MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcef7d2e4880300c71e62f7115a3fcf5d4fd3d3a3d8684c1c9a17fd777956e0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcef7d2e4880300c71e62f7115a3fcf5d4fd3d3a3d8684c1c9a17fd777956e0b
SHA3-384 hash: bf9c5378e1c42cc423f57139c794b4cb3a0ee9504fa69f54652ebfdc3efc878f9b8acccfcd3d71a888eecd432f42ff0d
SHA1 hash: e3c46815165d048bd876af725da5564d84248040
MD5 hash: d30e459a347f586a09e95332e40901eb
humanhash: white-lamp-spaghetti-five
File name:20200707_PO1757611.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:495'104 bytes
First seen:2020-08-27 08:23:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:c4NVpZh1d2dsxIDF++J8PRXNgRDQd+1Q58opH:hpZ5/Ih+M8PRd6Du+Rop
Threatray 54 similar samples on MalwareBazaar
TLSH 58B4126457BDCF09DAFE1BBA986D334203F27885E8B5E2C59F44C19B14E2BC149127A3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm38.hanmail.net
Sending IP: 203.133.180.226
From: 주식회사내담건설 <nd505@daum.net>
Subject: 견적요청_해성 _PO1757611.pdf.cab.gz
Attachment: PO1757611.pdf.cab.gz (contains "20200707_PO1757611.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51681/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/452415
Signature
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Detected FormBook malware
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 278567 Sample: 20200707_PO1757611.exe Startdate: 27/08/2020 Architecture: WINDOWS Score: 100 50 www.byticians.com 2->50 52 byticians.com 2->52 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 11 other signatures 2->66 11 20200707_PO1757611.exe 5 2->11         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\oGhZlCD.exe, PE32 11->38 dropped 40 C:\Users\user\...\oGhZlCD.exe:Zone.Identifier, ASCII 11->40 dropped 42 C:\Users\user\AppData\Local\...\tmp14D3.tmp, XML 11->42 dropped 44 C:\Users\user\...\20200707_PO1757611.exe.log, ASCII 11->44 dropped 70 Tries to detect virtualization through RDTSC time measurements 11->70 72 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->72 15 20200707_PO1757611.exe 11->15         started        18 schtasks.exe 1 11->18         started        20 20200707_PO1757611.exe 11->20         started        22 2 other processes 11->22 signatures6 process7 signatures8 74 Modifies the context of a thread in another process (thread injection) 15->74 76 Maps a DLL or memory area into another process 15->76 78 Sample uses process hollowing technique 15->78 80 Queues an APC in another process (thread injection) 15->80 24 explorer.exe 15->24 injected 28 conhost.exe 18->28         started        process9 dnsIp10 54 meriktuxtla.com 162.241.61.209, 49741, 49742, 49743 UNIFIEDLAYER-AS-1US United States 24->54 56 www.siprossii.com 185.53.177.74, 49740, 80 TEAMINTERNET-ASDE Germany 24->56 58 www.meriktuxtla.com 24->58 68 System process connects to network (likely due to code injection or exploit) 24->68 30 svchost.exe 1 17 24->30         started        signatures11 process12 file13 46 C:\Users\user\AppData\...\-2Alogrv.ini, data 30->46 dropped 48 C:\Users\user\AppData\...\-2Alogri.ini, data 30->48 dropped 82 Detected FormBook malware 30->82 84 Creates an undocumented autostart registry key 30->84 86 Tries to steal Mail credentials (via file access) 30->86 88 4 other signatures 30->88 34 cmd.exe 1 30->34         started        signatures14 process15 process16 36 conhost.exe 34->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcef7d2e4880300c71e62f7115a3fcf5d4fd3d3a3d8684c1c9a17fd777956e0b/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-08-27 08:24:11 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtxx2lsiqayay4pgf5yrli746xkp2pj2hwdijqojuf75o54vnyfq._file
Verdict:
unknown
Similar samples:
013d92479d88b8e1c76b764f9362e1c101481b6c26ac40dacec77b7910ec7344
Formbook
1b70d8bec1085949c128725ae5a8b69ccaeda7c20fb1e7be0d6e9ff2b5ef1a85
Formbook
2d97cf9262ff136c4d4f42d29be1b0e119e48373acf969dbaf6aa0c188c5ab10
Formbook
3b70052787ba01b0f7d97fe6bb0278e739e0837d827769710e0514605ab6b474
Formbook
47a8274c13d1205f8651a7b2df233e51e59b369ce8250cc755ff61d422afa561
Formbook
483fc85417b647e1100ca61a281e1c2bce0d2a7d66db220f72ec4f1f2d7e2ab9
Formbook
82c21c0385cf81bd1bebb5be82fb080207e1189729202980c408151692637a02
Formbook
98d4b7190b6a816819aa380c586680a0b5129d9516d51a2eed25f6399c93b23a
Formbook
b2532be6f4f18504d0cdb50f75d84d41880203d3ad0d51a499ea8d48b2d97a64
Formbook
cb77918ae8d2691de468c12d6a6074156a81b7774eadbd7197038285140d94cc
Formbook
+ 44 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200827-qd8v1xkp7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/bcef7d2e4880300c71e62f7115a3fcf5d4fd3d3a3d8684c1c9a17fd777956e0b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz aa770373b30c2f847684241a55b643723a77608f17b9dfd2fcd1e4b875bf2a4e

Formbook

Executable exe bcef7d2e4880300c71e62f7115a3fcf5d4fd3d3a3d8684c1c9a17fd777956e0b

(this sample)

  
Dropped by
MD5 a63319d8f30cd17c9a6814af1414f882
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/51681/
  
Dropped by
SHA256 aa770373b30c2f847684241a55b643723a77608f17b9dfd2fcd1e4b875bf2a4e

Comments