MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2059f1585290ca102aa23d8d92f479a4c0940f1a8957b5226e4c36b9b115c7c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 11


SHA256 hash: 2059f1585290ca102aa23d8d92f479a4c0940f1a8957b5226e4c36b9b115c7c5
SHA3-384 hash: e830247244f00f0433bb8dcb5e5cce2dce396a8a69f3966765250cff290e056ec3e8b94dbd62d8f4d079166d069e1cd0
SHA1 hash: d293234fa48901aed1c0f7763ceefe640b83ebda
MD5 hash: ade13e63e8767b76cb036972c773a1af
humanhash: six-march-arizona-asparagus
File name: Toyo Engineering Corporation.exe
Signature: FormBook
File size: 652'288 bytes
First seen: 2020-07-21 06:27:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:qWklhYIl0WSyRw6TB5aumIJfS9uU9NOoIyAc071UvcCUfzvSzRhd0w27N3LcuEpW:DS246rNOcAc071UviqU7N3LcHpkc
Threatray: 4'993 similar samples on MalwareBazaar
TLSH: C8D49187D374818BEF7507BAD8A98028CAF0A25E32D59A3517C4F194F826660D71FE1F
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: server.megatroncorp.community
Sending IP: 162.241.205.158
From: Nurul Najwa <server@huttprimax.partners>
Reply-To: info-toyo@engineer.com
Subject: Toyo Engineering Corporation // Request For Inquiry // 21.7.2020
Attachment: Toyo Engineering Corporation.zip (contains "Toyo Engineering Corporation.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 75
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID: 248428; sample: Toyo Engineering Corporation.exe; start date: 21/07/2020; architecture: WINDOWS; score: 100):
  Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
  Sample-level contacted domain: www.refingen.com
  Toyo Engineering Corporation.exe
    dropped: C:\...\Toyo Engineering Corporation.exe.log (ASCII)
    started: Toyo Engineering Corporation.exe
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      injected into: explorer.exe
        network: tz.ue44.com (39.155.231.110, port 49733 -> 80, CMNET-BEIJING-AP China Mobile Communications Corporation, CN, China); www.refingen.com; 2 other IPs or domains
        dropped: C:\Users\user\AppData\...\2d83f5dibxh.exe (PE32)
        signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files
        started: chkdsk.exe
          dropped: C:\Users\user\AppData\...50P0logrv.ini (data); C:\Users\user\AppData\...52P0logri.ini (data); C:\Users\user\AppData\...54P0logrf.ini (data)
          signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
          started: cmd.exe
            dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
            signatures: Tries to harvest and steal browser information (history, passwords, etc)
            started: conhost.exe
          started: cmd.exe
            started: conhost.exe
        started: 2d83f5dibxh.exe
          started: 2d83f5dibxh.exe
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
          started: 2d83f5dibxh.exe
        started: control.exe
          signatures: Tries to detect virtualization through RDTSC time measurements
        started: autofmt.exe
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2020-07-21 06:29:09 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: persistence spyware trojan stealer family:formbook
Behaviour
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook: Executable exe 2059f1585290ca102aa23d8d92f479a4c0940f1a8957b5226e4c36b9b115c7c5 (this sample)

Delivery method: Distributed via e-mail attachment
