MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196
SHA3-384 hash: 6cc637c32812a0304b5606a84d448f260403c0f79ffca66370b8f11c35b4d1c6f933d30b8d3e5138831e217e4ac092d8
SHA1 hash: e5dee7f1851ecf03020add7eaf63d8c54d06c140
MD5 hash: 04b08d658c2253aeb53a88bd02ed88d5
humanhash: tennis-social-pip-wyoming
File name:XJipAOu77zODSnZ.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:896'000 bytes
First seen:2020-10-23 06:48:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:DLpFicZCOZ4viOBPNIl7GFrg8150I7QYZcXVi+ppuKCVV2iE:D7kG4viAk7GFv15C8cvpToV
Threatray 2'641 similar samples on MalwareBazaar
TLSH 8615CE017194CF01D2BD5BF0D42455F65BF92D6AE62AD29F8DA27CCE3972F006A92B03
Reporter abuse_ch
Tags:exe FormBook Outlook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: EUR05-AM6-obe.outbound.protection.outlook.com
Sending IP: 40.92.91.13
From: golden_effect@hotmail.com
Reply-To: geimeg@quipo.it
Subject: ^SPAM^ RE CONFIRM BANKING DETAILS
Attachment: PAYMENT_COPY.html.rar (contains "XJipAOu77zODSnZ.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74933/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.28013.11841.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507793
Signature
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 303019 Sample: XJipAOu77zODSnZ.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 39 www.bfboke.com 2->39 41 bfboke.com 2->41 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 7 other signatures 2->55 11 XJipAOu77zODSnZ.exe 4 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\Temp\tmp991.tmp, XML 11->33 dropped 35 C:\Users\user\...\XJipAOu77zODSnZ.exe.log, ASCII 11->35 dropped 37 C:\Users\user\AppData\Roaming\nWQTthf.exe, PE32 11->37 dropped 65 Tries to detect virtualization through RDTSC time measurements 11->65 15 XJipAOu77zODSnZ.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 43 teamxnd02.com 34.102.136.180, 49761, 80 GOOGLEUS United States 20->43 45 www.shannonballcoach.com 35.197.119.180, 49741, 80 GOOGLEUS United States 20->45 47 2 other IPs or domains 20->47 57 System process connects to network (likely due to code injection or exploit) 20->57 26 NETSTAT.EXE 20->26         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 26->59 61 Maps a DLL or memory area into another process 26->61 63 Tries to detect virtualization through RDTSC time measurements 26->63 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 02:53:26 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxs2pwfkwx4az5nyxf6cxxzcsixpp6x2osns5n7rmvnqgsmimgla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
24c02e45ff650338b45502d2ae12062e12e99fe39b3834c3d5160b82344a053b
Formbook
2e1f23f4c8536a0f803f8d9f54e5d5c67a99aa2b0c44031d4ed743acd6003887
Formbook
3afb9252d528d667bbdf62a3e7a235615ad0814911ca4690505822cbda24c380
Formbook
46c3ab59682596a8e030fb0bad3d31c59e502f68b9f3c112309edd82d27513c3
Formbook
7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e
Formbook
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
Formbook
9254d3364f3dc1faec6f4f624e1c74f14ddfad19300eca7eb18a4a1a15cf4d98
Formbook
b7adf1bb5628fd6ec0905e0d3f32c20c39f401ce845f73e15ce867aca4a531fd
Formbook
d03792e976baeea6547686ff0fe4ced755f9bad76ee6e3ff3c5f4adf93cbb0f8
Formbook
fbe762c8c464730d016cd2ef76955fe726f74abd031cea612d6a08bce2383a3e
Formbook
+ 2'631 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201023-z8ccjcabzn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.bfboke.com/cpi/
Unpacked files
SH256 hash:
ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196
MD5 hash:
04b08d658c2253aeb53a88bd02ed88d5
SHA1 hash:
e5dee7f1851ecf03020add7eaf63d8c54d06c140
Link:
https://www.unpac.me/results/72290d49-3b55-4850-9a73-1f664192bf0d/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/72290d49-3b55-4850-9a73-1f664192bf0d/
SH256 hash:
061a1faa25cc37c57a8c7e46fcf68078d97665fde7d513c8136136f9455056c6
MD5 hash:
b79e573fbe2f09229d47ea9c55a36651
SHA1 hash:
33fb3f38940da3fdc9c5d4b2436d654be7ddcb34
Link:
https://www.unpac.me/results/72290d49-3b55-4850-9a73-1f664192bf0d/
SH256 hash:
d4fb0a8b9c22ac62d496e373a84ecfd4ff995ac7f42fd5a182c99d28b1ee8b23
MD5 hash:
088043172ff6b0898cb70ad48aebc204
SHA1 hash:
3c56969b1f938dda6d326e1d58e9f42f7266eaa0
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/72290d49-3b55-4850-9a73-1f664192bf0d/
Parent samples :
680e6e46c8bed6c48e63f6dab3409bb9cd05f6642084ef8b0d03898dacc500a7
fd5aa67ff2ae6837aaf729665b08947c23a7b5cbb1f0c9fba82ebb95ddafcf24
0bfa5712201676e9439c4624fd99b8ec2bba95ccd53fb67f0a289b0a8347fc7c
f755a2e09db3f63b7e9c035a488652b00ccb0678eca144db82e84e9e34345deb
b9fa08af8ceadc9af473f443a5b8c8d0f3e40324df53c81a5da4f97ef946e160
ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 06816098bc21f93735d8b12b3e38e1ec9752cf84a56390181f1c190541ada4ab

Formbook

Executable exe ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196

(this sample)

  
Dropped by
MD5 ca8470ff90ed287ca87fd54db19fd04a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74933/
  
Dropped by
SHA256 06816098bc21f93735d8b12b3e38e1ec9752cf84a56390181f1c190541ada4ab

Comments