49cbda3a4ecbc
SHA1 hash: 1950bff0632ad10bd951e0fd5d307b58874cfe9a
MD5 hash: 1f154fdeb1f182e8e2d4bc203b5ff1f2
humanhash: carbon-winner-xray-high
File name:Shiment PL.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:854'528 bytes
First seen:2020-10-19 07:21:50 UTC
Last seen:2020-10-19 08:24:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:4t6HU8+sP4RbSvdVU0ClncgtmQJrx0T5ssFrHIcEooF3ArxMf4XxQ:c83PmSvdV9Cc2m1NlboBAfXxQ
Threatray 2'523 similar samples on MalwareBazaar
TLSH 8B058B352688AF54E17D8733A4A4244093FBEC12D339D91E7CEA354E1E71BC5D223B9A
Reporter abuse_ch
Tags:exe FormBook t-online


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mailout11.t-online.de
Sending IP: 194.25.134.85
From: Amir Khatif <volker.hunsicker@t-online.de>
Subject: RE:RE: PURCHASE ORDER:DKSB ADM (P) 100-2020 (SMARTFAC
Attachment: Shiment PL.img (contains "Shiment PL.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72773/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.28010.533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494981
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299950 Sample: Shiment PL.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 34 www.antiquefactory.net 2->34 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 8 other signatures 2->48 11 Shiment PL.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\Shiment PL.exe.log, ASCII 11->32 dropped 14 Shiment PL.exe 11->14         started        17 Shiment PL.exe 11->17         started        19 Shiment PL.exe 11->19         started        process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 21 explorer.exe 14->21 injected process8 dnsIp9 36 trungnguyen.company 81.2.194.128, 49746, 80 INTERNET-CZKtis238403KtisCZ Czech Republic 21->36 38 aeguana.systems 34.102.136.180, 49747, 80 GOOGLEUS United States 21->38 40 3 other IPs or domains 21->40 50 System process connects to network (likely due to code injection or exploit) 21->50 25 NETSTAT.EXE 21->25         started        signatures10 process11 signatures12 52 Modifies the context of a thread in another process (thread injection) 25->52 54 Maps a DLL or memory area into another process 25->54 56 Tries to detect virtualization through RDTSC time measurements 25->56 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 04:17:48 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vkk7gdnfjdnosmcm5jz6e5xyp7nlkmaynlwbilvygarpd4y7ls3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
Formbook
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
Formbook
4638cb61381b2f87e80fd39f4b6c5f661ee224c874127c868b977d86cbdd7d10
Formbook
4ffeba70e305d0d745d9a60fb8a78cc3f161c3fe4a7373c2303be8f095426abd
Formbook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
Formbook
82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
Formbook
8a10ba003c94b5e6576d10a0c4bd01cabef6d87e4811e96c1a028e2cde63f414
Formbook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
Formbook
ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65
Formbook
d2b880fc3d1f874e31d23a37b38f75ceb1162c21ce895aec8dbec7f9c952f8f2
Formbook
+ 2'513 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook evasion
Link:
https://tria.ge/reports/201019-9567t7nn7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Unpacked files
SH256 hash:
aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
MD5 hash:
1f154fdeb1f182e8e2d4bc203b5ff1f2
SHA1 hash:
1950bff0632ad10bd951e0fd5d307b58874cfe9a
Link:
https://www.unpac.me/results/e56a3a05-24e4-423d-b729-fdb41f17c563/
SH256 hash:
556281f94f5a988aa337090d8ca45e773d4469550c89eaa03e9b363a29db35ef
MD5 hash:
2f23fdbdfcd6395669e0a2cad23d6783
SHA1 hash:
c1a06190b2e4c4a016f6d912b7439685a2ca4b69
Link:
https://www.unpac.me/results/e56a3a05-24e4-423d-b729-fdb41f17c563/
SH256 hash:
c2f2f0e86917d6d55f2174fcefb768e62a84b611bd067b4ee2bea38464c69f1b
MD5 hash:
a685d24f1be1321fba42f3ecf579f66e
SHA1 hash:
c27de7e9c09f32b95d1e63bb885caf38eeb6486b
Link:
https://www.unpac.me/results/e56a3a05-24e4-423d-b729-fdb41f17c563/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/e56a3a05-24e4-423d-b729-fdb41f17c563/
SH256 hash:
3e4322d92993da943414f86544570a6366f567c8dab90155d17950191c9a657a
MD5 hash:
ec88f7a13ad0e7c54b7716e278a205b9
SHA1 hash:
a2f9c27d7fd847ab4b823c7807c9ddf0248606b9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/e56a3a05-24e4-423d-b729-fdb41f17c563/
Parent samples :
aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
a812b53ce06f7785297f38cec33ce1d277ea2784e9f9dde6fb80781d09a4ad32
2abd32fd6ec97ad3fa0d675153247b7449025f7087a7dfdee569143f195d2cf5
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa95f30da548/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 590f131908569ecdb275e7d49ff775362bedb7f849e67ad9861247fa89795af6

Formbook

Executable exe aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6

(this sample)

  
Dropped by
MD5 22dfd4095cd2f3080062f8de8b8a0c4a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72773/
  
Dropped by
SHA256 590f131908569ecdb275e7d49ff775362bedb7f849e67ad9861247fa89795af6

Comments