MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 263462d86535967bddee75eed15d3e069942b2bc839102bc5afd4b4ea69ab9bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 263462d86535967bddee75eed15d3e069942b2bc839102bc5afd4b4ea69ab9bf
SHA3-384 hash: 8aa9cc0ccf1249ac8d0f8e7b4578dda2e373fdc26776fcf065470c7f3233ff7a72324eabaf840dee52e148a4526c4e9d
SHA1 hash: eab3d13a818a38fdc9bdf4f5049dcb97bca1477c
MD5 hash: 6f22414b434f8fcbd90efaedd544f67b
humanhash: beryllium-burger-lima-neptune
File name:Invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:264'704 bytes
First seen:2020-06-25 14:23:41 UTC
Last seen:2020-06-25 14:52:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3943eb7af04f89fcf0f01c53fa405be0 (1 x FormBook)
ssdeep 6144:lRfB20Oy/kHDVp/e/OWSrKpwk69+OXn9x:/fhO/jVk/OTmm9d9x
Threatray 3'553 similar samples on MalwareBazaar
TLSH 1744D019A47E8871E016973E8D39DE53CC5BFC1690F61166BAF0F26DBC74294882E3D2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: rendsy.xyz
Sending IP: 165.227.194.49
From: Mhd. Faisal Alnus <office@rendsy.xyz>
Subject: AW:AW:AW:
Attachment: Muhnmet invoice.rar (contains "Invoice.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14402/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/263462d86535967bddee75eed15d3e069942b2bc839102bc5afd4b4ea69ab9bf/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-25 14:23:38 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ey2gfwdfgwlhxxpooxxncxj6a2mufmv4qoiqfpc27vfu5ju2xg7q._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
2ee68069c79304ab2bc383e02c7d9f07ecdc9f91e9680afe381c72715225a89e
FormBook
4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
8255284fa792c767fd2464364f12f297fa92a38383d2303d7cf9dcb8b74bdfa5
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60
FormBook
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
FormBook
d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb
FormBook
eb6567e1510a2fbe48c640daf96b0301df0e969b09d3bbd8cd2093e91963efb1
FormBook
+ 3'543 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200625-3kjvdgh85s/
Behaviour
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
System policy modification
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

eb2aa9e060191ea71e192cbb14ed7e8c

FormBook

Executable exe 263462d86535967bddee75eed15d3e069942b2bc839102bc5afd4b4ea69ab9bf

(this sample)

  
Dropped by
MD5 eb2aa9e060191ea71e192cbb14ed7e8c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14402/

Comments