MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9fa08af8ceadc9af473f443a5b8c8d0f3e40324df53c81a5da4f97ef946e160. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	b9fa08af8ceadc9af473f443a5b8c8d0f3e40324df53c81a5da4f97ef946e160
SHA3-384 hash:	9d06aedc9746413668ff99535ac7fbb491a72a8cc0af5710998c1ee7ff5bf617e6b28fdcba17cdb02d5165de07c200d6
SHA1 hash:	a0ab73cf1b412db701e13f0097a948bf8e0f23de
MD5 hash:	811e46ee3cf822d89ec48c267a278d39
humanhash:	shade-double-jupiter-equal
File name:	6z0GZwvVSRNDV96.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	634'368 bytes
First seen:	2020-10-22 11:51:43 UTC
Last seen:	2020-10-22 13:22:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:IE9MQznu+y1o8CUL0OPYoZLUNOxlwDo7MelkR4y9A1GKZHNYPzodu:T9TzNC7Cc0t0UonBlkR4mA1GUKzod
Threatray	2'657 similar samples on MalwareBazaar
TLSH	8FD402106A9AAB33D77E87F5214C500AA771454F5322EB388DE37AE76965B00CFD0E93
Reporter	abuse_ch
Tags:	exe FormBook Outlook

abuse_ch

Malspam distributing unidentified malware:

HELO: APC01-PU1-obe.outbound.protection.outlook.com
Sending IP: 40.92.254.82
From: ezrealpan@hotmail.com
Reply-To: geimeg@quipo.it
Subject: FW RE New Contract Invoice
Attachment: New Doc.rar (contains "6z0GZwvVSRNDV96.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/74631/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.3789.24889.31163.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Launching cmd.exe command interpreter

Setting browser functions hooks

Sending a UDP request

Creating a window

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/507062

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9fa08af8ceadc9af473f443a5b8c8d0f3e40324df53c81a5da4f97ef946e160/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-22 08:15:47 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xh5arl4m5lojv5dt6rb2logi2dz6iaze35j4qgs5ut4x56kg4fqa._file

Verdict:

malicious

Label(s):

formbook

Formbook

5388c70ef1d9bfc414a92c3aa4ea34db6992ee705813b5b4a2b4c28b435cbf6c

Formbook

583e11d3579a63016e568fad73fb9f5ab64e32012ab1a0764f62191ced808078

Formbook

6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241

Formbook

6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f

Formbook

6f0c98efd3149c8527cf3f700d123da142275f32c166cf2ca2b186d1acc1286c

Formbook

b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4

Formbook

dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8

Formbook

f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6

Formbook

f40a960ed96e9a20965c184a7f798a5c2510f5673fde3b2274e4ea7ab463a324

Formbook

+ 2'647 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201022-jqheg1b1wa/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.bfboke.com/cpi/

Unpacked files

SH256 hash:

b9fa08af8ceadc9af473f443a5b8c8d0f3e40324df53c81a5da4f97ef946e160

MD5 hash:

811e46ee3cf822d89ec48c267a278d39

SHA1 hash:

a0ab73cf1b412db701e13f0097a948bf8e0f23de

Link:

https://www.unpac.me/results/9d1d41bc-e781-4452-8fae-cbbe5d438517/

SH256 hash:

31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b

MD5 hash:

0aebe46040ceb011e78506d4985fe3de

SHA1 hash:

218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

Link:

https://www.unpac.me/results/9d1d41bc-e781-4452-8fae-cbbe5d438517/

SH256 hash:

36d45e0b806f7977c240783c820b62dc10f303b823a841faef084eb203309b9b

MD5 hash:

ff6c4c4c7ac3f64e5a103375beb1d8fd

SHA1 hash:

f8326be002a9eea69d24864ad480c07839120c34

Link:

https://www.unpac.me/results/9d1d41bc-e781-4452-8fae-cbbe5d438517/

SH256 hash:

d4fb0a8b9c22ac62d496e373a84ecfd4ff995ac7f42fd5a182c99d28b1ee8b23

MD5 hash:

088043172ff6b0898cb70ad48aebc204

SHA1 hash:

3c56969b1f938dda6d326e1d58e9f42f7266eaa0

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/9d1d41bc-e781-4452-8fae-cbbe5d438517/

Parent samples :

680e6e46c8bed6c48e63f6dab3409bb9cd05f6642084ef8b0d03898dacc500a7
fd5aa67ff2ae6837aaf729665b08947c23a7b5cbb1f0c9fba82ebb95ddafcf24
0bfa5712201676e9439c4624fd99b8ec2bba95ccd53fb67f0a289b0a8347fc7c
f755a2e09db3f63b7e9c035a488652b00ccb0678eca144db82e84e9e34345deb
b9fa08af8ceadc9af473f443a5b8c8d0f3e40324df53c81a5da4f97ef946e160
ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819