MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: 49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3
SHA3-384 hash: 8f42dbb14be46447d454394eb1f3e65901419fdad891249e33a75d5488c225ba3c7542378436f88ffda998294aeffa49
SHA1 hash: adf0aaf83b186fc9877c5632d66e11240db90f23
MD5 hash: 24e578762b065d2df269dbe5b25a725c
humanhash: purple-moon-missouri-michigan
File name:pjhjuc.jpg
Download: download sample
Signature Formbook
File size:876'544 bytes
First seen:2020-07-31 11:12:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd44fc7474cd1f02fae5c94314314eb4
ssdeep 12288:1esfUazLqCwtZKGdotXPk0XvuZFuj905RzZZaGkzlDajl9oZncIq0lCmwCZRnqy3:1zsEQD2Pk60A8NfmxigOIFF7T7
TLSH 98157C22BEDC4432C3231A788F5B566C5936BD533935AA8A6BF52C48DF397807835393
Reporter @abuse_ch
Tags:exe FormBook


Twitter
@abuse_ch
Malspam distributing Formbook:

HELO: akhaten.nordnet.ws
Sending IP: 144.76.106.247
From: zhouliywang009@yahoo.com <zhouliywang009@yahoo.com>
Subject: PO 17774
Attachment: PO 17774.xls

FormBook payload URL:
https://a.uguu.se/pjhjuc.jpg

Intelligence


File Origin
# of uploads :
1
# of downloads :
33
Origin country :
CH CH
Mail intelligence
No data
Vendor Threat Intelligence
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255322 Sample: pjhjuc.jpg Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 34 www.scottwhit.com 2->34 36 www.hnyadl.com 2->36 38 3 other IPs or domains 2->38 42 Malicious sample detected (through community Yara rule) 2->42 44 Yara detected FormBook 2->44 46 Machine Learning detection for sample 2->46 11 pjhjuc.exe 2->11         started        signatures3 process4 signatures5 56 Detected unpacking (changes PE section rights) 11->56 58 Maps a DLL or memory area into another process 11->58 60 Tries to detect virtualization through RDTSC time measurements 11->60 62 Contains functionality to detect sleep reduction / modifications 11->62 14 pjhjuc.exe 11->14         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 17 explorer.exe 1 14->17 injected process8 dnsIp9 28 xn--oy2b11lymexwcbzy.com 183.111.174.79, 49738, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 17->28 30 www.massvp.com 39.108.57.226, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 17->30 32 5 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 wlanext.exe 1 12 17->21         started        signatures10 process11 signatures12 48 Tries to steal Mail credentials (via file access) 21->48 50 Tries to harvest and steal browser information (history, passwords, etc) 21->50 52 Modifies the context of a thread in another process (thread injection) 21->52 54 2 other signatures 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Threat name:
Win32.Trojan.DataStealer
Status:
Malicious
First seen:
2020-07-31 11:14:07 UTC
AV detection:
23 of 31 (74.19%)
Threat level
  5/5
Result
Malware family:
formbook
Score:
  10/10
Tags:
rat spyware evasion trojan stealer family:formbook persistence
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Executes dropped EXE
Formbook Payload
Formbook
Threat name:
Kryptik
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3

(this sample)

Comments