MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968
SHA3-384 hash: 09a8453df89cc46d4890111e7c4592d4a5cba267b1216ad9f7e16c4d128d9d8d2d02cca4b5427187d58cd3a7c7f7e236
SHA1 hash: a31f4e3185b00ac39a29c90e0526ea1aae42cc93
MD5 hash: 0278600e812f6b928722f884992e3abe
humanhash: avocado-magnesium-rugby-berlin
File name:payment copy pdf
Download: download sample
Signature Formbook
Create hunting rule
File size:1'090'560 bytes
First seen:2020-10-17 06:57:34 UTC
Last seen:2020-10-17 08:03:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:7mHu0Ex6z7zU1PpDdgCkUvktMo723MfDflS48N:6O0Ex6z7zcPAM13ag4
Threatray 2'506 similar samples on MalwareBazaar
TLSH B835399C325072DFC46BCD72CEA82C64EBA0787A431BC607945316ADAA5D987DF143F2
Reporter abuse_ch
Tags:FormBook payment copy pdf


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ekinci-insaat.com
Sending IP: 64.52.174.16
From: Account <info@ekinci-insaat.com>
Subject: Re: PAYMENT COPY FOR REFERENCE
Attachment: Payment Copy pdf.rar (contains "payment copy pdf")

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72475/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3450.9356.25874.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494332
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299616 Sample: payment copy pdf Startdate: 17/10/2020 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected AntiVM_3 2->42 44 7 other signatures 2->44 10 payment copy pdf.exe 3 2->10         started        process3 file4 30 C:\Users\user\...\payment copy pdf.exe.log, ASCII 10->30 dropped 54 Injects a PE file into a foreign processes 10->54 14 payment copy pdf.exe 10->14         started        17 payment copy pdf.exe 10->17         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 19 explorer.exe 14->19 injected process8 dnsIp9 32 www.healthcures.net 52.201.79.206, 49734, 49736, 80 AMAZON-AESUS United States 19->32 34 www.strongshack.com 19->34 36 2 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 netsh.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968/
Threat name:
ByteCode-MSIL.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 22:40:41 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ouzz2ec4d5ktiizzgsnp6itnbdd6ohxzuqk4scsrqthvrvbtfua._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1b4249b0b590b4166f62a4e9fff3dfccc4d46cca9173d9c669311738fd98d2dd
Formbook
37fa0d1153831bdf8c08560d18a83afc2ccede848883819536eb81497c63229f
Formbook
3efb5ed25276775c95cc60b4c8227a1401f5525d629148d393f5b85c25c565ec
Formbook
5c0c2689256894521ac0012bc464ad7e0d93c25c60b9df3dfe26b35d85d1713a
Formbook
63d643f5f17f5e621ef22e4c05a5d92c519376d0043c0958284d34ae206c0161
Formbook
82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
Formbook
89bf15eae14f60d6acc308cead31f09459947626b9839bbbddbf76f00821fe3b
Formbook
99c4f75948b26af511bfa055db8d18567a3d662107e35e91102b5576f02acb84
Formbook
b19d067a87767c377a60981192e5edb9256ce11f7d663cdcae2af3d8d0c0c382
Formbook
d7d1d6057e7e731b75e1ba9579ccfe717334cc7b4f59324af1a0aa179db22e68
Formbook
+ 2'496 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201017-j2hhjsx3gn/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.labgrowndiamondex.com/ems/
Unpacked files
SH256 hash:
ffe74548548f271a751c06bfe26acdad559e1fb8b037d2c33122523bd0ce98ca
MD5 hash:
07e8efbbf2f7e1c70424c2ef83f42e00
SHA1 hash:
d55d8fe5ba8d9a74ecf111ca8d3a49089890d830
Link:
https://www.unpac.me/results/94cca26e-993b-4cb3-8c62-6764d7058cca/
SH256 hash:
f374683e6969508d1699541fe0a7ad4ff3136f9c1599575d585d5cdf319aced0
MD5 hash:
d16ad84faeb9dce1fd053aee0a65663e
SHA1 hash:
37ef355aa65249ba92770807d99969377e6af1b6
Link:
https://www.unpac.me/results/94cca26e-993b-4cb3-8c62-6764d7058cca/
SH256 hash:
6ccdc836fef242dc3f41cc3fe17721a0e6f66848bb697f90c207f5523e71531b
MD5 hash:
20bdfb97740c7258053e43fd7a681713
SHA1 hash:
4fe05735a46c84cce1a85fdba6b0d5e55aec8e4c
Link:
https://www.unpac.me/results/94cca26e-993b-4cb3-8c62-6764d7058cca/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/94cca26e-993b-4cb3-8c62-6764d7058cca/
SH256 hash:
1d41ac9ce1652f5837accce79b29ba45715497e0efe777d1847cfeb2568f3648
MD5 hash:
a2448645d5158a152a18417568c78cc7
SHA1 hash:
041175c451bf4d411b23c56da4d96e7eca59a47f
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/94cca26e-993b-4cb3-8c62-6764d7058cca/
SH256 hash:
e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968
MD5 hash:
0278600e812f6b928722f884992e3abe
SHA1 hash:
a31f4e3185b00ac39a29c90e0526ea1aae42cc93
Link:
https://www.unpac.me/results/94cca26e-993b-4cb3-8c62-6764d7058cca/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar cfc469e5794942566685a02ac6550a52e41a9d687891b2f8297364bee09c2ca4

Formbook

Executable exe e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968

(this sample)

  
Dropped by
MD5 b8563afffc2cbef6c18fd2926146e473
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72475/
  
Dropped by
SHA256 cfc469e5794942566685a02ac6550a52e41a9d687891b2f8297364bee09c2ca4

Comments