MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021
SHA3-384 hash: 68219753fc3a60ad0f59d7782733da6a63e602de9251423421d7f8367a9a563c627b41979b82ffeb97280f10018b6c53
SHA1 hash: c0ba31015b7866f6ca9cba58fb26a807ca5ad6a1
MD5 hash: 9e253536cdf9c8ff66ccc8b18d294441
humanhash: chicken-august-wyoming-nebraska
File name:Vghj5O8TF2rYH85.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:891'392 bytes
First seen:2021-02-06 08:27:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:yZi970AuR5CQFq+l4u+uhWe4ppngT0n8pbYr9ANFu5ogg8BWO4LM3Z2l2:yZh5CQJ7+e4pRjoYr9AXu5zgk4Q3Y
Threatray 3'760 similar samples on MalwareBazaar
TLSH EB15029A2F784B0DC2252FF306F5D11463BA9C25286DC309FEB135D9A676F8809807E7
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: sonic315-22.consmr.mail.ne1.yahoo.com
Sending IP: 66.163.190.148
From: abdul rehman memon <seyani_1234@yahoo.com>
Subject: : Fwd: Wire Transfer Payment
Attachment: HBSCXXX6.rar (contains "Vghj5O8TF2rYH85.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Vghj5O8TF2rYH85.exe
Verdict:
Malicious activity
Analysis date:
2021-02-06 08:29:30 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/7f64f374-7477-47ff-93cd-902bcd25d772

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115923/
Detection(s):
SecuriteInfo.com.Artemis9E253536CDF9.913.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/601047
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 349542 Sample: Vghj5O8TF2rYH85.exe Startdate: 06/02/2021 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 8 other signatures 2->45 10 Vghj5O8TF2rYH85.exe 3 2->10         started        process3 file4 29 C:\Users\user\...\Vghj5O8TF2rYH85.exe.log, ASCII 10->29 dropped 55 Tries to detect virtualization through RDTSC time measurements 10->55 57 Injects a PE file into a foreign processes 10->57 14 Vghj5O8TF2rYH85.exe 10->14         started        signatures5 process6 signatures7 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Maps a DLL or memory area into another process 14->61 63 Sample uses process hollowing technique 14->63 65 Queues an APC in another process (thread injection) 14->65 17 explorer.exe 14->17 injected process8 dnsIp9 31 dgcsales.net 184.106.16.223, 49763, 80 RACKSPACEUS United States 17->31 33 www.besteprobioticakopen.online 94.23.162.163, 49766, 80 OVHFR France 17->33 35 22 other IPs or domains 17->35 47 System process connects to network (likely due to code injection or exploit) 17->47 21 NETSTAT.EXE 12 17->21         started        signatures10 process11 dnsIp12 37 www.lengyue.cool 21->37 49 Modifies the context of a thread in another process (thread injection) 21->49 51 Maps a DLL or memory area into another process 21->51 53 Tries to detect virtualization through RDTSC time measurements 21->53 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-06 03:43:36 UTC
AV detection:
33 of 47 (70.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yqeotldmpbo6mdd2mxbhrrdwczogmbkhmrp7gswoen3h5ywrmaqq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
Formbook
148007b32a311769a958c3f87c6c836b14457f17dbe6a9a0188b0f68b3c30b40
Formbook
17adca833d9ccaf731ac41830d08db7b447ff391ce54052532d4d90fb4594a40
Formbook
238dd9cb9b1c235e2babbc3f3b1372da8d76e4d94a4440776814957e0fd09f0b
Formbook
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
Formbook
86879b01844ab067722fd2ca12bf5a666136348ca9a7f72a33ca42d9707e84d0
Formbook
9bbf5d9bbd2233a988ab0404217e8750154c3f93aef5555ba7cdbc94d23257b1
Formbook
c826a0b0506ddc4d93aba9f41ed795a88cca8bdb8c54f4af5d8dbdf9767e9ad3
Formbook
f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619
Formbook
fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6
Formbook
+ 3'750 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210206-rf4j7nvbt6/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.besteprobioticakopen.online/uszn/
Unpacked files
SH256 hash:
1820c232000eaca2b342006581d1e0743ff2166f57f917b8691901867e7ad3e0
MD5 hash:
cc0ba93bd12ee998cacab013043ff2c6
SHA1 hash:
c5ca7761965d1eedceaab08eb3bc06963292bd87
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/8e2272a8-f6d9-49b1-a6a2-79a945250099/
Parent samples :
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
00b4306bf3aa94183358ece86c01bb245ca2e39ba0a2d56f5b9d8b50c3ba3e91
fe30613b322753635f37763ebfeb63e065629b56e2924e51dc188f24be3f05d6
f1cb70b8963d11aab0392a24161c0851f2d320d62aa101c3f960bcf0d7d94619
17adca833d9ccaf731ac41830d08db7b447ff391ce54052532d4d90fb4594a40
c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
87b9a54e05cadec6a6ba97a28c1de2b59b47987dcac4781203dc4811b2d33e24
ddaa3b6f19f3e7b9a6e8ebe8188ceea0d1bb0c285a0b2d783c8d0cc7005e37a6
SH256 hash:
a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720
MD5 hash:
11e80c54bfeff7f0c120dae46df0a8be
SHA1 hash:
d597b9b0dcac06f0aa00a931bb90de8eba564651
Link:
https://www.unpac.me/results/8e2272a8-f6d9-49b1-a6a2-79a945250099/
SH256 hash:
09585c4711ad56c3cbe04b9c8c4f9334292e55f80b8f1a662e600705d28d9306
MD5 hash:
a9d851de21599c3d32f3b88510c5a305
SHA1 hash:
37610ec1a3c0c5ed9bc7505bab143183a7d5b338
Link:
https://www.unpac.me/results/8e2272a8-f6d9-49b1-a6a2-79a945250099/
SH256 hash:
c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021
MD5 hash:
9e253536cdf9c8ff66ccc8b18d294441
SHA1 hash:
c0ba31015b7866f6ca9cba58fb26a807ca5ad6a1
Link:
https://www.unpac.me/results/8e2272a8-f6d9-49b1-a6a2-79a945250099/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar f318498366c1759eadbbc3b67a64c7f85f828f79bac7b54e998a59adb468f348

Formbook

Executable exe c408e9ac6c785de60c7a65c278c476165c660547645ff34ace23767ee2d16021

(this sample)

  
Dropped by
MD5 b5723b81374b2f6bebd841f8c172172f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/115923/
  
Dropped by
SHA256 f318498366c1759eadbbc3b67a64c7f85f828f79bac7b54e998a59adb468f348

Comments