MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
SHA3-384 hash: d27a4c27887031b4398e7fcfcba0e0f1b89a8c5320eb21d96e74eecce47d4bcbe8f8142ff3b6a9863ba5bdabb38e1d70
SHA1 hash: 118884c86a526fde7749147d484268ed3ea84278
MD5 hash: 331ab7f07e52835d3f9a3c6741c7cfcc
humanhash: winter-march-tennis-salami
File name:Metals USA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:779'264 bytes
First seen:2020-10-21 16:55:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5bEpX2u3HwHROZuOX4yEAhnP38q75FHlb7FXyqIPrc537EXuo/Xd2lKMl/J+l:NCH3LuOXnLPMqFj7oqsriLlo/X4lKY/
Threatray 2'602 similar samples on MalwareBazaar
TLSH 29F4E15E1214AAC1F71C363E98E82765D37AEBE06D72F65C5CC03499F963FA9002129F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: titania.dnshigh.com
Sending IP: 185.81.4.144
From: Lourenco Goncalves <info@metalsusa.com>
Reply-To: contac@tech-center.com
Subject: Metals USA / Request For Quotation
Attachment: Metals USA.zip (contains "Metals USA.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74234/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506301
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 302239 Sample: Metals USA.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 31 www.sdsolarco.com 2->31 33 sdsolarco.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 6 other signatures 2->47 11 Metals USA.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\Metals USA.exe.log, ASCII 11->29 dropped 57 Injects a PE file into a foreign processes 11->57 15 Metals USA.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.uwn5depranium.xyz 103.37.118.201, 49733, 80 VECTANTARTERIANetworksCorporationJP Japan 18->35 37 www.gestiondeproyectoscp6.com 104.28.5.208, 49732, 80 CLOUDFLARENETUS United States 18->37 39 www.bodrum-ua.com 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 rundll32.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 16:28:28 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2s2fif232eafnr5lgtfhnyua6jkzx5b7u7zftfp5g5vskuurawq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0538ad6e3f92ea13a5a3dadb18e807ce26097bbfd2f473e873a514b6dbbe8f5d
Formbook
145880ed94e0db3cab65cb54db4728520f1ac5f95ff2b0dda2650233542dd706
Formbook
1d9958a0a083b0f134bf5c777e6cee112d30f6059e3f7d301cf78e3777b7a637
Formbook
2f7928f55bdc7b386f2163c027d9ac29cf2cee2dd29b54fee39f18bc8db8344b
Formbook
75f121f9048171649f3ba28afcd30a1dcd668266717b0d98e8bac88afe411fe7
Formbook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
Formbook
bfae046475f1458c460cf4eed534a48c8e769fbfc622138170c3945a4ad61a90
Formbook
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
Formbook
d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879
Formbook
e85f434810652692f3e0a0738d9156899afcbd2bed42a6f328f0092d72a1db34
Formbook
+ 2'592 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201021-ckrj6pmn5a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.goldenlinkpowerdeals.com/esp5/
Unpacked files
SH256 hash:
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
MD5 hash:
331ab7f07e52835d3f9a3c6741c7cfcc
SHA1 hash:
118884c86a526fde7749147d484268ed3ea84278
Link:
https://www.unpac.me/results/4443ce88-38fd-46b1-ac42-90c3782d5d44/
SH256 hash:
d61afd7ab581deb32347646a8d2c38cd4679367e507337870bbbf1de77cd21a9
MD5 hash:
f1bdd531bc75a9461335b2a4a6b8e648
SHA1 hash:
29a440e14159ca9563fa6feeaa49471aa8178131
Link:
https://www.unpac.me/results/4443ce88-38fd-46b1-ac42-90c3782d5d44/
SH256 hash:
4c9bbc4f98ee76f9035230cc86cdd3f40fd6b25d370159574d73e6ec53d5fc57
MD5 hash:
0d95e2418df51c60e2843aa805dec26d
SHA1 hash:
d74c67c9c7d939bfdb491c661a6efcfea3e8a136
Link:
https://www.unpac.me/results/4443ce88-38fd-46b1-ac42-90c3782d5d44/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/4443ce88-38fd-46b1-ac42-90c3782d5d44/
SH256 hash:
7ef2a597a5b46a2e2511fd29ec344fb6e46583800513811ab96970d2152bef23
MD5 hash:
14a2e7847436adc727b382c22e60f8c3
SHA1 hash:
7a6b823da8c0d6549a48f9a5c8cc3c234fef75cd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/4443ce88-38fd-46b1-ac42-90c3782d5d44/
Parent samples :
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
0dbc9167676da74b238155c1234be3891b57cb15441b8f985dfdf295bc858a41
1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc
4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
c7a440c994771410363293be06d6af76be0ded9c4a706d4b2b16b333187942bb
f85b33feed6b4f002c008c9ab364290fea609966cde31700196eb924f2618c8a
1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409
eba046a1103330eec33d061399ec4388c9bcfd7a514c3b9745b6330c22423c8f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

4af9155fa79cf818082c9241449159b1

Formbook

Executable exe bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d

(this sample)

  
Dropped by
MD5 4af9155fa79cf818082c9241449159b1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74234/

Comments