MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be72c8c90c28b859a4b8af90ba67adab143cd9c97e28d8c1b1ab7d93e01e48a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be72c8c90c28b859a4b8af90ba67adab143cd9c97e28d8c1b1ab7d93e01e48a8
SHA3-384 hash: d022979d672a7ce56882ad592719a4a4e80c175dc89b4bfafb636f0964bf99d43f108981702764ada1775ca9de14e5c2
SHA1 hash: 54401f53d1462ec07c85f2b57fdd30382163f3e0
MD5 hash: df7ce0eb16f62802bd212dd17f4f1468
humanhash: arizona-wisconsin-lemon-vegan
File name:Purchase order n
Download: download sample
Signature Formbook
Create hunting rule
File size:491'008 bytes
First seen:2020-10-20 08:57:15 UTC
Last seen:2020-11-04 15:28:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:co9A1GKZHNYPzod9I5EAZJumJ4aoIWQ4oTRKsBih:cQA1GUKzod9TAqg4vZ1EKs
Threatray 2'572 similar samples on MalwareBazaar
TLSH EAA4020465AAAF31E2BF07F6301C511597F1508D7BB7EAA81EE537EA2590BC08F58E13
Reporter abuse_ch
Tags:FormBook Purchase order n


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: messefrankfurt.com
Sending IP: 23.106.160.120
From: info@messefrankfurt.com
Subject: CAP20/1396 - Purchase order n° 828/2020
Attachment: Purchase order n\xB0 8282020.rar (contains "Purchase order n")

Intelligence

File Origin
# of uploads :
4
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73436/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497431
Signature
Binary contains a suspicious time stamp
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300930 Sample: Purchase order n Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AntiVM_3 2->41 43 8 other signatures 2->43 10 Purchase order n.exe 3 2->10         started        process3 file4 27 C:\Users\user\...\Purchase order n.exe.log, ASCII 10->27 dropped 13 Purchase order n.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.hotcountrystars.com 156.242.205.43, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 16->29 31 www.reneebyzoe.com 176.31.117.132, 49808, 80 OVHFR France 16->31 33 www.4006789517.com 45.38.68.229, 49837, 80 EGIHOSTINGUS United States 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 cscript.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be72c8c90c28b859a4b8af90ba67adab143cd9c97e28d8c1b1ab7d93e01e48a8/
Threat name:
ByteCode-MSIL.Trojan.Agentesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 08:38:24 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzzmrsimfc4ftjfyv6iluz5nvmkdzwojpyunrqnrvn6zhya6jcua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0f97d2c99964370b019145742e1d9322e9248fea3e149f00c10ca99807bcafa4
Formbook
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
Formbook
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
Formbook
93a0f97c3198a1ba4fafeb2c5fd7bd44f425cc5c9ad126880128d1ec22cc22ec
Formbook
9b9d8f51a8cf586b0380629f644676e0dce350466b06224523e01db393522339
Formbook
c611c4446e4604531e8e096508422fd01b23d26c424f9625d049e7edaf4f566a
Formbook
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
Formbook
cb9826fb54d83c293531c905827920511bd9d7b259da01ac1e593d9d10aec334
Formbook
e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968
Formbook
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
Formbook
+ 2'562 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201020-6n5kryx7ye/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.defigravity.finance/prs/
Unpacked files
SH256 hash:
be72c8c90c28b859a4b8af90ba67adab143cd9c97e28d8c1b1ab7d93e01e48a8
MD5 hash:
df7ce0eb16f62802bd212dd17f4f1468
SHA1 hash:
54401f53d1462ec07c85f2b57fdd30382163f3e0
Link:
https://www.unpac.me/results/b9ccc87d-2a8f-4b79-863d-7bf603d5c5f7/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/b9ccc87d-2a8f-4b79-863d-7bf603d5c5f7/
SH256 hash:
6b4802acd9320c26c616800a761d58a273cc132620b32f2377bee27fbe0b1058
MD5 hash:
b95bf9ecb47f014cc7602ec81d1c9ad8
SHA1 hash:
ca527b8a1b3c18289d2122ce696d45f7d198bce5
Link:
https://www.unpac.me/results/b9ccc87d-2a8f-4b79-863d-7bf603d5c5f7/
SH256 hash:
7a4dd142fc7f6c2d035af88c8d40f3f8fd8d85cca3354bf9b3c3f70b03c79742
MD5 hash:
e5457ba9cbd3f6bda4909a49e536388d
SHA1 hash:
fc2b44e66f2a33edb2ec2198874831b71336bcd7
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/b9ccc87d-2a8f-4b79-863d-7bf603d5c5f7/
Parent samples :
9b9d8f51a8cf586b0380629f644676e0dce350466b06224523e01db393522339
93a0f97c3198a1ba4fafeb2c5fd7bd44f425cc5c9ad126880128d1ec22cc22ec
be72c8c90c28b859a4b8af90ba67adab143cd9c97e28d8c1b1ab7d93e01e48a8
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be72c8c90c28b859a4b8af90ba67adab143cd9c97e28d8c1b1ab7d93e01e48a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 3c07f878a02cece7a2206a3cdc92970487594cb261517ddb8d780fdc98b6f991

Formbook

Executable exe be72c8c90c28b859a4b8af90ba67adab143cd9c97e28d8c1b1ab7d93e01e48a8

(this sample)

  
Dropped by
MD5 fbe3c51eade37103f82ec9f200e6d7b0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73436/
  
Dropped by
SHA256 3c07f878a02cece7a2206a3cdc92970487594cb261517ddb8d780fdc98b6f991

Comments