MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34a88c5a15f36eb7b24dfb21e53185ffa67a04760533e9d474dd4de4e5331153. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34a88c5a15f36eb7b24dfb21e53185ffa67a04760533e9d474dd4de4e5331153
SHA3-384 hash: d474a9418b0df6c28a6861a8abb199fab7033962d91eb7291aff89d1568290c94aac9ac617f8d25ef93f82c8d23972df
SHA1 hash: dcdb196482455269ad8a7aa34fc51e6ce9b0a2d3
MD5 hash: b954219ab84d14e4efbeb8f0b629ad25
humanhash: lake-minnesota-orange-mountain
File name:Scan 2072020 pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:775'680 bytes
First seen:2020-07-20 09:35:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 947a363cee796918c4dd5f0352950426 (5 x AgentTesla, 5 x Loki, 5 x MassLogger)
ssdeep 12288:ypxEDrQY5EvoFzhlmTS1i4jkkg52CKRC8fZ9G6z10lsYbu01:ia8voVOIObYfZo/6YbP
Threatray 5'128 similar samples on MalwareBazaar
TLSH BAF4A062E2E04877C1671A3C4D1B67A8A836BE003E2C9D766FF75C4CDF3A64134A5297
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.example.com
Sending IP: 103.133.110.22
From: Vinh Loc - Davico <info@daivietseafoods.com> <admin@motonina.ml>
Subject: Re: SWIFT CONFIRMATION ON NEW ORDER 8/5/2020
Attachment: Scan 2072020 pdf.iso (contains "Scan 2072020 pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28887/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391251
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 248002 Sample: Scan 2072020 pdf.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 58 www.royalvegasnodeposit.com 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 8 other signatures 2->66 11 Scan 2072020 pdf.exe 2->11         started        signatures3 process4 signatures5 82 Maps a DLL or memory area into another process 11->82 14 Scan 2072020 pdf.exe 11->14         started        process6 signatures7 84 Modifies the context of a thread in another process (thread injection) 14->84 86 Maps a DLL or memory area into another process 14->86 88 Sample uses process hollowing technique 14->88 90 Queues an APC in another process (thread injection) 14->90 17 explorer.exe 1 6 14->17 injected process8 dnsIp9 52 www.906zy.com 121.37.167.83, 49735, 80 HWCSNETHuaweiCloudServicedatacenterCN China 17->52 54 allamericandreamcafe.info 34.102.136.180, 49739, 49740, 49741 GOOGLEUS United States 17->54 56 3 other IPs or domains 17->56 42 C:\Users\user\AppData\...\exnvfo8adbp.exe, PE32 17->42 dropped 68 System process connects to network (likely due to code injection or exploit) 17->68 70 Benign windows process drops PE files 17->70 22 wscript.exe 1 19 17->22         started        26 exnvfo8adbp.exe 17->26         started        28 cmd.exe 17->28         started        file10 signatures11 process12 file13 44 C:\Users\user\AppData\...\576logrv.ini, data 22->44 dropped 46 C:\Users\user\AppData\...\576logri.ini, data 22->46 dropped 48 C:\Users\user\AppData\...\576logrf.ini, data 22->48 dropped 72 Detected FormBook malware 22->72 74 Tries to steal Mail credentials (via file access) 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 80 2 other signatures 22->80 30 cmd.exe 2 22->30         started        34 cmd.exe 1 22->34         started        78 Maps a DLL or memory area into another process 26->78 36 exnvfo8adbp.exe 26->36         started        signatures14 process15 file16 50 C:\Users\user\AppData\Local\Temp\DB1, SQLite 30->50 dropped 92 Tries to harvest and steal browser information (history, passwords, etc) 30->92 38 conhost.exe 30->38         started        94 Tries to detect virtualization through RDTSC time measurements 34->94 40 conhost.exe 34->40         started        96 Modifies the context of a thread in another process (thread injection) 36->96 98 Maps a DLL or memory area into another process 36->98 100 Sample uses process hollowing technique 36->100 signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/34a88c5a15f36eb7b24dfb21e53185ffa67a04760533e9d474dd4de4e5331153/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 09:36:13 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gsuiywqv6nxlpmsn7mq6kmmf76thubdwauz6tvdu3vg6jzjtcfjq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197
FormBook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
FormBook
344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be
FormBook
45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f
FormBook
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
FormBook
8c55df1fdc1ac49e2c0a3b5b77bd044d842d2f6e38bd5f782d93853a560140fb
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6
FormBook
+ 5'118 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200720-gnfgg7t9pe/
Behaviour
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/34a88c5a15f36eb7b24dfb21e53185ffa67a04760533e9d474dd4de4e5331153

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

iso 0518fe66f4ec2565d35e7124defd88b24507ad5d99fd46c69ce679d9c1f824c0

FormBook

Executable exe 34a88c5a15f36eb7b24dfb21e53185ffa67a04760533e9d474dd4de4e5331153

(this sample)

  
Dropped by
MD5 4e3a73d9b71939ad89c09154d3bf9c72
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0518fe66f4ec2565d35e7124defd88b24507ad5d99fd46c69ce679d9c1f824c0
Cape
Cape
https://www.capesandbox.com/analysis/28887/

Comments