MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd752c46af3d020a57a29458209f135518890abdcac5934b754a8fddf20435cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd752c46af3d020a57a29458209f135518890abdcac5934b754a8fddf20435cb
SHA3-384 hash: c8bf16729f4663e00ef4927f0f919e4fd7fbefaf4ce822c4035e557703f6e01489a8a6c896ad4875a72f22d996b933b5
SHA1 hash: 3515969d8adc26dcfc885d277f73f0d933497909
MD5 hash: 4ab79755dd0cb563ff1c45ab4f5584d5
humanhash: east-saturn-washington-ink
File name:RFQ#Q20182401.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'247'232 bytes
First seen:2020-10-07 05:06:24 UTC
Last seen:2020-10-07 08:14:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:vAHnh+eWsN3skA4RV1Hom2KXMmHaHkwdB8asP9heIO5rSzEaT5:Sh+ZkldoPK8YaHrf8/MIGSYG
Threatray 1 similar samples on MalwareBazaar
TLSH 2345BE02B3D1C036FFAB92739B6AF60556BD79254123852F13982DB9BC701B1227E763
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: carmens.it
Sending IP: 23.106.160.116
From: GajShield Infotech <sales@carmens.it>
Subject: RFQ#Q20182401//ORDER N°10014//New Suppliers Order/[OCT-DEC]
Attachment: RFQQ20182401.rar (contains "RFQ#Q20182401.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68778/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Enabling autorun by creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483663
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 294282 Sample: RFQ#Q20182401.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 41 www.click2hr.com 2->41 43 click2hr.com 2->43 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus / Scanner detection for submitted sample 2->69 71 7 other signatures 2->71 11 RFQ#Q20182401.exe 4 2->11         started        15 wscript.exe 1 2->15         started        signatures3 process4 file5 37 C:\Users\user\perfmon\adalsql.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\Roaming\...\consent.url, MS 11->39 dropped 81 Maps a DLL or memory area into another process 11->81 83 Tries to detect virtualization through RDTSC time measurements 11->83 17 RFQ#Q20182401.exe 11->17         started        20 adalsql.exe 15->20         started        signatures6 process7 signatures8 49 Modifies the context of a thread in another process (thread injection) 17->49 51 Maps a DLL or memory area into another process 17->51 53 Sample uses process hollowing technique 17->53 55 Queues an APC in another process (thread injection) 17->55 22 explorer.exe 17->22 injected 57 Antivirus detection for dropped file 20->57 59 Multi AV Scanner detection for dropped file 20->59 61 Binary is likely a compiled AutoIt script file 20->61 63 Tries to detect virtualization through RDTSC time measurements 20->63 26 adalsql.exe 20->26         started        process9 dnsIp10 45 pueblowestparking.com 207.174.212.181, 49746, 80 PUBLIC-DOMAIN-REGISTRYUS United States 22->45 47 www.pueblowestparking.com 22->47 73 System process connects to network (likely due to code injection or exploit) 22->73 28 svchost.exe 22->28         started        31 svchost.exe 22->31         started        75 Modifies the context of a thread in another process (thread injection) 26->75 77 Maps a DLL or memory area into another process 26->77 79 Sample uses process hollowing technique 26->79 signatures11 process12 signatures13 85 Modifies the context of a thread in another process (thread injection) 28->85 87 Maps a DLL or memory area into another process 28->87 33 cmd.exe 1 28->33         started        89 Tries to detect virtualization through RDTSC time measurements 31->89 process14 process15 35 conhost.exe 33->35         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bd752c46af3d020a57a29458209f135518890abdcac5934b754a8fddf20435cb/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 02:16:04 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xv2syrvphubauv5csrmcbhytkumiscv5zlczgs3vjkh534qegxfq._file
Verdict:
suspicious
Similar samples:
f8ead6b4249948dc3a300ba676acbdf6cb85ef6aef32d6bea64e9b6eb5a75f73
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201007-67x8n21vxs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Gathers network information
Modifies registry class
Suspicious use of SetThreadContext
Deletes itself
Drops startup file
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.defigravity.finance/prs/
Unpacked files
SH256 hash:
bd752c46af3d020a57a29458209f135518890abdcac5934b754a8fddf20435cb
MD5 hash:
4ab79755dd0cb563ff1c45ab4f5584d5
SHA1 hash:
3515969d8adc26dcfc885d277f73f0d933497909
Link:
https://www.unpac.me/results/643df4fb-c466-4443-b3f4-c9e36a3e202a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/bd752c46af3d020a57a29458209f135518890abdcac5934b754a8fddf20435cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar c60ab85d4915d451570e355916443fdf1e567ad7917fc6cc88dfa5a58dd3410c

Formbook

Executable exe bd752c46af3d020a57a29458209f135518890abdcac5934b754a8fddf20435cb

(this sample)

  
Dropped by
MD5 05d6bd5a3c216ecaa204d826ea1854d9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68778/
  
Dropped by
SHA256 c60ab85d4915d451570e355916443fdf1e567ad7917fc6cc88dfa5a58dd3410c

Comments