MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23
SHA3-384 hash: 5128409646608c36687e0d6414004fab9bc890cf14f4c156ec19d96fbef9c2fde385072d4ec0d041aa7dda8f24922260
SHA1 hash: a6e71cbac6dcc82a28e6d5d179daf3bede137ff7
MD5 hash: 588c4ddbb8914423092006fd0827e73a
humanhash: hot-moon-one-sweet
File name:Request For Quotation.PDF.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:842'240 bytes
First seen:2021-02-20 11:26:02 UTC
Last seen:2021-02-20 12:47:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'635 x Formbook, 12'243 x SnakeKeylogger)
ssdeep 12288:Z9g6TuzocgZgVm2WCDa0YIefg/aaXwMBCYmU:ZFFZSm2ZAY/WM3mU
Threatray 3'849 similar samples on MalwareBazaar
TLSH CA056C59B09FA583D62E8CB66E5F507011E0677E8078D21D35E1A7BA81E7383201FE9F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: freyzmarketing.com
Sending IP: 188.138.122.57
From: Kerwin Naidoo <knaidoo@jdi-group.com>
Subject: Urgent: Request For Quotation
Attachment: Request For Quotation.PDF.gz (contains "Request For Quotation.PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118109/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42852.23597.19333.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613272
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355652 Sample: Request For Quotation.PDF.exe Startdate: 20/02/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 8 other signatures 2->45 10 Request For Quotation.PDF.exe 15 3 2->10         started        process3 dnsIp4 37 192.168.2.1 unknown unknown 10->37 29 C:\...\Request For Quotation.PDF.exe.log, ASCII 10->29 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->55 57 Injects a PE file into a foreign processes 10->57 15 Request For Quotation.PDF.exe 10->15         started        file5 signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 31 www.baterydaddy.com 212.32.237.101, 49763, 80 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 18->31 33 misbackupemails.com 184.168.131.241, 49765, 80 AS-26496-GO-DADDY-COM-LLCUS United States 18->33 35 2 other IPs or domains 18->35 47 System process connects to network (likely due to code injection or exploit) 18->47 22 cscript.exe 18->22         started        signatures11 process12 signatures13 49 Modifies the context of a thread in another process (thread injection) 22->49 51 Maps a DLL or memory area into another process 22->51 53 Tries to detect virtualization through RDTSC time measurements 22->53 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-20 10:13:41 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7l2axlaies3pqg57wk2dj6he6nmsoqaftezho5nsofxbfdjzqrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
5cd44014177c68a2e4bf08bdf8ec2e779c13a340cc830ad2c3a7a71676780b0d
Formbook
6275a11bba81d765d92e670a44888734f565eb11fd137a0ff852ed5df68c1d67
Formbook
657a164783b53dc028ca6024f4df09f9e4a9b289e0a3216d2c686ec091a224c0
Formbook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
Formbook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
Formbook
9e4326708091e0200c65e604aa974e6032c0533e2fa1e71d39f8d78ebacd8195
Formbook
a717f13ed10b05c55dea1f2551da0f2d2fb2e49cd153da93be3fdd618c5cee6a
Formbook
bf84393caee9b769b516681ec8998afe26c22255c405ea9a027608ccf38ea36b
Formbook
c42f604b88f970d7f871de38dc87f4a2b9d53c8806139cd3e6aa0193110d5e63
Formbook
f12df428fa830292897aabb6f73c5ecf96e855e278c3320e21e45629c84bf9ef
Formbook
+ 3'839 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook agilenet rat spyware stealer trojan
Link:
https://tria.ge/reports/210220-razccmwzye/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Deletes itself
Obfuscated with Agile.Net obfuscator
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.silkcitytrade.com/oze/
Unpacked files
SH256 hash:
c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23
MD5 hash:
588c4ddbb8914423092006fd0827e73a
SHA1 hash:
a6e71cbac6dcc82a28e6d5d179daf3bede137ff7
Link:
https://www.unpac.me/results/c1a9d042-657b-4a6a-b584-d9700fc026e8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz d55b809f45901de2acf6462d5c13fd52f2fd25346f50a7e803fda665dfdd2329

Formbook

Executable exe c7d7a05d604125b7c0ddfd95a1a7c7279ac93a002cc993bbad938b709469cc23

(this sample)

  
Dropped by
MD5 35a0ec35833e4247a9222051880b5294
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118109/
  
Dropped by
SHA256 d55b809f45901de2acf6462d5c13fd52f2fd25346f50a7e803fda665dfdd2329

Comments