MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23486053a77b3b37f7323a6bd6941ec13d341fc553bcb0675b475cef4392c894. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23486053a77b3b37f7323a6bd6941ec13d341fc553bcb0675b475cef4392c894
SHA3-384 hash: 3b59b59a3117ca12ed81c4cfc1565224dfbe39380081f389d4bdacbbf626ae213716caccde4d89cdb73c87d932461072
SHA1 hash: 9afbccdb8f8fc05c7581a5b4bc4a188a911c1485
MD5 hash: b0f73de3e6ae50a9bde2c49ef0191b2f
humanhash: mexico-arkansas-venus-carpet
File name:INVOICE06082020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:502'784 bytes
First seen:2020-08-06 06:37:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:GiawcWp4kW8tzqAZm840LFS2nYkrdjZYC9GWa6Crqm27e7+9PHw9sdwz2BnSRsrv:Gi084kW8f0840LTldjZYC9+S7c+JHbn
Threatray 5'134 similar samples on MalwareBazaar
TLSH 4CB48C3052300AA7E6FC52B4840C7144A6F28F595A5AF6D1FDB778C9F2F26B05B2D81B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: slot0.eyrestox.com
Sending IP: 104.168.198.133
From: Zedong <info@topdsht.com>
Reply-To: info@topdsht.com
Subject: RE: Kindly find stamped PO with signature as attached
Attachment: INVOICE06082020.zip (contains "INVOICE06082020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/40160/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412273
Signature
Benign windows process drops PE files
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 258386 Sample: INVOICE06082020.exe Startdate: 06/08/2020 Architecture: WINDOWS Score: 100 41 www.dt-anesthesia.com 2->41 43 ext-sq.squarespace.com 2->43 51 Malicious sample detected (through community Yara rule) 2->51 53 Yara detected AntiVM_3 2->53 55 Yara detected FormBook 2->55 57 5 other signatures 2->57 11 INVOICE06082020.exe 3 2->11         started        signatures3 process4 file5 39 C:\Users\user\...\INVOICE06082020.exe.log, ASCII 11->39 dropped 71 Tries to detect virtualization through RDTSC time measurements 11->71 73 Injects a PE file into a foreign processes 11->73 15 INVOICE06082020.exe 11->15         started        signatures6 process7 signatures8 75 Modifies the context of a thread in another process (thread injection) 15->75 77 Maps a DLL or memory area into another process 15->77 79 Sample uses process hollowing technique 15->79 81 Queues an APC in another process (thread injection) 15->81 18 explorer.exe 1 6 15->18 injected process9 dnsIp10 45 www.aheadsman.com 18->45 47 www.265music.com 18->47 49 HDRedirect-LB5-1afb6e2973825a56.elb.us-east-1.amazonaws.com 23.20.239.12, 49743, 80 AMAZON-AESUS United States 18->49 33 C:\Users\user\AppData\...\2do4anzpdbcdlb.exe, PE32 18->33 dropped 59 System process connects to network (likely due to code injection or exploit) 18->59 61 Benign windows process drops PE files 18->61 23 msiexec.exe 18->23         started        27 2do4anzpdbcdlb.exe 18->27         started        file11 signatures12 process13 file14 35 C:\Users\user\AppData\...\5L3logrv.ini, data 23->35 dropped 37 C:\Users\user\AppData\...\5L3logri.ini, data 23->37 dropped 63 Detected FormBook malware 23->63 65 Tries to steal Mail credentials (via file access) 23->65 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 69 3 other signatures 23->69 29 cmd.exe 23->29         started        signatures15 process16 process17 31 conhost.exe 29->31         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/23486053a77b3b37f7323a6bd6941ec13d341fc553bcb0675b475cef4392c894/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 06:39:04 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=enegau5hpm5tp5zshjv5nfa6ye6tih6fko6laz23i5oo6q4szcka._file
Verdict:
malicious
Similar samples:
07f7b852dc1cd3c5527fef6c09019b723a9e17ddc6b236c16e992784940b7a81
FormBook
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
FormBook
30d3cf43f91eea8df889ee14337ca8067bc68521ff63184c679aac80b321bb75
FormBook
478dce496a9eca179f7503d76fa70a27d85e2e8547b81b5c80fc7433122085c3
FormBook
59793c1ac9d8537e06996b0a09f161deb98a77d527b0bc97b18e15972f120a2d
FormBook
6feb356faa54c3da8b70b32c044fb85582a5c1752263d3ddb8082c5bc4d417d7
FormBook
8a10ba003c94b5e6576d10a0c4bd01cabef6d87e4811e96c1a028e2cde63f414
FormBook
b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9
FormBook
bf694824d6cbf6fba77ce087678b03ee8243a245b4b730eb55fb83e83b8dff8e
FormBook
df2ad4f06e072787902fb0160a7d2dc0d2db3c033ce66ae0f44ab5284e392d15
FormBook
+ 5'124 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200806-62v8ecrx7a/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/23486053a77b3b37f7323a6bd6941ec13d341fc553bcb0675b475cef4392c894

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip c83253d8da2a418078f44800a2734d9062c44cae4d8d4d70a158897088bf0269

FormBook

Executable exe 23486053a77b3b37f7323a6bd6941ec13d341fc553bcb0675b475cef4392c894

(this sample)

  
Dropped by
MD5 214ca666f0c4265135cfbf050ab7156d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40160/
  
Dropped by
SHA256 c83253d8da2a418078f44800a2734d9062c44cae4d8d4d70a158897088bf0269

Comments