MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b78886eb93cead61694ece663e18be3eb323923ea4cd45d5372aa1b6b78a90f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b78886eb93cead61694ece663e18be3eb323923ea4cd45d5372aa1b6b78a90f
SHA3-384 hash: 925f8a21ee1507323adaee817a19d51da00af6128355eab5a151f07f277f5ef3edd7b8b9433a4f4d68f4ac130e0e0832
SHA1 hash: eae038b619d1462e39b11aee5f7f88419e32b09c
MD5 hash: 7de2eda92450f780d82a631b84a117d4
humanhash: connecticut-illinois-vermont-charlie
File name:Payment Invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:399'360 bytes
First seen:2020-08-04 06:39:14 UTC
Last seen:2020-08-04 08:20:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Aid3dFyHk+OKb0txeKoS82DG3MQxVFnfUkptg:Aid3dFntxeKZDGvnJ
Threatray 4'971 similar samples on MalwareBazaar
TLSH 3E84E03552B007E5D89F0F7EC6DEB90F57B490666212F38CCBAC5BBA88E3300465AD16
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.bengiamein.ml
Sending IP: 45.147.162.51
From: Abdul Financial Center<admin@bengiamein.ml>
Subject: Re: Proforma Invoice Settlement  
Attachment: Payment invoice.rar (contains "Payment Invoice.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38194/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.63.27883.24219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408657
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
Detected FormBook malware
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256564 Sample: Payment Invoice.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Yara detected FormBook 2->63 65 .NET source code contains potential unpacker 2->65 67 4 other signatures 2->67 10 Payment Invoice.exe 2 2->10         started        process3 process4 12 Payment Invoice.exe 10->12         started        signatures5 79 Modifies the context of a thread in another process (thread injection) 12->79 81 Maps a DLL or memory area into another process 12->81 83 Sample uses process hollowing technique 12->83 85 Queues an APC in another process (thread injection) 12->85 15 explorer.exe 4 6 12->15 injected process6 dnsIp7 45 www.mansiobok2.info 63.250.34.167, 49737, 80 NAMECHEAP-NETUS United States 15->45 47 www.671bifa.com 103.197.24.102, 49738, 49739, 49740 CLOUDIE-AS-APCloudieLimitedHK Hong Kong 15->47 49 www.2b47.com 15->49 39 C:\Users\user\AppData\Local\...\qrd0ymt0l.exe, PE32 15->39 dropped 57 System process connects to network (likely due to code injection or exploit) 15->57 59 Benign windows process drops PE files 15->59 20 colorcpl.exe 1 17 15->20         started        24 qrd0ymt0l.exe 2 15->24         started        26 qrd0ymt0l.exe 2 15->26         started        28 2 other processes 15->28 file8 signatures9 process10 file11 41 C:\Users\user\AppData\...\J58logrv.ini, data 20->41 dropped 43 C:\Users\user\AppData\...\J58logri.ini, data 20->43 dropped 69 Detected FormBook malware 20->69 71 Tries to steal Mail credentials (via file access) 20->71 73 Tries to harvest and steal browser information (history, passwords, etc) 20->73 77 2 other signatures 20->77 30 cmd.exe 1 20->30         started        32 qrd0ymt0l.exe 24->32         started        35 qrd0ymt0l.exe 26->35         started        75 Tries to detect virtualization through RDTSC time measurements 28->75 signatures12 process13 signatures14 37 conhost.exe 30->37         started        51 Modifies the context of a thread in another process (thread injection) 32->51 53 Maps a DLL or memory area into another process 32->53 55 Sample uses process hollowing technique 32->55 process15
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b78886eb93cead61694ece663e18be3eb323923ea4cd45d5372aa1b6b78a90f/
Threat name:
Win32.Hacktool.SharpDAPI
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 18:18:59 UTC
AV detection:
30 of 48 (62.50%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bn4iq3vzhtvnmfuu5ttghyml4pvteojd5jgnixktokvbw23yvehq._file
Verdict:
malicious
Similar samples:
22722e6e6da1ce062caad041e121b74af35678e455cfc0de59c3ea1eeb469520
FormBook
365e3684a18839132240dd98e0310b0e7c5e6ba4287efa34f67bf0ab52a33938
FormBook
3c758c3133fb2a7c7c51b2ec84028759bc99e1f3ca3bc22c1046d90f79801f76
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
4170e48189174a9cc84f6c019f454a20e30a35605be0f8e2a3e26a516e2c1090
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
b9c1be5f81b9261b1bb68fb0f667a57721bd04b750427a9382844c42d18dba6e
FormBook
+ 4'961 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200804-18mq1glnbx/
Behaviour
Modifies Internet Explorer settings
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b78886eb93cead61694ece663e18be3eb323923ea4cd45d5372aa1b6b78a90f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 758dd8a77582709839093a4387bb8cf61f411cd6a84bc926ec844216d400743e

FormBook

Executable exe 0b78886eb93cead61694ece663e18be3eb323923ea4cd45d5372aa1b6b78a90f

(this sample)

  
Dropped by
MD5 7c8f0a246e9d868966df572655bcccf4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 758dd8a77582709839093a4387bb8cf61f411cd6a84bc926ec844216d400743e
Cape
Cape
https://www.capesandbox.com/analysis/38194/

Comments