MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 129d2b74553bc4da544e243a8e44cb7caf3b446ba23a32ed7279fe2dfeae9878. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 129d2b74553bc4da544e243a8e44cb7caf3b446ba23a32ed7279fe2dfeae9878
SHA3-384 hash: 7f61a78874e1befb2b709578a623eed473f791804d68d398ce3789eb5626920b1e338906ff17c2ab5840554604585146
SHA1 hash: 6c2cc300efeb241a58662318b54350a5f402648b
MD5 hash: 0d410db4a45077f0e62dc2bb81052b79
humanhash: nuts-lima-yankee-item
File name:B_73546629.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:462'848 bytes
First seen:2020-08-04 07:49:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:VHAgbCa8sGQTTLlKnjlMNsHIQ+ivJ2LKPyL33w:VHX8kTTLlIDHIxivJNSH
Threatray 5'839 similar samples on MalwareBazaar
TLSH D6A45C353C83D038C9350574A4385AD2FA293A793B558E5EF3AB128C5F426AB7B1B11F
Reporter abuse_ch
Tags:exe FormBook geo KOR


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: whoismail.net
Sending IP: 211.115.64.87
From: 리지드코리아 <info@ridgidkorea.com>
Reply-To: 리지드코리아 <info@ridgidkorea.com>
Subject: Quotation Request' AUGUST
Attachment: B_73546629.lzh (contains "B_73546629.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38331/
Detection(s):
Win.Malware.Formbook-7399661-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/408858
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256677 Sample: B_73546629.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 72 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected FormBook 2->45 47 Sigma detected: Add file from suspicious location to autostart registry 2->47 49 .NET source code contains very large array initializations 2->49 7 bin.exe 2 2->7         started        10 B_73546629.exe 7 2->10         started        13 pcalua.exe 1 1 2->13         started        15 pcalua.exe 1 2->15         started        process3 file4 51 Writes to foreign memory regions 7->51 53 Allocates memory in foreign processes 7->53 55 Injects a PE file into a foreign processes 7->55 17 AddInProcess32.exe 7->17         started        20 WerFault.exe 7 7->20         started        33 C:\Users\user\AppData\Roaming\...\bin.exe, PE32 10->33 dropped 35 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 10->35 dropped 37 C:\Users\user\...\bin.exe:Zone.Identifier, ASCII 10->37 dropped 57 Drops PE files to the startup folder 10->57 22 cmd.exe 1 10->22         started        24 bin.exe 3 10->24         started        signatures5 process6 signatures7 39 Maps a DLL or memory area into another process 17->39 41 Tries to detect virtualization through RDTSC time measurements 17->41 26 explorer.exe 17->26 injected 28 reg.exe 1 1 22->28         started        31 conhost.exe 22->31         started        process8 signatures9 59 Creates an autostart registry key pointing to binary in C:\Windows 28->59
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/129d2b74553bc4da544e243a8e44cb7caf3b446ba23a32ed7279fe2dfeae9878/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 09:37:13 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ckosw5cvhpcnuvcoeq5i4rglpsxtwrdlui5df3lsph7c37votb4a._file
Verdict:
malicious
Similar samples:
07f7b852dc1cd3c5527fef6c09019b723a9e17ddc6b236c16e992784940b7a81
Formbook
13e11d298269b106ef9529e7cd3c659bc59b4acb040f521a682f55e49c4ae7a9
Formbook
1e82d551bb0693edad6a527c0355b59476d25afc326168b616205fe186ca5a30
Formbook
5bd5a94befaf51c0702273d144aa5d31fc88e7f677ea33ea98408450e1b535d7
Formbook
6cc43dcf0639d2b657784294b64c28b81daa90b4385e027a81015cc81f664953
Formbook
70ecffff57ecd39682bc7de003d937b43d0b0c9bfaadd315d236627475608e54
Formbook
85f9c52380c96ddf3aa66361640a6a6232a182d5d4437de8a3585fa0d216ebc4
Formbook
887de911a26e0008429adcba8abc212d36423fae62d40aa1df57e2883db77d45
Formbook
ad5f1470fa21e384ec2d051aa602a8bf7c7f0cfb6c2926f7a55c5ad7038e9d07
Formbook
e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0
Formbook
+ 5'829 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200804-fb5yj2sm3e/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Drops startup file
Executes dropped EXE
Formbook Payload
ServiceHost packer
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/129d2b74553bc4da544e243a8e44cb7caf3b446ba23a32ed7279fe2dfeae9878

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 74a5972b49c9ea0e32b4196db1fc3d083b43b06f0a6f253967fc0ede12d97736

Formbook

Executable exe 129d2b74553bc4da544e243a8e44cb7caf3b446ba23a32ed7279fe2dfeae9878

(this sample)

  
Dropped by
MD5 f6b32717b331b91b8339d23dfd9c5d56
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 74a5972b49c9ea0e32b4196db1fc3d083b43b06f0a6f253967fc0ede12d97736
Cape
Cape
https://www.capesandbox.com/analysis/38331/

Comments