MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b33d4aa5d310ea72ac089f58b923d2f9c95a63864cf55052b3933a6c12c40d4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b33d4aa5d310ea72ac089f58b923d2f9c95a63864cf55052b3933a6c12c40d4b
SHA3-384 hash: 23d28c250266d0c44dd8058e55d6723799813de7d73790bb9d16cbd9a5c29d59b9ad166c750779355a9363c4cc2ecf37
SHA1 hash: c231ff3cd2930bba52135267bc351ab0d694a345
MD5 hash: 61de5b0f44beb0866a05b94defa7dbb0
humanhash: edward-spring-sodium-undress
File name:PO_1012000.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:593'408 bytes
First seen:2020-10-12 09:46:41 UTC
Last seen:2020-10-12 09:52:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:g+fC2INzRobH54kGV4clg+s5R/EViQcOxKRhafIpS:g+lInbV4cM49cOxK4IA
Threatray 2'410 similar samples on MalwareBazaar
TLSH DCC4F13027D89B66E57DF7BE0020146027F1E04AD335DB6E7D94819D85AEFD18BA2B43
Reporter abuse_ch
Tags:exe FormBook Hostwinds


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-779728.hostwindsdns.com
Sending IP: 104.168.218.39
From: "hr-jcheung.pw" <hr@jcheung.pw>
Subject: URGENT PO_1012000007 NEW
Attachment: PO_1012000.rar (contains "PO_1012000.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70050/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488270
Signature
Antivirus / Scanner detection for submitted sample
Creates an undocumented autostart registry key
Detected FormBook malware
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 296576 Sample: PO_1012000.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 41 www.mnrka.tech 2->41 43 mnrka.tech 2->43 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 7 other signatures 2->55 11 PO_1012000.exe 3 2->11         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\PO_1012000.exe.log, ASCII 11->39 dropped 69 Detected unpacking (changes PE section rights) 11->69 71 Tries to detect virtualization through RDTSC time measurements 11->71 73 Injects a PE file into a foreign processes 11->73 15 PO_1012000.exe 11->15         started        signatures6 process7 signatures8 75 Modifies the context of a thread in another process (thread injection) 15->75 77 Maps a DLL or memory area into another process 15->77 79 Sample uses process hollowing technique 15->79 81 Queues an APC in another process (thread injection) 15->81 18 explorer.exe 15->18 injected process9 dnsIp10 45 www.prosjakslobode.com 172.67.183.157, 49714, 49715, 80 CLOUDFLARENETUS United States 18->45 47 www.oppofanclub.com 172.106.49.93, 49713, 80 AS40676US United States 18->47 57 System process connects to network (likely due to code injection or exploit) 18->57 22 mstsc.exe 1 18 18->22         started        signatures11 process12 file13 35 C:\Users\user\AppData\...\6L-logrv.ini, data 22->35 dropped 37 C:\Users\user\AppData\...\6L-logri.ini, data 22->37 dropped 59 Detected FormBook malware 22->59 61 Creates an undocumented autostart registry key 22->61 63 Tries to steal Mail credentials (via file access) 22->63 65 4 other signatures 22->65 26 cmd.exe 2 22->26         started        29 cmd.exe 1 22->29         started        signatures14 process15 signatures16 67 Tries to harvest and steal browser information (history, passwords, etc) 26->67 31 conhost.exe 26->31         started        33 conhost.exe 29->33         started        process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b33d4aa5d310ea72ac089f58b923d2f9c95a63864cf55052b3933a6c12c40d4b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 09:48:12 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wm6uvjotcdvhflait5mlsi6s7hevuy4gjt2vauvtsm5gyewebvfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
17de42648d49e21ed411c460fa0c805443e1898e21114beb8ea7301da3ee6b31
Formbook
23b880c48fec41fa4fc337f0ecb3d9cd5ee8f71cd45448049a35bbcb85bb01f5
Formbook
2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Formbook
33500d82b580ebcc34521dd70217ba0cf976d4708f6d9d413388aae64317b43d
Formbook
4458df211fccf5c1d24b96ebb7b4191cc94edc0b0e13bbb80ae3919f015297d9
Formbook
54c0138d6a0dbd5967d7cf51eb753b29aa1fd72a85152285bd22347fa6654022
Formbook
6fb6937cf1cdf0d1c89ba807e43754a2d06754cd820992dc0b91cb61540cf547
Formbook
ad660d774f78137622d038976557c8782211dbfd39d2ff9a7a4bcc9279ba0f41
Formbook
c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40
Formbook
cddef48cbafa5561f43fd788cfc08215af2c8c4d700bbad363c467e60ad0eda1
Formbook
+ 2'400 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/201012-f4j7rj2546/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mydesc.xyz/myc/
Unpacked files
SH256 hash:
b33d4aa5d310ea72ac089f58b923d2f9c95a63864cf55052b3933a6c12c40d4b
MD5 hash:
61de5b0f44beb0866a05b94defa7dbb0
SHA1 hash:
c231ff3cd2930bba52135267bc351ab0d694a345
Link:
https://www.unpac.me/results/2220fe7c-4158-49fa-952d-2da8b0dcdd7f/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/2220fe7c-4158-49fa-952d-2da8b0dcdd7f/
SH256 hash:
651a7a0bec5ef0c7324dd0e7ca89536cbfdd7bc0fd802ccceeb8b545e8db6046
MD5 hash:
0bf4ba7c991e405a084b8c0aa900a267
SHA1 hash:
910f95b56e75d8b6926d55a8b522395117cfa065
Link:
https://www.unpac.me/results/2220fe7c-4158-49fa-952d-2da8b0dcdd7f/
SH256 hash:
bb9ceb43137bce05b828d55a749d15c4f2285b68e24507e4ef13bb9b7678a466
MD5 hash:
e02623d440e7ad1f0ff3493b5912bbc3
SHA1 hash:
a026c80c1472bb22a24ac703f98a463659df2c9e
Link:
https://www.unpac.me/results/2220fe7c-4158-49fa-952d-2da8b0dcdd7f/
SH256 hash:
4d432305a7ca2890f44a55fb4786cf008b172bfe4758ca9d5a805baad93c0715
MD5 hash:
1628052442421eb18821c3414e970341
SHA1 hash:
8eefea8401608fabcfdba457a807e8799858de3b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/2220fe7c-4158-49fa-952d-2da8b0dcdd7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/b33d4aa5d310ea72ac089f58b923d2f9c95a63864cf55052b3933a6c12c40d4b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 0607aaa0d8df20ed7a0ff4095f4dafa5338302b95bc71042d690e67d95749a91

Formbook

Executable exe b33d4aa5d310ea72ac089f58b923d2f9c95a63864cf55052b3933a6c12c40d4b

(this sample)

  
Dropped by
MD5 17cc1731cf36b3bc37a29eac0fadbb93
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70050/
  
Dropped by
SHA256 0607aaa0d8df20ed7a0ff4095f4dafa5338302b95bc71042d690e67d95749a91

Comments