MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c03ae704dd35d3acd68ae4275d8007c3001a044c34c3d5dbc5299da6e1ca5a68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c03ae704dd35d3acd68ae4275d8007c3001a044c34c3d5dbc5299da6e1ca5a68
SHA3-384 hash: a13a037a6e0d71243a01124a8874efbd077ace39965e92f4db8ff0152e9f4dd9110f046cecaa1e255ff4361b82012b07
SHA1 hash: 3ddfc62340609c8756f2b78bf19b07edaff47be2
MD5 hash: 0ccd4cb701479094bd044e6c558c4662
humanhash: missouri-massachusetts-papa-solar
File name:PO Data2.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:506'880 bytes
First seen:2020-08-04 06:40:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:CIzC4AfotUD2iNVdQTXDdioq33k2+demtC8EP3bNm0ld:CIzfs919qhDq3+ZE82L46d
Threatray 5'397 similar samples on MalwareBazaar
TLSH D0B4BE25B461D801C3AE6637CECF441887EDEC0236A2DF2ABD9E33994502B67DD169CD
Reporter abuse_ch
Tags:Endurance exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: 162-241-205-158.unifiedlayer.com
Sending IP: 162.241.205.158
From: Paccagnini Marisa <marisa.pacagnini@pompetravaini.it>
Reply-To: Paccagnini Marisa <marisa.paccagnini@qualityservice.com>
Subject: Fw: Quotation Request
Attachment: PO Data2.zip (contains "PO Data2.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38197/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408662
Signature
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 256567 Sample: PO Data2.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 54 www.rpueuetd.com 2->54 62 Malicious sample detected (through community Yara rule) 2->62 64 Yara detected AntiVM_3 2->64 66 Yara detected FormBook 2->66 68 6 other signatures 2->68 11 PO Data2.exe 3 2->11         started        signatures3 process4 file5 52 C:\Users\user\AppData\...\PO Data2.exe.log, ASCII 11->52 dropped 92 Injects a PE file into a foreign processes 11->92 15 PO Data2.exe 11->15         started        signatures6 process7 signatures8 94 Modifies the context of a thread in another process (thread injection) 15->94 96 Maps a DLL or memory area into another process 15->96 98 Sample uses process hollowing technique 15->98 100 Queues an APC in another process (thread injection) 15->100 18 explorer.exe 4 6 15->18 injected process9 dnsIp10 56 www.joomlas123.com 199.192.16.98, 49728, 80 NAMECHEAP-NETUS United States 18->56 58 www.cannachocolata.com 18->58 60 parkingpage.namecheap.com 198.54.117.216, 49736, 49737, 49738 NAMECHEAP-NETUS United States 18->60 46 C:\Users\user\AppData\...\b6b4_rchkhl.exe, PE32 18->46 dropped 76 System process connects to network (likely due to code injection or exploit) 18->76 78 Benign windows process drops PE files 18->78 23 raserver.exe 1 17 18->23         started        27 b6b4_rchkhl.exe 3 18->27         started        29 b6b4_rchkhl.exe 2 18->29         started        31 3 other processes 18->31 file11 signatures12 process13 file14 48 C:\Users\user\AppData\...\-LRlogrv.ini, data 23->48 dropped 50 C:\Users\user\AppData\...\-LRlogri.ini, data 23->50 dropped 80 Detected FormBook malware 23->80 82 Tries to steal Mail credentials (via file access) 23->82 84 Tries to harvest and steal browser information (history, passwords, etc) 23->84 90 2 other signatures 23->90 33 cmd.exe 1 23->33         started        86 Injects a PE file into a foreign processes 27->86 35 b6b4_rchkhl.exe 27->35         started        38 b6b4_rchkhl.exe 27->38         started        40 b6b4_rchkhl.exe 27->40         started        42 b6b4_rchkhl.exe 29->42         started        88 Tries to detect virtualization through RDTSC time measurements 31->88 signatures15 process16 signatures17 44 conhost.exe 33->44         started        70 Modifies the context of a thread in another process (thread injection) 35->70 72 Maps a DLL or memory area into another process 35->72 74 Sample uses process hollowing technique 35->74 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c03ae704dd35d3acd68ae4275d8007c3001a044c34c3d5dbc5299da6e1ca5a68/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 06:42:07 UTC
AV detection:
35 of 48 (72.92%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ya5oobg5gxj2zvuk4qtv3aahymabubcmgtb5lw6ffgo2nyokljua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16b59963cf5398fe9d50d18723bf7b78073a6fd4d1dfd3072b45b8852ead2d58
Formbook
22d5036d18a7dbaf7a67487165b4bca434220d5d066ba9f74bc1ad20eb37290a
Formbook
3ec51daa2ad133cfcdce1ffca7081f96ee58d9b5c2d302cee732e6e2cc3d8cc6
Formbook
4e16c663be416ebc214f67367811ccbfec46102cc9ecac856b91f58ff775885d
Formbook
6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb
Formbook
8791d7218610249f735812d5d7f4f890e0e399c3efab189221bfe96732fc2b1e
Formbook
8825d54a98bbf629eac36f5a74a592a78d8463819c0f1e097e48ad5a235b92d9
Formbook
900a6f47b5d63eeb95728c0ec9ae469d31564cfbb1849b34549ac0f8de28fcde
Formbook
abdda3f05f9a29ab8ea6f45d5249f04168a17f3b64034a3596f8b0f1701db1a5
Formbook
ebb20ece00b9d35c26bb797dbbbd6df726473e198a53095cb232dc8042c18d7e
Formbook
+ 5'387 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200804-fz7xex7a36/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/c03ae704dd35d3acd68ae4275d8007c3001a044c34c3d5dbc5299da6e1ca5a68

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 3da88c81cee3bb8c463adde88ac1d1498228dec960b0c1b8ec912a17a1a1a88c

Formbook

Executable exe c03ae704dd35d3acd68ae4275d8007c3001a044c34c3d5dbc5299da6e1ca5a68

(this sample)

  
Dropped by
MD5 f23f403ca946a5d57ce47361c05a2c7a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38197/
  
Dropped by
SHA256 3da88c81cee3bb8c463adde88ac1d1498228dec960b0c1b8ec912a17a1a1a88c

Comments