MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c14de05af14835140799c2d9be3c80da30d7938fdcffc22edc9f6e0ec4b9994. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c14de05af14835140799c2d9be3c80da30d7938fdcffc22edc9f6e0ec4b9994
SHA3-384 hash: 4c2f8e4479d4e80e40d3f7e4571fb4b30ad4e52161cbdc32678c94bc7baeef5f3a7d06f2175fd65052e7c9a7755c81ef
SHA1 hash: f5ea3e038e1b8fe5c123a017a96c9faf83cbff2e
MD5 hash: 37b6dc50dc15a6abd7f6f84cef49ab85
humanhash: oxygen-double-alaska-neptune
File name:IMG.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:483'840 bytes
First seen:2020-07-21 14:03:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:2+fUYeG3jM3w6Y2QZAQArL4Y9vgQAscChEZKM0I3Cln1QMbRf1AZIyRw6TB:2IxK7Ss7hEAIy1LhA
Threatray 5'339 similar samples on MalwareBazaar
TLSH 7BA47C10D7B84AC9E3BA57BDE4B4011087B4B91AA7F6E7591B91F0E92C22350CB13F67
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30180/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Spy.21473.26424.19433.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/393304
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249020 Sample: IMG.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Sigma detected: Steal Google chrome login data 2->55 57 2 other signatures 2->57 10 IMG.exe 7 2->10         started        process3 file4 43 C:\Users\user\AppData\Local\...\IMG.exe.log, ASCII 10->43 dropped 71 Tries to detect virtualization through RDTSC time measurements 10->71 73 Injects a PE file into a foreign processes 10->73 14 IMG.exe 10->14         started        signatures5 process6 signatures7 75 Modifies the context of a thread in another process (thread injection) 14->75 77 Maps a DLL or memory area into another process 14->77 79 Sample uses process hollowing technique 14->79 81 Queues an APC in another process (thread injection) 14->81 17 explorer.exe 14->17 injected process8 dnsIp9 45 www.e-malata.com 144.168.72.164, 49723, 80 ESITEDUS United States 17->45 47 www.winning-step.net 17->47 49 www.cyanotoxic.com 17->49 59 System process connects to network (likely due to code injection or exploit) 17->59 21 systray.exe 1 19 17->21         started        signatures10 process11 file12 35 C:\Users\user\AppData\...\84-logrv.ini, data 21->35 dropped 37 C:\Users\user\AppData\...\84-logri.ini, data 21->37 dropped 39 C:\Users\user\AppData\...\84-logrf.ini, data 21->39 dropped 61 Detected FormBook malware 21->61 63 Tries to steal Mail credentials (via file access) 21->63 65 Tries to harvest and steal browser information (history, passwords, etc) 21->65 67 3 other signatures 21->67 25 cmd.exe 2 21->25         started        29 cmd.exe 1 21->29         started        signatures13 process14 file15 41 C:\Users\user\AppData\Local\Temp\DB1, SQLite 25->41 dropped 69 Tries to harvest and steal browser information (history, passwords, etc) 25->69 31 conhost.exe 25->31         started        33 conhost.exe 29->33         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c14de05af14835140799c2d9be3c80da30d7938fdcffc22edc9f6e0ec4b9994/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 14:05:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bqkn4bnpcsbvcqdztqwzxy6ibwrq26jy7xh7yixnzh3ob3cltgka._file
Verdict:
malicious
Similar samples:
0b3026ef214d1740de18fa48e13d8c5bddf67737a33fc07eabe0281f88f2ff5d
Formbook
261d9ecea1cd1ff4247b59e2d8f2d8ba4484811be97c1cad06f236dadf494139
Formbook
3e74b741a68d703cb4546e9ba5478df630079762b2d3ae2d6adce1d77ab8e132
Formbook
474af782fd84f7b982a4c49deeaf3431aeadd1e52528dc7dd8e3bb29bde9c40f
Formbook
4883c17b319dd863b75676586e283a6065e70e3f99e4264b167030aa9fec05d8
Formbook
6769e022c41fa821b705a29415f8ffd4be0fc7dc2619ef595e436637f849c0cd
Formbook
7654e7f6d4c0f38e9f771bf4c6d002b6e816d169afcabee3f028081a25b25506
Formbook
77be23825e937be7c4e100dd70233848523702b85fe2c5e622aa383748ac8e8a
Formbook
c2496731ce3417b90e7720b614d98a3ab2e9d8100ed2c5bea05525d5730241aa
Formbook
f3250b1ac9470b18b44d8c6591c22797a187c1aa02b364583eed5acb255f0328
Formbook
+ 5'329 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200721-tajsgw3ty6/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/0c14de05af14835140799c2d9be3c80da30d7938fdcffc22edc9f6e0ec4b9994

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0c14de05af14835140799c2d9be3c80da30d7938fdcffc22edc9f6e0ec4b9994

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30180/

Comments