MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1800678ba5a47f5492bd8ba441fc37c2119bf057f0856b5d32a6b066f2ae5c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1800678ba5a47f5492bd8ba441fc37c2119bf057f0856b5d32a6b066f2ae5c27
SHA3-384 hash: 44ce9da4f5a0af9cd0917af44aff291866e5fd8a5590010a25339f3656386a6c786972bbf16fd015545b20813cfbc7ca
SHA1 hash: f3c192cfcaea32b3ed3f430b65c475175411bca1
MD5 hash: 943b2015a550dc8a524f299e86f26316
humanhash: thirteen-fix-jupiter-ink
File name:HN0002332_SWIFT,pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:384'512 bytes
First seen:2020-07-06 11:36:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Tg7SJG7i+n3HAApBz+HVlrSMGxSXLxWtgWO3aitQQD5N:UukPn3VkrGYmgWO3Zv
Threatray 5'230 similar samples on MalwareBazaar
TLSH 4784D0731246BFDAE37D0D78C95413801DB91CBBAB70C949BDC831CA52B6B54DAB8A31
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21559/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Forced shutdown of a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1800678ba5a47f5492bd8ba441fc37c2119bf057f0856b5d32a6b066f2ae5c27/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 11:38:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=daagpc5fur7vjev5rosed7bxyiizx4cx6ccwwxjsu2ygn4volqtq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
14ab9ac5f254705d24bf42ac212827c4aebe6f64ba3a9331c8c153bd18195152
FormBook
2867fc0da53d97c9ad3291cffd683c48417f47431b36e2101c11a29ee3ae1e87
FormBook
30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
FormBook
4dcaa189e4b595f7c2ea35bf30bcbee49f9f9c2a3bbe16d832a30c8df30c2a88
FormBook
5da7735fc8be010eaed89e5776cabe530402d4c6d0c6e5c5de515f12e05081f8
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
97d0665cd19b89fabb2a9220c19b88776693c6bcc7d2159c10e18cf3707bb019
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
de5eead1472726c48bab2f8551a161fea3ccd71ee11b4df8e89aa5b9874832a3
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
+ 5'220 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200706-ql4jnnxw6a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Reads user/profile data of web browsers
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 1800678ba5a47f5492bd8ba441fc37c2119bf057f0856b5d32a6b066f2ae5c27

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/21559/

Comments