MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c
SHA3-384 hash: eca62ec3205ba8594a45d5238dfd48ff71c2d3a31faba0aff732c788311e57652252dc0182edcc37a4b6bebd83ea9b36
SHA1 hash: c3083fc31d975e98fe3530e31b3df9872d101b92
MD5 hash: 300282451ca9742c52a667f932cebc11
humanhash: virginia-papa-sink-delta
File name:DOC_2020101209438759554.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:594'944 bytes
First seen:2020-10-12 14:46:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:dMz2I70YH42lS4jLgY4GGR/YS1xLY5cROxAI3unuwLEI:dRS7M4nV4GGIcRkT
Threatray 2'415 similar samples on MalwareBazaar
TLSH 21C4F13237A9AB26E87DD3BD0434504427F1F0A2E725D72A7DA580DD0AB6F95C7A2703
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail.inconcertcc.com
Sending IP: 200.40.135.115
From: Jorge Juscamaita <jjuscamaita@inconcertcc.com>
Subject: AW: 21501120100258 - PURCHASE ORDER FOR INVOICE SUBMISSION
Attachment: DOC_2020101209438759554.PDF.IMG (contains "DOC_2020101209438759554.PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70124/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.445.10854.17619.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488573
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 296741 Sample: DOC_2020101209438759554.PDF.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 37 www.lodi-smart.city 2->37 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 8 other signatures 2->51 11 DOC_2020101209438759554.PDF.exe 3 2->11         started        signatures3 process4 file5 35 C:\...\DOC_2020101209438759554.PDF.exe.log, ASCII 11->35 dropped 55 Tries to detect virtualization through RDTSC time measurements 11->55 57 Injects a PE file into a foreign processes 11->57 15 DOC_2020101209438759554.PDF.exe 11->15         started        18 DOC_2020101209438759554.PDF.exe 11->18         started        20 DOC_2020101209438759554.PDF.exe 11->20         started        22 DOC_2020101209438759554.PDF.exe 11->22         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 24 explorer.exe 15->24 injected process9 dnsIp10 39 annshermanmk.com 34.102.136.180, 49753, 80 GOOGLEUS United States 24->39 41 www.vicious.world 172.67.163.29, 49754, 80 CLOUDFLARENETUS United States 24->41 43 2 other IPs or domains 24->43 53 System process connects to network (likely due to code injection or exploit) 24->53 28 rundll32.exe 24->28         started        signatures11 process12 signatures13 59 Modifies the context of a thread in another process (thread injection) 28->59 61 Maps a DLL or memory area into another process 28->61 63 Tries to detect virtualization through RDTSC time measurements 28->63 31 cmd.exe 1 28->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 06:57:04 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqqtoj6ixmtsclfcbgzx7fmd622ljm5jzs3yykt5j4afpjdjyzoa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
262d8dd389aad1ef11023ded97da5703e88f1a96c2b0b8a1dbdde5fa7ee04022
Formbook
37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b
Formbook
691e25f141a0389dec22a7f9027a57ff7242cd2918f525e3c22e81c863f803c9
Formbook
816581131b3f726da0cfef239111730e74f04e9015df6a519b92a7e0d6e2cd6a
Formbook
9b9931b133a5a15ee73de2ffd8b6f2f7b80e834cf4a3cf17f030c479b21abf9b
Formbook
a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
Formbook
ad8c070c48103dbc11875a052aa0447395f6ddda11e3f9e8aed091f0bb14050d
Formbook
b0ae66cd2296539cdeb9f833ff7ebc3616cda6d8068d1883e27a04c9240d0d3f
Formbook
cb9826fb54d83c293531c905827920511bd9d7b259da01ac1e593d9d10aec334
Formbook
e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69
Formbook
+ 2'405 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201012-yr5wfgtq6e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Unpacked files
SH256 hash:
b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c
MD5 hash:
300282451ca9742c52a667f932cebc11
SHA1 hash:
c3083fc31d975e98fe3530e31b3df9872d101b92
Link:
https://www.unpac.me/results/023c3fcd-05e3-4d65-bbb2-4764efd96ea1/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/023c3fcd-05e3-4d65-bbb2-4764efd96ea1/
SH256 hash:
9ef6da5c1e205f816d77d022b57c2ae9bbc635d147ba2b4fcd1e5b6da95c7026
MD5 hash:
7d3edf7cc4c506f8b70222e8994b6362
SHA1 hash:
65533a46052fefcee26d561ad66575e272bdf560
Link:
https://www.unpac.me/results/023c3fcd-05e3-4d65-bbb2-4764efd96ea1/
SH256 hash:
f002c486870c4d7f047ff09f6c77a2dda9ec3093a7e39e7f048c4ec4db937f29
MD5 hash:
5ffc742572c4edd777b752ac07fc23e7
SHA1 hash:
d1eef57074d67a750ecdeead1d0e15a257c169dd
Link:
https://www.unpac.me/results/023c3fcd-05e3-4d65-bbb2-4764efd96ea1/
SH256 hash:
2d40ab6f1919b17686260de751b43fc3b24934b26408d267d0e4dd996570fb9e
MD5 hash:
b1b298be02d8a9ac1a3b3008a41f6619
SHA1 hash:
a9bc9b0012dee7c0e0268a6bb8c5bb1fbb9d74ea
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/023c3fcd-05e3-4d65-bbb2-4764efd96ea1/
Parent samples :
37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b
b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c
bfbf73201037462acf28b231212bc311a923ca797168533c3b4d233686f335ef
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img a8a3bea644fb9739a6f567ee1842048f186d83018cbaaf70ac2fb65173187e11

Formbook

Executable exe b4213727c8bb27212ca209b37f9583f6b4b4b3a9ccb78c2a7d4f0057a469c65c

(this sample)

  
Dropped by
MD5 40c35b54da97b41f74006a0332e13e42
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70124/
  
Dropped by
SHA256 a8a3bea644fb9739a6f567ee1842048f186d83018cbaaf70ac2fb65173187e11

Comments