MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd3ec8d78bf4d4284aaa15e4a0780feea1420774dc1ea841f77a02d93ec93303. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd3ec8d78bf4d4284aaa15e4a0780feea1420774dc1ea841f77a02d93ec93303
SHA3-384 hash: 49af6c0e3a77aa423ced146ad518c417757d61144133ec45a44856e7e942a44dc06e3cd3f315a25219a23f24ad6bdd12
SHA1 hash: 67c2b9629ba65da20dcee7739d3df6c617550468
MD5 hash: 6f8d000435de793b923807ed9b2c5d57
humanhash: carbon-cola-robin-monkey
File name:PI. NO. 13420 CONFIRMATION BANK DETAILS_pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:803'840 bytes
First seen:2020-12-03 17:42:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:Q6pGIaejagOXPu57k0T1d9LPXLRcpk2JHL:L0neFOW57koLPXLRcpjJH
Threatray 3'064 similar samples on MalwareBazaar
TLSH 250528AD361172DFC867CD76CA681C64EA90B47B830BD343A05316EDAA4D99BCF141F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: chi-node74.websitehostserver.net
Sending IP: 107.6.158.222
From: AL KHAT AL RAQI CO, UAE <importacion@monsano.com.ec>
Subject: PI. NO. 134/2019 --2FCLS CANNED PINEAPPLE -. ADEN PORT SHIPMENT.
Attachment: PI. NO. 13420 CONFIRMATION BANK DETAILS_pdf.img (contains "PI. NO. 13420 CONFIRMATION BANK DETAILS_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106658/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/555006
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 326607 Sample: PI. NO. 13420 CONFIRMATION ... Startdate: 03/12/2020 Architecture: WINDOWS Score: 100 41 www.charlibelle.com 2->41 43 charlibelle.com 2->43 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 8 other signatures 2->57 10 PI. NO. 13420 CONFIRMATION BANK DETAILS_pdf.exe 5 2->10         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\XBpFjTOA.exe, PE32 10->33 dropped 35 C:\Users\...\XBpFjTOA.exe:Zone.Identifier, ASCII 10->35 dropped 37 C:\Users\user\AppData\Local\...\tmpC74B.tmp, XML 10->37 dropped 39 PI. NO. 13420 CONF...DETAILS_pdf.exe.log, ASCII 10->39 dropped 67 Injects a PE file into a foreign processes 10->67 14 PI. NO. 13420 CONFIRMATION BANK DETAILS_pdf.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures6 process7 signatures8 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Maps a DLL or memory area into another process 14->71 73 Sample uses process hollowing technique 14->73 75 Queues an APC in another process (thread injection) 14->75 19 wscript.exe 14->19         started        22 explorer.exe 14->22 injected 25 conhost.exe 17->25         started        process9 dnsIp10 59 Modifies the context of a thread in another process (thread injection) 19->59 61 Maps a DLL or memory area into another process 19->61 63 Tries to detect virtualization through RDTSC time measurements 19->63 27 cmd.exe 1 19->27         started        45 www.bellasiris.com 74.208.47.167, 49745, 80 ONEANDONE-ASBrauerstrasse48DE United States 22->45 47 charlibelle.com 34.102.136.180, 49739, 49756, 80 GOOGLEUS United States 22->47 49 8 other IPs or domains 22->49 65 System process connects to network (likely due to code injection or exploit) 22->65 29 autofmt.exe 22->29         started        signatures11 process12 process13 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd3ec8d78bf4d4284aaa15e4a0780feea1420774dc1ea841f77a02d93ec93303/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 17:43:08 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xu7mrv4l6tkcqsvkcxska6ap52queb3u3qpkqqpxpibnspwjgmbq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2d7c03aa083b443c2cb1f0d296d9fc1afae5b9d1894bf4d1ba98b28568cd6ab3
Formbook
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
Formbook
525d7cd6b8b1fbb2dd7a3677290da462ad1457e481568729e3c60e7361c1f602
Formbook
5bd5a94befaf51c0702273d144aa5d31fc88e7f677ea33ea98408450e1b535d7
Formbook
7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7
Formbook
94bae4886fe8942d256a84af00ae297e560b1711272c0d7b05d89f98c8067890
Formbook
9728048925e7faf422c4d7bacfaa90fae8bdcc9efad8a0868b456f3d4b213d09
Formbook
b480eb7460b75d40b103d18ad084d425deb51890f5afc96354a44445ace090aa
Formbook
b9c1be5f81b9261b1bb68fb0f667a57721bd04b750427a9382844c42d18dba6e
Formbook
be061510b405ee3bf30bd3c0b3d40e97ec35f64ec1699dccf83c4ad2ff097dfd
Formbook
+ 3'054 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201203-83w9pzjdcj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.hz007.net/sppe/
Unpacked files
SH256 hash:
9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f
MD5 hash:
7476e403eef14ac403c63c7279831780
SHA1 hash:
8387f558e30dc115987ac2b5c174a41302471abf
Link:
https://www.unpac.me/results/887c4c12-c262-40c2-a09f-5b83b374c5d9/
SH256 hash:
bd3ec8d78bf4d4284aaa15e4a0780feea1420774dc1ea841f77a02d93ec93303
MD5 hash:
6f8d000435de793b923807ed9b2c5d57
SHA1 hash:
67c2b9629ba65da20dcee7739d3df6c617550468
Link:
https://www.unpac.me/results/887c4c12-c262-40c2-a09f-5b83b374c5d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd3ec8d78bf4d4284aaa15e4a0780feea1420774dc1ea841f77a02d93ec93303

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 8a5ffe638706514f4fd1467d69f3b21fe1b32a2a28575b87913c449e5757251d

Formbook

Executable exe bd3ec8d78bf4d4284aaa15e4a0780feea1420774dc1ea841f77a02d93ec93303

(this sample)

  
Dropped by
MD5 4c4671eb036955707ef4bc9e74265fb6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106658/
  
Dropped by
SHA256 8a5ffe638706514f4fd1467d69f3b21fe1b32a2a28575b87913c449e5757251d

Comments