MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172
SHA3-384 hash: 8253c5278557081ced4c618c7bd42171e07d40ef544834e636447da42e1c42578ab3c02efb2aa6fba178bac2998a60fe
SHA1 hash: f7d516f6a33e73c8ef28f42a7e88cdb53116313a
MD5 hash: 9a90e2b4e5b8638e427fb956dfe6be5c
humanhash: magazine-king-burger-shade
File name:Profile & certification.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:789'504 bytes
First seen:2020-10-21 07:54:44 UTC
Last seen:2020-10-25 21:04:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:TunuE4YaX+AnGAtE6J5GgDipoF0z1TIO2nzaffa9A1GKZHNYPzod3fayY+qil3BY:Tunu1Ya5nG76jG2g/QzOmA1GUKzod
Threatray 2'582 similar samples on MalwareBazaar
TLSH D0F4AE98725075AFC66BCD369A681C24EA213C77531BC207902336AC9A3D6DBDF146F3
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: mail0.grandair.xyz
Sending IP: 143.110.228.46
From: DHL <no-reply@dhl.co>
Subject: Re:Re: D.H.L Parcel Notification
Attachment: Profile certification.7z (contains "Profile & certification.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73880/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.40442.18608.19809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505373
Signature
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 301714 Sample: Profile & certification.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 31 www.lucia179.com 2->31 33 www.hotnylonphoto.com 2->33 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AntiVM_3 2->45 47 5 other signatures 2->47 11 Profile & certification.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\...\Profile & certification.exe.log, ASCII 11->29 dropped 57 Injects a PE file into a foreign processes 11->57 15 Profile & certification.exe 11->15         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 15->59 61 Maps a DLL or memory area into another process 15->61 63 Sample uses process hollowing technique 15->63 65 Queues an APC in another process (thread injection) 15->65 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.cyvape.com 45.128.153.84, 49764, 80 M247GB United Kingdom 18->35 37 www.sneakersdo.com 161.97.66.105, 49763, 80 CONTABODE United States 18->37 39 14 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 help.exe 18->22         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 07:56:06 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6btd22fnus3ag7yjevt43emwrs5n6j5szgklcahnkbrdlmi46fza._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15d71d7a0b659fa5429a2e96d9185dad6aca0fe201dfa802b7fd0ef2b8211c76
Formbook
1b10d999126d02956f9d2fec22e0d83b560a5fa8fd873628a6df5650fefe48fd
Formbook
72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e
Formbook
72696d78e02a5f32462855866fee3ddba93f53a0a1bb84c58c98e84d623f3abd
Formbook
79fe9749c4a7e8297e056cc4f0fbed7130900cd9aa2be3a1339acde4a11ca171
Formbook
7ac0888e83ebfc1401796d95250dcfae864d1db479bd741bd44847722a03555e
Formbook
89c0e9f07b4245f97dccad1b925e19ad1a436b61c5fce2f2f12bc05c0042dcbe
Formbook
a0c73c5e7d039898c297b3e6d1c48bc7c32eae93a24b731a0c21717925dba028
Formbook
a76869f6ece56a889175cb2cebdb60e4a24025184ebeb7fa9c6210668eb023fe
Formbook
f2cb02b3c504a4db0b43f79aef0d63398d9b984ee84d07acd690a448b63b5636
Formbook
+ 2'572 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201021-gr6eg2kyrn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.leqi166.com/4psn/
Unpacked files
SH256 hash:
f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172
MD5 hash:
9a90e2b4e5b8638e427fb956dfe6be5c
SHA1 hash:
f7d516f6a33e73c8ef28f42a7e88cdb53116313a
Link:
https://www.unpac.me/results/f4519366-a131-471a-ab16-4e2bc6469d8d/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/f4519366-a131-471a-ab16-4e2bc6469d8d/
SH256 hash:
da15597867f9403fa033d49f18da8f52502c7ff1d78415422927ec1b5894e5c7
MD5 hash:
af7a176f551da0957b86926ff397eb17
SHA1 hash:
797c7d2a57825dc738c914183a05bb54ed02dfcc
Link:
https://www.unpac.me/results/f4519366-a131-471a-ab16-4e2bc6469d8d/
SH256 hash:
1678deab10004c019646c0c7392d177cab195ec5e92a3711eabe076c85d6afb8
MD5 hash:
78fdfa0a1e1265bfa1c6fc5980be960a
SHA1 hash:
493dbf7ca10c67178ec1443132604749f4a9ecf4
Link:
https://www.unpac.me/results/f4519366-a131-471a-ab16-4e2bc6469d8d/
SH256 hash:
1dd6a152739479ce4fa562c5070fbb22e73688ac5bba113149d94e32e9006366
MD5 hash:
3903ec5d571981ba9c277550311852ad
SHA1 hash:
b291ab771c7bac078973aaffde8bfbb6c32ac5b5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/f4519366-a131-471a-ab16-4e2bc6469d8d/
Parent samples :
1b10d999126d02956f9d2fec22e0d83b560a5fa8fd873628a6df5650fefe48fd
72339a82b3bca6e89bd9b29a5e6214a4dab154275ca6ef0c06fee6ac1847df3e
f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172
3e27409e26109793a8a424e232d605acf75360ac30027f5553f780b06ca0dffb
a69b4e5b81128406fd2d580b13e8efc633a1af50c80ab5ee6c0be8c4b241a28b
4251026babadcdbe35d2bd5ac89c51f3a1752df2c49ff6fdb352ba5c1b509245
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z eaf586e901cebf18a97993cd064259a714d3d952d3250b502908f84905d8d649

Formbook

Executable exe f0663d68ada4b6037f092567cd91968cbadf27b2c994b100ed506235b11cf172

(this sample)

  
Dropped by
MD5 ddee10f24c19eaad27faafa9e8f2937f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73880/
  
Dropped by
SHA256 eaf586e901cebf18a97993cd064259a714d3d952d3250b502908f84905d8d649

Comments