MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afbb4d08bfde470b3405f98f84a5be0456cf40edf8f08f7b4cb7a6cfcf5ee682. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afbb4d08bfde470b3405f98f84a5be0456cf40edf8f08f7b4cb7a6cfcf5ee682
SHA3-384 hash: 77554cabd4382b47f71062e0a46ff8471c05dcec82de3ef1d5c14f3b09c9f4a0a99152189d12513e0dcacc2c179b7b53
SHA1 hash: aa4c4cb1f611c462e7af0c15acef1b8f3af0c407
MD5 hash: c3a548481da400874d2efcd1f9e00770
humanhash: london-tennis-six-island
File name:PI209174.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:601'088 bytes
First seen:2020-10-22 07:40:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:lEZagQ/myQg6+JFJuA1eA9anDA0nwZwuIOZSJ/9A1GKZHNYPzod:SZagQ/mhSvuA1ei0nuwSZSJ1A1GUKzod
Threatray 2'618 similar samples on MalwareBazaar
TLSH 7CD4022171AAFB32D3BE9BF6205C451993F1159F57B2E7180DE377EA2940B058B80E63
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.hyterm.xyz
Sending IP: 134.209.44.46
From: Zainul<office@teleaurd.xyz>
Reply-To: <friding7@gmail.com>
Subject: RE: RE: New Order
Attachment: Swift Copy.7z (contains "PI209174.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74548/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afbb4d08bfde470b3405f98f84a5be0456cf40edf8f08f7b4cb7a6cfcf5ee682/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 02:44:33 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v65u2cf73zdqwnaf7ghyjjn6arlm6qhn7dyi662mw6tm7t2642ba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76
Formbook
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
754b53cd03dcc7c3d854a9628e5d01447fd778aae73f7890b5f7527ad4bd76ea
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
a0c73c5e7d039898c297b3e6d1c48bc7c32eae93a24b731a0c21717925dba028
Formbook
a76869f6ece56a889175cb2cebdb60e4a24025184ebeb7fa9c6210668eb023fe
Formbook
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
Formbook
c5eddcaa83e4167df259033ee45a3624c5a700877aac6bc54dd46d1a3a1aacbd
Formbook
e85ece3cee51156974c3fb8f0e2c707dae2b51b0d2db9e5fb10531d2fdd76ca6
Formbook
f1a12a36b7cdbc3e0429105b407ca042b88c6113e39083abc39316ad835e41fe
Formbook
+ 2'608 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201022-72vnm6226s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.ruartemoyano.com/xnc/
Unpacked files
SH256 hash:
afbb4d08bfde470b3405f98f84a5be0456cf40edf8f08f7b4cb7a6cfcf5ee682
MD5 hash:
c3a548481da400874d2efcd1f9e00770
SHA1 hash:
aa4c4cb1f611c462e7af0c15acef1b8f3af0c407
Link:
https://www.unpac.me/results/abd01e0f-5eb0-4d75-81d8-969cc391779d/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/abd01e0f-5eb0-4d75-81d8-969cc391779d/
SH256 hash:
962b36b641c8d494243cee1b75bd611630ec02f9c99d8c60c44278263444a97f
MD5 hash:
48a08a8769329cf161cbfc6910e8a1d0
SHA1 hash:
9e2c72cbf697b47f446f79399f910df21dcf7cef
Link:
https://www.unpac.me/results/abd01e0f-5eb0-4d75-81d8-969cc391779d/
SH256 hash:
c199d8a3ebeb73fa8fe38d9877c0bef18353ce4636c4e522d6b29235e1623b9f
MD5 hash:
2deab67c54eae83cd3a743873769b2a3
SHA1 hash:
df0f42b626c423e08f531353f6cc614ae62cc639
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/abd01e0f-5eb0-4d75-81d8-969cc391779d/
Parent samples :
e85ece3cee51156974c3fb8f0e2c707dae2b51b0d2db9e5fb10531d2fdd76ca6
a76869f6ece56a889175cb2cebdb60e4a24025184ebeb7fa9c6210668eb023fe
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
adfaf60f2ef07cd0b6f3fdd429fb94e76376ebf41b0b615d2664449e6adb358e
afbb4d08bfde470b3405f98f84a5be0456cf40edf8f08f7b4cb7a6cfcf5ee682
344ae78ecc8cac02bb3dcd94c654b74543db829984f903f57dfab395639bfc72
ec5a75f9492dd42e6da3aedf206c5ff750b1ab67b75a88410e967c8c87bd65b7
67b5dd0cd10a35b265d59bffca0b6f05040626fc986b11d2200c05028e91878a
5250b6aa047823e57f17d7f569816518b6acffce3ac870b2167b0cdc262b2bba
89e36f73f667df03dd636f766a9b127c9c0b307fc0ae3149b2d1ff6f34c84b09
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 858163fdbb9de75b6c5e4a028800c6038a14c71401a0fb479d17ea53dba626ba

Formbook

Executable exe afbb4d08bfde470b3405f98f84a5be0456cf40edf8f08f7b4cb7a6cfcf5ee682

(this sample)

  
Dropped by
MD5 70ae0306b0d434be58402ca099ba00fb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74548/
  
Dropped by
SHA256 858163fdbb9de75b6c5e4a028800c6038a14c71401a0fb479d17ea53dba626ba

Comments