MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14ab9ac5f254705d24bf42ac212827c4aebe6f64ba3a9331c8c153bd18195152. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14ab9ac5f254705d24bf42ac212827c4aebe6f64ba3a9331c8c153bd18195152
SHA3-384 hash: 70ac7763638e585164c101a94e87d9b4042bed2966b460d6459d786204f7ae8c552dffa215cef120a11a0a97e23d55c6
SHA1 hash: 9a7dac079b6e2b24bfe23c5b93169896049541c2
MD5 hash: 3107fe78467be72512d5a40c7eef1cd8
humanhash: johnny-november-echo-uncle
File name:Quote_signed_copy,pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:484'864 bytes
First seen:2020-07-16 08:35:29 UTC
Last seen:2020-07-16 10:05:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:Yke2k4zUQp0YARNLZffZcseDSg/k45dIHmzRNb0OBgo1:HThARJZfhIj/kk+m
Threatray 5'626 similar samples on MalwareBazaar
TLSH 3BA47BDC3510759EC51E8D768964DC70AA202C62F7FBD20763C36D9FB93C69BCA112A2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.richermoren.gq
Sending IP: 216.198.95.145
From: T. Chan <export@richermoren.gq>
Subject: NEW QUOTATION & AGREEMENT--SOK
Attachment: Quote_signed_copy,pdf.iso (contains "Quote_signed_copy,pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26556/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.27941.18491.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389483
Signature
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 246925 Sample: Quote_signed_copy,pdf.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 57 www.m8mcprajis.promo 2->57 59 www.celinedecruz.com 2->59 75 Malicious sample detected (through community Yara rule) 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 6 other signatures 2->81 11 Quote_signed_copy,pdf.exe 1 2->11         started        signatures3 process4 file5 53 C:\Users\...\Quote_signed_copy,pdf.exe.log, ASCII 11->53 dropped 97 Tries to detect virtualization through RDTSC time measurements 11->97 99 Injects a PE file into a foreign processes 11->99 15 Quote_signed_copy,pdf.exe 11->15         started        signatures6 process7 signatures8 101 Modifies the context of a thread in another process (thread injection) 15->101 103 Maps a DLL or memory area into another process 15->103 105 Sample uses process hollowing technique 15->105 107 Queues an APC in another process (thread injection) 15->107 18 explorer.exe 1 6 15->18 injected process9 dnsIp10 61 marquesdelcerro.com 193.42.143.110, 49733, 80 IKOULAFR Spain 18->61 63 www.marquesdelcerro.com 18->63 65 2 other IPs or domains 18->65 45 C:\Users\user\AppData\Local\...\msonyl-6n.exe, PE32 18->45 dropped 83 System process connects to network (likely due to code injection or exploit) 18->83 85 Benign windows process drops PE files 18->85 23 rundll32.exe 1 19 18->23         started        27 msonyl-6n.exe 1 18->27         started        29 msdt.exe 18->29         started        file11 signatures12 process13 file14 47 C:\Users\user\AppData\...\91Plogrv.ini, data 23->47 dropped 49 C:\Users\user\AppData\...\91Plogri.ini, data 23->49 dropped 51 C:\Users\user\AppData\...\91Plogrf.ini, data 23->51 dropped 87 Detected FormBook malware 23->87 89 Tries to steal Mail credentials (via file access) 23->89 91 Tries to harvest and steal browser information (history, passwords, etc) 23->91 95 2 other signatures 23->95 31 cmd.exe 2 23->31         started        35 cmd.exe 1 23->35         started        37 msonyl-6n.exe 27->37         started        39 msonyl-6n.exe 27->39         started        93 Tries to detect virtualization through RDTSC time measurements 29->93 signatures15 process16 file17 55 C:\Users\user\AppData\Local\Temp\DB1, SQLite 31->55 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 31->67 41 conhost.exe 31->41         started        43 conhost.exe 35->43         started        69 Modifies the context of a thread in another process (thread injection) 37->69 71 Maps a DLL or memory area into another process 37->71 73 Sample uses process hollowing technique 37->73 signatures18 process19
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/14ab9ac5f254705d24bf42ac212827c4aebe6f64ba3a9331c8c153bd18195152/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 08:37:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=csvzvrpskryf2jf7ikwcckbhysxl433exi5jgmoiyfj32gazkfja._file
Verdict:
malicious
Similar samples:
16b59963cf5398fe9d50d18723bf7b78073a6fd4d1dfd3072b45b8852ead2d58
FormBook
1800678ba5a47f5492bd8ba441fc37c2119bf057f0856b5d32a6b066f2ae5c27
FormBook
2867fc0da53d97c9ad3291cffd683c48417f47431b36e2101c11a29ee3ae1e87
FormBook
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
FormBook
66812d316b85e20248c4af1f141a372ec1e434d951f7c6fc51402ab23da87845
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
97d0665cd19b89fabb2a9220c19b88776693c6bcc7d2159c10e18cf3707bb019
FormBook
ac0df53e11fe25d8523b781869fc8dbb6c94ce98c3c68a3e25142aa07f583035
FormBook
b3a1b2c34631ea7174675f09e243ec00136cf9b7f585d97d1a85539ee7f279a3
FormBook
b64442a995a9b13bc92c58cb492ba2ca7a5c8d3a21ac26c6cda19faa42796ceb
FormBook
+ 5'616 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200716-hd8lmxn3jx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

13c8b6d0780c5b2ad8141aa8ab1247e4

FormBook

Executable exe 14ab9ac5f254705d24bf42ac212827c4aebe6f64ba3a9331c8c153bd18195152

(this sample)

  
Dropped by
MD5 13c8b6d0780c5b2ad8141aa8ab1247e4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26556/

Comments