MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e58111450129327ec78aca888dade3083b188f92d21934a2c1104a5b5c0a9f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 10

SHA256 hash: 3e58111450129327ec78aca888dade3083b188f92d21934a2c1104a5b5c0a9f3
SHA3-384 hash: ba2c450f017607b0c38f45ee562c3e43c19935ba4cd6c9009fdb7dd036524dc0faf1951d35c020902da45d7e7db153cc
SHA1 hash: ccd35b850c45abc3a8142c1f36c1e3c283f516d7
MD5 hash: 4b6dbebda46381a3a9062e690102669f
humanhash: muppet-connecticut-music-princess
File name: CREDIT NOTE.exe
Signature: FormBook
File size: 415'744 bytes
First seen: 2020-07-22 08:34:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
Note: this imphash is shared by tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples (counts above), so it identifies a common loader rather than the FormBook family; pivot on it only together with other indicators.
ssdeep: 6144:vyIHr2t9fTPwUhPUm2GhNAr/lvlfL50rRxaA3Gd6nOeqXmxBT0Ytuj42M:vNHr2t3hPUm2iNSv50rfaGg+emxjO
Threatray: 5'200 similar samples on MalwareBazaar
TLSH: C394CF10EBB80BE5DB5947F9E0610650AB78791E67EAD70E2B91F1DC0832B809717F27
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: dongsonvina.co
Sending IP: 111.90.145.114
From: Jennifer Smith <jennifer.smith@hysic.co>
Subject: RE: AW: Order sheet/credit note
Attachment: CREDIT NOTE.rar (contains "CREDIT NOTE.exe")
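The hashes in the entry above and the malspam indicators in the reporter's comment are the pieces a responder would pivot on. The following is an added example, not code from MalwareBazaar or from the reporter: it copies those indicator values (file hashes, the domains and IP from the sandbox run, the HELO, sender domain and sending IP of the malspam, the attachment names) into a small matcher and runs it over constructed mail-gateway, proxy, DNS and EDR log lines. The log lines, field layout and the byte strings fed to the hash functions are constructed for illustration; imphash, ssdeep and TLSH need third-party libraries and are not computed.

```python
"""Indicator matcher built from this MalwareBazaar entry.

Added example, not code from MalwareBazaar or from the reporter. The
indicator values are copied from the entry; the log lines and the byte
strings fed to the hash functions are constructed for illustration.
"""
import hashlib
import re

# Indicators copied from the entry above.
IOCS = {
    "sha256": {"3e58111450129327ec78aca888dade3083b188f92d21934a2c1104a5b5c0a9f3"},
    "sha1": {"ccd35b850c45abc3a8142c1f36c1e3c283f516d7"},
    "md5": {"4b6dbebda46381a3a9062e690102669f"},
    "domain": {
        "www.mljxb.com", "japanaddiction.com", "www.jinle8.com",  # sandbox contacts
        "dongsonvina.co", "hysic.co",                              # malspam HELO / sender
    },
    "ip": {"124.248.158.131", "111.90.145.114"},  # sandbox contact / sending MTA
    "filename": {"CREDIT NOTE.rar", "CREDIT NOTE.exe"},
}

HEX_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_bytes(data: bytes) -> dict:
    """The stdlib digests MalwareBazaar lists for a sample. imphash, ssdeep and
    TLSH need third-party libraries (pefile, ssdeep, py-tlsh) and are not computed."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_sample(data: bytes) -> set:
    """Hash algorithms under which `data` is this entry's sample (empty set = no match).
    Check all three: an MD5 or SHA1 match alone should not be trusted."""
    digests = hash_bytes(data)
    return {alg for alg in ("md5", "sha1", "sha256") if digests[alg] in IOCS[alg]}


def scan_log(lines) -> list:
    """Return sorted (line_index, ioc_type, value) tuples for every indicator found.
    Matching is case-insensitive; domains are matched as whole tokens, filenames
    as substrings (the attachment name may appear inside a full path)."""
    hits = set()
    for i, line in enumerate(lines):
        low = line.lower()
        for h in HEX_RE.findall(low):
            kind = HASH_KIND[len(h)]
            if h in IOCS[kind]:
                hits.add((i, kind, h))
        for ip in IP_RE.findall(low):
            if ip in IOCS["ip"]:
                hits.add((i, "ip", ip))
        for dom in DOMAIN_RE.findall(low):
            if dom in IOCS["domain"]:
                hits.add((i, "domain", dom))
        for name in IOCS["filename"]:
            if name.lower() in low:
                hits.add((i, "filename", name))
    return sorted(hits)


# Constructed log lines (mail gateway, proxy, DNS, EDR); not real telemetry.
SAMPLE_LOGS = [
    'mta: helo=dongsonvina.co client=111.90.145.114 from=<jennifer.smith@hysic.co> '
    'subject="RE: AW: Order sheet/credit note" attach="CREDIT NOTE.rar"',
    "proxy: src=10.0.0.23 dst=124.248.158.131:80 host=japanaddiction.com proc=explorer.exe",
    "dns: client=10.0.0.23 query=www.jinle8.com type=A",
    'edr: file="C:\\Users\\user\\Downloads\\CREDIT NOTE.exe" '
    "sha256=3e58111450129327ec78aca888dade3083b188f92d21934a2c1104a5b5c0a9f3",
    "proxy: src=10.0.0.24 dst=93.184.216.34:443 host=example.com proc=chrome.exe",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS):
        print(hit)
    print(matches_sample(b"MZ this is not the sample"))  # set()
```

The matcher deliberately keeps the sender domain and HELO as separate indicators from the sandbox C2 domains: the first two only tell you a message came through the same malspam infrastructure, the latter that the payload actually ran and called home.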

Intelligence

File Origin
# of uploads: 1
# of downloads: 82
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with Startup directory
Unauthorized injection to a system process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 249756
Sample: CREDIT NOTE.exe
Startdate: 23/07/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures:
    DNS/IP: www.mljxb.com
    Malicious sample detected (through community Yara rule)
    Multi AV Scanner detection for dropped file
    Sigma detected: Scheduled temp file as task from temp location
    5 other signatures

Process tree (dropped files, network contacts and signatures listed under the process they belong to):
CREDIT NOTE.exe (started)
    dropped: C:\Users\user\AppData\...\wbnVxBwJkOpRmW.exe, PE32
    dropped: C:\Users\user\AppData\Local\...\tmpCC5E.tmp, XML
    dropped: C:\Users\user\AppData\...\CREDIT NOTE.exe.log, ASCII
    CREDIT NOTE.exe (started, second instance)
        Modifies the context of a thread in another process (thread injection)
        Maps a DLL or memory area into another process
        Sample uses process hollowing technique
        Queues an APC in another process (thread injection)
        explorer.exe (injected)
            network: japanaddiction.com 124.248.158.131, 49712, 80, KIRKAGOYAJAPANIncJP Japan
            network: www.jinle8.com
            network: 2 other IPs or domains
            dropped: C:\Users\user\AppData\...\audiodgyf1pyxz.exe, PE32
            System process connects to network (likely due to code injection or exploit)
            Benign windows process drops PE files
            explorer.exe (started)
                dropped: C:\Users\user\AppData\...\06Llogrv.ini, data
                dropped: C:\Users\user\AppData\...\06Llogri.ini, data
                dropped: C:\Users\user\AppData\...\06Llogrf.ini, data
                Detected FormBook malware
                Tries to steal Mail credentials (via file access)
                Tries to harvest and steal browser information (history, passwords, etc)
                2 other signatures
                cmd.exe (started)
                    conhost.exe (started)
            audiodgyf1pyxz.exe (started)
                audiodgyf1pyxz.exe (started, second instance)
                    Modifies the context of a thread in another process (thread injection)
                    Maps a DLL or memory area into another process
                    Sample uses process hollowing technique
            WWAHost.exe (started)
                Tries to detect virtualization through RDTSC time measurements
    schtasks.exe (started)
        conhost.exe (started)
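Two behaviours in the graph above are the ones worth turning into detections: schtasks.exe registering a task from the XML dropped in the user's temp directory (the "Scheduled temp file as task from temp location" Sigma hit), and explorer.exe, a system process, connecting to japanaddiction.com after the second CREDIT NOTE.exe instance hollowed it. The following is an added example, not the sandbox vendor's or MalwareBazaar's rule logic. The events are constructed in a Sysmon-like shape (process creation with command line, remote-thread creation with source and target, network connection with owning process); the field names, PIDs, full paths and the schtasks command line are assumptions, only the image names, the dropped XML file name and the destination host and IP come from the graph.

```python
"""Detections for the sandbox behaviours above: a scheduled task registered
from a temp-directory XML, and a network connection from a system process
that was previously injected into.

Added example, not the sandbox vendor's or MalwareBazaar's rules. Events
are constructed in a Sysmon-like shape; field names, PIDs, paths and the
schtasks command line are assumptions.
"""
import ntpath
import re

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "dwm.exe"}


def _name(image):
    """Lower-cased basename of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def _arg(cmdline, flag):
    """Value following a schtasks flag such as /XML or /TR, quoted or bare."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2) or "") if m else ""


def detect_schtasks_from_temp(events):
    """Sigma-style rule: schtasks /Create whose /XML or /TR path lives in a temp
    directory. Returns (pid, flag, path) per hit."""
    alerts = []
    for ev in events:
        if ev["type"] != "process" or _name(ev["image"]) != "schtasks.exe":
            continue
        if "/create" not in ev["cmdline"].lower():
            continue
        for flag in ("/XML", "/TR"):
            path = _arg(ev["cmdline"], flag).lower()
            if any(t in path for t in TEMP_MARKERS):
                alerts.append((ev["pid"], flag, path))
                break
    return alerts


def detect_injected_system_process_network(events):
    """Network connection from a system image whose PID earlier received a remote
    thread from a non-system image (Sysmon event 8 shape). Events must be in
    chronological order. Returns (pid, host, ip, port, injecting_image) per hit."""
    injected = {}  # target pid -> image that injected into it
    alerts = []
    for ev in events:
        if (ev["type"] == "remote_thread"
                and _name(ev["source_image"]) not in SYSTEM_IMAGES
                and _name(ev["target_image"]) in SYSTEM_IMAGES):
            injected[ev["target_pid"]] = ev["source_image"]
        elif (ev["type"] == "network"
                and _name(ev["image"]) in SYSTEM_IMAGES
                and ev["pid"] in injected):
            alerts.append((ev["pid"], ev["dst_host"], ev["dst_ip"], ev["dst_port"],
                           injected[ev["pid"]]))
    return alerts


# Constructed events. Only the image names, the tmpCC5E.tmp XML and the
# japanaddiction.com / 124.248.158.131 contact come from the sandbox graph;
# PIDs, paths, the task name and the command lines are assumptions.
EVENTS = [
    {"type": "process", "pid": 11, "image": r"C:\Users\user\Desktop\CREDIT NOTE.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\user\Desktop\CREDIT NOTE.exe"'},
    {"type": "process", "pid": 17, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\CREDIT NOTE.exe",
     "cmdline": r'"schtasks.exe" /Create /TN "Updates" /XML "C:\Users\user\AppData\Local\Temp\tmpCC5E.tmp"'},
    {"type": "remote_thread", "source_pid": 14, "source_image": r"C:\Users\user\Desktop\CREDIT NOTE.exe",
     "target_pid": 19, "target_image": r"C:\Windows\explorer.exe"},
    {"type": "network", "pid": 19, "image": r"C:\Windows\explorer.exe",
     "dst_host": "japanaddiction.com", "dst_ip": "124.248.158.131", "dst_port": 80},
    # Benign noise: a task registered from ProgramData, and the user's own
    # (un-injected) explorer.exe talking to a file server.
    {"type": "process", "pid": 50, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
    {"type": "network", "pid": 4212, "image": r"C:\Windows\explorer.exe",
     "dst_host": "fileserver.corp.example", "dst_ip": "10.0.0.5", "dst_port": 445},
]

if __name__ == "__main__":
    print(detect_schtasks_from_temp(EVENTS))
    print(detect_injected_system_process_network(EVENTS))
```

explorer.exe and svchost.exe make legitimate network connections all day, so the second rule keys on the prior remote-thread event into that exact PID rather than on the image name alone; without that correlation the sandbox's "System process connects to network" signature is far too noisy to alert on in production.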
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-07-22 08:36:07 UTC
AV detection: 21 of 27 (77.78%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: trojan spyware stealer family:formbook persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam / FormBook
Executable exe 3e58111450129327ec78aca888dade3083b188f92d21934a2c1104a5b5c0a9f3 (this sample)

Delivery method: Distributed via e-mail attachment

Comments