MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
SHA3-384 hash: 9b276cf4596a8bb9c744d0a60ad30a0c9fd892c0c2261dd93cf16f37a9ade169db1918ea1d3ac5ed1284183fa437cc9f
SHA1 hash: 981d97065f5f4374e68ee8d82f57e39ec68ffea4
MD5 hash: d43da6113a21cd0c01294c1ca7b2c23f
humanhash: floor-golf-eleven-arizona
File name:PAHO World Health Organization.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:828'416 bytes
First seen:2020-10-20 11:47:17 UTC
Last seen:2020-10-25 18:49:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8eTKdy5PKPH7O6lj6C62iNoRL5ROZudUMVw/1WSrsb/nqA5IdrB04yWi38MyMtf9:8Gt1Ka1/7roXmdrBmLsMNGa
Threatray 2'556 similar samples on MalwareBazaar
TLSH 8105CE7671D9AF10E02D4A3BC8A06461EBF6EC17DA12D46E7DDD368C5FB1BA10462B03
Reporter abuse_ch
Tags:exe FormBook WHO


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: spuredgecorp.com
Sending IP: 192.236.160.195
From: Dr Carlos Garzon Becerra <garzonc@paho.org>
Reply-To: garzonc.paho@teachers.org
Subject: PAHO World Health Organization / solicitud de presupuesto
Attachment: PAHO World Health Organization.zip (contains "PAHO World Health Organization.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73457/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497606
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301010 Sample: PAHO World Health Organizat... Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Yara detected AntiVM_3 2->39 41 Yara detected FormBook 2->41 43 4 other signatures 2->43 10 PAHO World Health Organization.exe 3 2->10         started        process3 file4 27 C:\...\PAHO World Health Organization.exe.log, ASCII 10->27 dropped 13 PAHO World Health Organization.exe 10->13         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 13->51 53 Maps a DLL or memory area into another process 13->53 55 Sample uses process hollowing technique 13->55 57 Queues an APC in another process (thread injection) 13->57 16 explorer.exe 13->16 injected process7 dnsIp8 29 www.moneytransfergas.com 195.149.84.101, 49754, 80 WORLD-NEWSGR United Kingdom 16->29 31 www.gestiondeproyectoscp6.com 172.67.169.35, 49763, 80 CLOUDFLARENETUS United States 16->31 33 www.jjautotransinc.net 16->33 35 System process connects to network (likely due to code injection or exploit) 16->35 20 wscript.exe 16->20         started        signatures9 process10 signatures11 45 Modifies the context of a thread in another process (thread injection) 20->45 47 Maps a DLL or memory area into another process 20->47 49 Tries to detect virtualization through RDTSC time measurements 20->49 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 11:23:12 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yw73vrjds2lw4zzbc3s7wb6wzlqf2kyhw5e5baudujv46klhpw7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ba1cd5068eb222e21bf0f4799f531c5dc07849d4920d3410a78b4aef0559ac8
Formbook
201e2fd48dfdd75ee8abf1ad910deb3ffa1784ae0229fe7588b2b54119409aee
Formbook
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
Formbook
77e828d113038623ccfca7e111b60675fd36ea404545f8ce828d7f8505244f0d
Formbook
7a990daaeb236dac7f6245626e92a4624c798b89e96d573abfd78d2b546af659
Formbook
7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
c1a6e1cdb47df8fdaea4c501aeef551c5608735a82078d2b32229570cb1c44af
Formbook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Formbook
fc6c24e17bd06e27dcc1ac019e4080d4a1a2f10459f74c17b9bb19fb8ba6e442
Formbook
+ 2'546 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201020-6tx42ytks2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.goldenlinkpowerdeals.com/esp5/
Unpacked files
SH256 hash:
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
MD5 hash:
d43da6113a21cd0c01294c1ca7b2c23f
SHA1 hash:
981d97065f5f4374e68ee8d82f57e39ec68ffea4
Link:
https://www.unpac.me/results/33d070c9-7a32-4e6d-ae30-5769b9c7ee47/
SH256 hash:
0ad67bb3ed132a7caaece9c108a4158a35506ed2e2dc6e2fc9364a8cd8742087
MD5 hash:
805dd072dad901de82f26081d7741264
SHA1 hash:
a351ab734354628406ba0ba5e5b2054f4e4ac26f
Link:
https://www.unpac.me/results/33d070c9-7a32-4e6d-ae30-5769b9c7ee47/
SH256 hash:
d764a6fe2ba91015ef531dc0bead3a76f4ce544d8991326ce4f17df626702114
MD5 hash:
cdada93c26014eea1728ff48490fc1f4
SHA1 hash:
e1244346b79dd5e2ff12b084e89ab410892e3205
Link:
https://www.unpac.me/results/33d070c9-7a32-4e6d-ae30-5769b9c7ee47/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/33d070c9-7a32-4e6d-ae30-5769b9c7ee47/
SH256 hash:
7ef2a597a5b46a2e2511fd29ec344fb6e46583800513811ab96970d2152bef23
MD5 hash:
14a2e7847436adc727b382c22e60f8c3
SHA1 hash:
7a6b823da8c0d6549a48f9a5c8cc3c234fef75cd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/33d070c9-7a32-4e6d-ae30-5769b9c7ee47/
Parent samples :
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
93924f89733fd4e1534e19d833740a2667ff990ebab775d891b669b5c728014a
0dbc9167676da74b238155c1234be3891b57cb15441b8f985dfdf295bc858a41
1243c7dc1cfed0ab5eaad14206b0ef280338c865abb712bc6d677db77d850dcc
4c6cf8c0b7ada1e9d9336ba46a3526ce98e8a7fe5ea37f02948371b1d24b0e7e
c7a440c994771410363293be06d6af76be0ded9c4a706d4b2b16b333187942bb
f85b33feed6b4f002c008c9ab364290fea609966cde31700196eb924f2618c8a
1073ba2e8e0bd68474d83047931abe5e8e494f315a61c5fc75acf0392cbd8409
eba046a1103330eec33d061399ec4388c9bcfd7a514c3b9745b6330c22423c8f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 8249750375d83ace56f289f2c37811ca35b51241ebcff962fc3bb84a18e4fcf3

Formbook

Executable exe c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe

(this sample)

  
Dropped by
MD5 35a208c3a2c10d3cbdae6c00094aa1d6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73457/
  
Dropped by
SHA256 8249750375d83ace56f289f2c37811ca35b51241ebcff962fc3bb84a18e4fcf3

Comments