MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449
SHA3-384 hash: 2fba2d7cea51583d460a61b0f25d3317dbb58f47c3575bde57b220cd52cd6db5b5e6221dea4fa99805b21536efbd9b91
SHA1 hash: b49952ad0ca843161eb0007bd3a2d11d2658a0cd
MD5 hash: a2a428b257a59105a86bac5863d95a5b
humanhash: sodium-oven-potato-black
File name:유티아이테크-발주서 송부의건..exe
Download: download sample
Signature Formbook
Create hunting rule
File size:573'440 bytes
First seen:2020-10-26 10:09:54 UTC
Last seen:2020-10-26 11:58:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:0v6ADH2uzeiJJqmm3jArbzS1qYqMEYCR4CjUvdsRxD9C:6DHhJwmQM3zS1qYqSC6C4ORxD
Threatray 2'747 similar samples on MalwareBazaar
TLSH F7C4E02232889706E57D87BD5412C0306BF1BC86DB31D6697DE4BADF35B2F848B26712
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm46.hanmail.net
Sending IP: 203.133.180.234
From: UTITECH <wine1072@hanmail.net>
Subject: 유티아이테크-발주서 송부의건
Attachment: 유티아이테크-발주서 송부의건..gz (contains "유티아이테크-발주서 송부의건..exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/78980/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3915.21284.622.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511568
Signature
.NET source code contains potential unpacker
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 304937 Sample: #Uc720#Ud2f0#Uc544#Uc774#Ud... Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 35 www.thaijasminewarren.com 2->35 37 thaijasminewarren.com 2->37 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 11 #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe 4 2->11         started        signatures3 process4 process5 13 #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe 11->13         started        signatures6 55 Modifies the context of a thread in another process (thread injection) 13->55 57 Maps a DLL or memory area into another process 13->57 59 Sample uses process hollowing technique 13->59 61 Queues an APC in another process (thread injection) 13->61 16 explorer.exe 13->16 injected process7 dnsIp8 29 zukcoc.com 192.185.112.16, 49753, 80 UNIFIEDLAYER-AS-1US United States 16->29 31 www.zukcoc.com 16->31 33 www.tuningyan.tech 16->33 39 System process connects to network (likely due to code injection or exploit) 16->39 20 NETSTAT.EXE 16->20         started        23 autofmt.exe 16->23         started        signatures9 process10 signatures11 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53 25 cmd.exe 1 20->25         started        process12 process13 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-25 23:19:03 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmdwexp2lvvigcl75dfjpy5qhfzqq3ci6boqusxqkml6yswzsreq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04cfc683167a0462256cdf6a6f29ae3e628b09ff0d6052b569edfb0ada348c10
Formbook
162fdb36fbbaff1589c43a9d4ee712e15e8e123a562e569fcee28db30b756396
Formbook
5248643a130c832416245ea6b33ab3724a81c4e4a36b2ea424dd1a5fc1dd7ac2
Formbook
765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037
Formbook
796283950089c8792456eb6b2f89a148de3def99691115ae7aadf8dc930d4d4a
Formbook
87d8ef6a4c6bf661d7957a62b9e8e9ea6627f80227f9ea88502bf601b94a960e
Formbook
af61853ca27001c0721463fce68bb033a9084e9fcd0c6ced3acd7fc3ea0e957a
Formbook
b3420cc90cce972045db0377a5c383ce049652650946b0c84f27280a7dbd1e38
Formbook
bfbf73201037462acf28b231212bc311a923ca797168533c3b4d233686f335ef
Formbook
d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c
Formbook
+ 2'737 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201026-psp2cqb3x6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 737a0a98af8680ae43e71664f863147f13473480697767dee2dd0264623d0a90

Formbook

Executable exe bb07625dfa5d6a83097fe8ca97e3b03973086c48f05d0a4af05317ec4ad99449

(this sample)

  
Dropped by
MD5 02315370bebb36c0659a66a435b04e0a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 737a0a98af8680ae43e71664f863147f13473480697767dee2dd0264623d0a90
Cape
Cape
https://www.capesandbox.com/analysis/78980/

Comments