MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
SHA3-384 hash: 35ae89cce639c5def215f5347d0d1aedb9e7925c27794780d5f658ad244a3b16fc4ee2b59105875b191977ae69d17739
SHA1 hash: bf4d399c6c29a0159243c4f2d30e7dade1d0a704
MD5 hash: dea5848e1a04b430b59500a4a5b1e067
humanhash: mango-fruit-indigo-alanine
File name:Outstanding statement.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:464'384 bytes
First seen:2020-10-05 11:23:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:5UH0ue6tKzQ/eMc61LBCZ2a8/CxVMlS8+Uiz/s8bSRw/GgRQfY:5sZeAKzGVNJBCEa5n8+Uiz05c6Y
Threatray 2'330 similar samples on MalwareBazaar
TLSH B8A47D25774AE6F4D27F59308066D1B20212BFE14D83611FAFD13E1BBDF2A58046EB92
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: linux3.webmastersindia.net
Sending IP: 207.58.177.91
From: accounts1 <accounts1@zaleship.com>
Subject: RE: Outstanding statement
Attachment: Outstanding statement.zip (contains "Outstanding statement.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68147/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Launching cmd.exe command interpreter
DNS request
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481294
Signature
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 293088 Sample: Outstanding statement.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 54 www.pchcmgrant.com 2->54 56 pchcmgrant.com 2->56 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 5 other signatures 2->70 11 Outstanding statement.exe 7 2->11         started        signatures3 process4 file5 48 C:\Users\user\AppData\Local\...\name.exe.lnk, MS 11->48 dropped 50 C:\Users\...\Outstanding statement.exe.log, ASCII 11->50 dropped 52 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 11->52 dropped 82 Injects a PE file into a foreign processes 11->82 15 Outstanding statement.exe 11->15         started        18 cmd.exe 1 11->18         started        20 cmd.exe 3 11->20         started        23 cmd.exe 1 11->23         started        signatures6 process7 file8 84 Modifies the context of a thread in another process (thread injection) 15->84 86 Maps a DLL or memory area into another process 15->86 88 Sample uses process hollowing technique 15->88 90 Queues an APC in another process (thread injection) 15->90 25 explorer.exe 15->25 injected 29 reg.exe 1 1 18->29         started        31 conhost.exe 18->31         started        44 C:\Users\user\AppData\Local\Temp\...\name.exe, PE32 20->44 dropped 33 conhost.exe 20->33         started        46 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 23->46 dropped 35 conhost.exe 23->35         started        signatures9 process10 dnsIp11 58 www.juggfuckers.com 103.224.182.245, 49748, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 25->58 60 www.holisticskincarecompany.com 109.68.33.25, 49747, 80 GD-EMEA-DC-LD5GB United Kingdom 25->60 62 www.topsit.website 104.27.167.43, 49752, 80 CLOUDFLARENETUS United States 25->62 78 System process connects to network (likely due to code injection or exploit) 25->78 37 cmmon32.exe 25->37         started        80 Creates an undocumented autostart registry key 29->80 signatures12 process13 signatures14 72 Modifies the context of a thread in another process (thread injection) 37->72 74 Maps a DLL or memory area into another process 37->74 76 Tries to detect virtualization through RDTSC time measurements 37->76 40 cmd.exe 1 37->40         started        process15 process16 42 conhost.exe 40->42         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 10:59:52 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yzp6kq4oaktjp6qvudax45uil75tuixlslkhgwpqkgiznwfzyeca._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14bd8d29b58463ac3b3422f269aad880b129cd6354d3a033614d254f8dde4569
Formbook
15af9bb36b7a51efea7ab70d98a29ef7059f4f5b7178fef0aaff0671bf6c9386
Formbook
27c2836a432ffef984ec91f36cd49097f0b01561bf3e2f3fde71cc5ecde70541
Formbook
2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
Formbook
63d643f5f17f5e621ef22e4c05a5d92c519376d0043c0958284d34ae206c0161
Formbook
82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
Formbook
9107a8988792e1ec695a1d662a6b0f7668a6fbfb6352897c1f5bfe85addf2994
Formbook
ad660d774f78137622d038976557c8782211dbfd39d2ff9a7a4bcc9279ba0f41
Formbook
c6232f818d7c848dee9a6a653df75e0174e38362ff2e5f6040c5e7418af5f219
Formbook
e5d8344ae7d9f2641a4e564d0e6e1a6494e216e6a5be0355eb45190e25d11f8f
Formbook
+ 2'320 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201005-kl85dy9g2a/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.purebodyrecovery.com/rhk/
Unpacked files
SH256 hash:
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
MD5 hash:
dea5848e1a04b430b59500a4a5b1e067
SHA1 hash:
bf4d399c6c29a0159243c4f2d30e7dade1d0a704
Link:
https://www.unpac.me/results/fc4777d3-2acc-40b5-8cb6-29e51cfc1a98/
SH256 hash:
caca58c402adff09bbc6907211050ce93ba1ca9de7e272d9d0f37f101e6fa340
MD5 hash:
3880b837a1470737da64d3b682136cb0
SHA1 hash:
7670a024e615341a0c1f9c38ba088781210167fb
Link:
https://www.unpac.me/results/fc4777d3-2acc-40b5-8cb6-29e51cfc1a98/
SH256 hash:
00fbae02cdcd2438dbc3a8758e8e5dcc8bb86b26162c6b23c1edae3f0ccc918f
MD5 hash:
3c5e36539ea6b6ea02774b082f151ac6
SHA1 hash:
b0ed5a1f3bb540f8c5a08ec5909ec5f1fa59fcf5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/fc4777d3-2acc-40b5-8cb6-29e51cfc1a98/
Parent samples :
c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104
ec4ee2fa916e9fc280f06af0ceded7835693723ebbc6c60bd6e371b5d4ad006a
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
48fb5ca3a7323643cd3cab475e1e7615bf619ef568c2673f7e61e128d263a114
cb9826fb54d83c293531c905827920511bd9d7b259da01ac1e593d9d10aec334
8ce26cc2fb22fe3d89d7f4bd9ea925f0719ff9208b4e37b1f71b9d4e810bcc0c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 1f4cdd70a2168dcc26b55a9ec7f16987a56c4301b1c289bceef132b2400bfd07

Formbook

Executable exe c65fe5438e02a697fa15a0c17e76885ffb3a22eb92d47359f0519196d8b9c104

(this sample)

  
Dropped by
MD5 b58d41159f55da7e2613bd7b1dcd0f72
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1f4cdd70a2168dcc26b55a9ec7f16987a56c4301b1c289bceef132b2400bfd07
Cape
Cape
https://www.capesandbox.com/analysis/68147/

Comments