MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1
SHA3-384 hash: d57aa6eb360d4379323d6102f23d6cf4959e0cc838d23130f6facbfe1905307e068b5b2f7f8001972b499701c28c3efd
SHA1 hash: d62f8c01a7053d10964ee4f8f89b3d69dff5e8e2
MD5 hash: 4b575647d0c60199728b0c8756c01a0b
humanhash: pluto-twelve-december-seventeen
File name:ORDER7538EAR90LBT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:903'680 bytes
First seen:2020-10-23 09:31:51 UTC
Last seen:2020-10-23 11:22:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'620 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:g3AEWjyUEbrJC6/QsGYtPTvh9CmYj7C4roRDyU0ExXYvnwVuzD7/I7gg:gQEWjyUEbrJCh07ZKjWNxXcnL307
Threatray 2'680 similar samples on MalwareBazaar
TLSH 9715DF0253E89F18F5BF93389964040097F9BC46A72BD2ADBDD140DF1DA2F818F56B26
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: dlveltex.co
Sending IP: 111.90.140.219
From: Sebastian <Sebastian@dlveltex.com>
Subject: Attached selected items and confirmed copy of quotation for your reference.
Attachment: ORDER7538EAR90LBT.rar (contains "ORDER7538EAR90LBT.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75006/
Detection(s):
SecuriteInfo.com.Artemis4B575647D0C6.2336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507999
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 303120 Sample: ORDER7538EAR90LBT.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 41 www.paramountnorth.com 2->41 43 paramountnorth.com 2->43 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 10 other signatures 2->57 11 ORDER7538EAR90LBT.exe 7 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\...TPYkEDfmoGRZA.exe, PE32 11->33 dropped 35 C:\...TPYkEDfmoGRZA.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\user\AppData\Local\...\tmpB187.tmp, XML 11->37 dropped 39 C:\Users\user\...\ORDER7538EAR90LBT.exe.log, ASCII 11->39 dropped 67 Tries to detect virtualization through RDTSC time measurements 11->67 69 Injects a PE file into a foreign processes 11->69 15 ORDER7538EAR90LBT.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Maps a DLL or memory area into another process 15->73 75 Sample uses process hollowing technique 15->75 77 Queues an APC in another process (thread injection) 15->77 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 45 paramountnorth.com 34.102.136.180, 49752, 49754, 80 GOOGLEUS United States 20->45 47 www.sgssts.com 45.203.105.90, 49753, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 20->47 49 4 other IPs or domains 20->49 59 System process connects to network (likely due to code injection or exploit) 20->59 26 cmmon32.exe 20->26         started        signatures11 process12 signatures13 61 Modifies the context of a thread in another process (thread injection) 26->61 63 Maps a DLL or memory area into another process 26->63 65 Tries to detect virtualization through RDTSC time measurements 26->65 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 08:23:43 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dsjylysuopra3gdispmsizglo242egywz6mld2fogoj5vfwm3yq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
Formbook
3ba3652f91657ae971efd9b9f9b6e6ebee6dbe4e23c2837825d21c7bd7997aac
Formbook
4ffeba70e305d0d745d9a60fb8a78cc3f161c3fe4a7373c2303be8f095426abd
Formbook
6bc296fc9ae6bdb27ca23398f69bfb7b44d69734ff0e03a3322fdf688117e2f5
Formbook
82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
Formbook
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
Formbook
aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
Formbook
c3c62460fce1e7c6964339da00bc229e02872c21de66a35c3aba8592ef7a8872
Formbook
cc15e8a9e04355389815d8a7be4c34746c87a2a9d672e426c01b00ad0a583069
Formbook
f535414d7bdcacff5db6ba209be888ebcd7996b1602a3b78a574b72d03cca147
Formbook
+ 2'670 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201023-bdahla6z46/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.sgssts.com/g456/
Unpacked files
SH256 hash:
d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1
MD5 hash:
4b575647d0c60199728b0c8756c01a0b
SHA1 hash:
d62f8c01a7053d10964ee4f8f89b3d69dff5e8e2
Link:
https://www.unpac.me/results/b17acacc-6403-47b2-a1c8-fe99a28098c1/
SH256 hash:
8327dbe9e52d03f6366076ffbe87156994f0495e3654be0d894873517b792e70
MD5 hash:
0da48742b4b01e6bd95bec2bcf5aa2d3
SHA1 hash:
66a2a7ebbbda14823f6c68efdb185de53d7aab3c
Link:
https://www.unpac.me/results/b17acacc-6403-47b2-a1c8-fe99a28098c1/
SH256 hash:
d501e2d7d3d36da327d12892cd35dce48dddd4cb5ca20695d91b75854b3434df
MD5 hash:
00ed5ac60939b0d8c1c0e61f95115f9b
SHA1 hash:
b2f4bc18bf77535365c3f033e9d6a58ed555fce3
Link:
https://www.unpac.me/results/b17acacc-6403-47b2-a1c8-fe99a28098c1/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/b17acacc-6403-47b2-a1c8-fe99a28098c1/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 77fb1a4c32309306a6a2cbec591495354543330dde488565b7eab4019d14158e

Formbook

Executable exe d8e49c2f12a39f106cc3449ec923265bb5cd10d8b67cc58f45719c9ed4b666f1

(this sample)

  
Dropped by
MD5 21a650e96f43d6ffc0a399e89859955b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75006/
  
Dropped by
SHA256 77fb1a4c32309306a6a2cbec591495354543330dde488565b7eab4019d14158e

Comments