MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2a9b8210e9545bf90468330a3afe70cbe26148b94658c49ff77cd59c733117b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2a9b8210e9545bf90468330a3afe70cbe26148b94658c49ff77cd59c733117b
SHA3-384 hash: 1847606d096aa650b0f0ae5c8200883bee34dd23f1276710dc521eafd31b1ee46131188c9e369facad7952ff75de74d0
SHA1 hash: c0c4aebf9ceaabf11b5ca27b064dd148d2799f5a
MD5 hash: 6edaa85ec183111382960acc4d979a4a
humanhash: oklahoma-mango-diet-mango
File name:SMTC_027.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:563'712 bytes
First seen:2020-07-21 15:54:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:BrAiY6OLJhKlcfz2iNtt1bM/WQ9araNB/nH:BcVFecb1spPH
Threatray 2'274 similar samples on MalwareBazaar
TLSH DFC4BF39BA928834C43806F5D5FE9AE76179A5253712C71E73DA2338CF0309BBB5512B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: WIN-XKVH3Q4DBSF
Sending IP: 103.153.79.148
From: Agricola Livon <bogachdds@gmail.com>
Subject: ordine
Attachment: SCMT009.doc

Formbook payload URL:
https://magadariable.com/SMTC_027.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30269/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389.19539.26713.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/393455
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249068 Sample: SMTC_027.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 34 www.teenytinypreschool.com 2->34 36 onuniverse.com 2->36 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 3 other signatures 2->46 11 SMTC_027.exe 2 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\InstallUtil.exe, PE32 11->30 dropped 32 C:\Users\user\AppData\...\SMTC_027.exe.log, ASCII 11->32 dropped 54 Writes to foreign memory regions 11->54 56 Allocates memory in foreign processes 11->56 58 Injects a PE file into a foreign processes 11->58 15 InstallUtil.exe 11->15         started        signatures6 process7 signatures8 60 Modifies the context of a thread in another process (thread injection) 15->60 62 Maps a DLL or memory area into another process 15->62 64 Sample uses process hollowing technique 15->64 66 2 other signatures 15->66 18 explorer.exe 15->18 injected process9 dnsIp10 38 www.svgraal.com 18->38 21 wlanext.exe 18->21         started        24 autoconv.exe 18->24         started        process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 26 cmd.exe 1 21->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f2a9b8210e9545bf90468330a3afe70cbe26148b94658c49ff77cd59c733117b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 15:56:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ku3qiiosvc37ecgqmykhl7hbs7cmfelsrsyysp7o7gvtrztcf5q._file
Verdict:
malicious
Similar samples:
141db63f511b843acf5d8a10f095333482850ed727da867bf39b83694b963ae6
Formbook
3df6c5354d1899b7249078b6aec00872710092c2328c0a3e20c79409f42adad4
Formbook
436ee1bd9706512d8884d07a51f806155ca2d95b3a584ceb57a87260cf19690d
Formbook
4923037fb58a4491f08c85e0cf38a74d92dd36860932814170dc942a031bad2f
Formbook
49a63eb1c6fd5d4b22396bb8a8397c3bf124c3f94d104bc2a7a304f4457b4526
Formbook
7c2b01523e8d8a1ea6d09a426ad2a8fb88ec84bb9d3d0c42743b86ab16bd54c7
Formbook
83ef26bdf4b6b513417a97c8997aa2152bc0fb0f0af9d0b30cf6a46d4959ce38
Formbook
c28dd2a205a6cf402e62ce719f27e14eb601ce6abedfc0fcc84cc7c5028da045
Formbook
d3e1f5cc557fedb2c060faa7f234f4a09ba408c428e1c2275b2e713e0bf68db7
Formbook
db976b273e92b605275bbe6c8590f3ef6687faa0effc351a35d15af1f8fc1c3a
Formbook
+ 2'264 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200721-1ec1kcl9w2/
Behaviour
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2a9b8210e9545bf90468330a3afe70cbe26148b94658c49ff77cd59c733117b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Word file doc 11b82caa0f95b6698a8c5db7c0f4fbc7dee37c74443ad402775fa14a2fb6d712

Formbook

Executable exe f2a9b8210e9545bf90468330a3afe70cbe26148b94658c49ff77cd59c733117b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/416088/
  
Dropped by
MD5 d9bf85bcab692598de322beec70897a3
  
Dropped by
SHA256 11b82caa0f95b6698a8c5db7c0f4fbc7dee37c74443ad402775fa14a2fb6d712
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/30269/

Comments