MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc207dbe79daf9a2da67fd90beef3fbe5db670288fd9c1da72ccda9c65d3d028. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc207dbe79daf9a2da67fd90beef3fbe5db670288fd9c1da72ccda9c65d3d028
SHA3-384 hash: cdc6a07e26de826da6e809e76cdaf76743b333c044544e3024eb34e5371d69f2d2380cde16b797d037596103ed701b26
SHA1 hash: 6e150649bd44e3c8023589eaadd2633b09a14d81
MD5 hash: e496718a8033ca85b0a6ff3ea197828c
humanhash: oregon-ack-zebra-queen
File name:orden de compra.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:394'752 bytes
First seen:2020-08-05 06:33:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:nBCcWYvTvJGrzDIT9xX04VIaXZXyfvTA6/1UKXwP3ALvSsm+G3up6g3MTjin+fPV:nf7MT0I0Z4vTDUKXwP3Azmtup4W+fKS
Threatray 4'959 similar samples on MalwareBazaar
TLSH 7C84017D00910267F62E1A7F5DB50A039E53C49F2639D2AF6B32108A853F72DBE51F29
Reporter abuse_ch
Tags:ESP exe FormBook geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server107.neubox.net
Sending IP: 174.136.28.112
From: Arturo Gomez Sánchez <proveedores@promedic.com.mx>
Subject: Re: orden de compra
Attachment: orden de compra.zip (contains "orden de compra.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38954/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410160
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257322 Sample: orden de compra.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 42 www.zenith.site 2->42 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Yara detected AntiVM_3 2->54 56 6 other signatures 2->56 11 orden de compra.exe 7 2->11         started        signatures3 process4 file5 34 C:\Users\user\AppData\Roaming\zDhkri.exe, PE32 11->34 dropped 36 C:\Users\user\...\zDhkri.exe:Zone.Identifier, ASCII 11->36 dropped 38 C:\Users\user\AppData\Local\...\tmpA87D.tmp, XML 11->38 dropped 40 C:\Users\user\...\orden de compra.exe.log, ASCII 11->40 dropped 66 Writes to foreign memory regions 11->66 68 Injects a PE file into a foreign processes 11->68 15 RegSvcs.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 70 Modifies the context of a thread in another process (thread injection) 15->70 72 Maps a DLL or memory area into another process 15->72 74 Sample uses process hollowing technique 15->74 76 2 other signatures 15->76 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 44 www.polychips.com 112.121.183.178, 80 NETSEC-HKNETSECHK Hong Kong 20->44 46 www.bocapvang.net 20->46 58 System process connects to network (likely due to code injection or exploit) 20->58 26 msiexec.exe 12 20->26         started        signatures11 process12 dnsIp13 48 www.polychips.com 26->48 60 Modifies the context of a thread in another process (thread injection) 26->60 62 Maps a DLL or memory area into another process 26->62 64 Tries to detect virtualization through RDTSC time measurements 26->64 30 cmd.exe 1 26->30         started        signatures14 process15 process16 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc207dbe79daf9a2da67fd90beef3fbe5db670288fd9c1da72ccda9c65d3d028/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 00:43:23 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xqqh3ptz3l42fwth7wil53z7xzo3m4bir7m4dwtsztnjyzot2aua._file
Verdict:
malicious
Similar samples:
2f9d83d844287396dcaf52b5c15c1dacc92bc4ae2e2777d24c8d09465037ace3
Formbook
5919e2d01fbc46e0aedd07630294976681fbb688e1b226dab43e60309747a877
Formbook
7df633d240b956e23b7328ae7121f7efc2a80090dbe38f2e0138d90084a795fe
Formbook
aa4fad19caeb7d4d9abd68155eee268619442c6cfc8a69c2bc337dd4efdf4b4d
Formbook
c2100ac52466885fcb64010897d0c7a4178a5c00c47e13261f66976b38f26aaf
Formbook
c37b5db790caaad96b2ae291910803a016cdae230b743bc2029a21ded85b9f03
Formbook
e3262e18e77da24473b5af2117f10a3121c8ed1a832c6e1b0f5a8f0d7e5fecda
Formbook
f19931c3ed4df0c75c53daf0e7af1cfe86fc369b0fe99c1557f0b3708a78e868
Formbook
f4156e15b465020e6687a23a63eb4b7c84a18f90ead4665087c6c2e5a09b455d
Formbook
ffaada37aa4934d94b43628a932058196e3e9d5b4375873fa440c8c2bde97326
Formbook
+ 4'949 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200805-18vw3jgg6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc207dbe79daf9a2da67fd90beef3fbe5db670288fd9c1da72ccda9c65d3d028

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip c36f38554da7bc44cfd05724102b03e721bbb40e379ebf31b8d63cf07ff8f9f6

Formbook

Executable exe bc207dbe79daf9a2da67fd90beef3fbe5db670288fd9c1da72ccda9c65d3d028

(this sample)

  
Dropped by
MD5 f16dc16710e9824bebf8b0aeb4d98202
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38954/
  
Dropped by
SHA256 c36f38554da7bc44cfd05724102b03e721bbb40e379ebf31b8d63cf07ff8f9f6

Comments