MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8
SHA3-384 hash: accc52d36ed66b48a2bcbc019f0b3f6fae8f00e4592c56096b7351a464c4c53fb40acaa792aeb3a4805ca95dcedbbb02
SHA1 hash: ba317aa78c6efd8e763f7b7a19c858724c6f2f1d
MD5 hash: 8a26d6812aece27f98e9985488d457b0
humanhash: freddie-tango-september-green
File name:Purchase order-77.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:454'144 bytes
First seen:2020-07-07 12:44:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:dMvByE1k4j2XSiFlXd0Y4SaXXV/8g/6rxdNHtiD5ZCVXF1OU+BHtCOHs6tkuTHMs:zyU+xBHs8MvB
Threatray 5'364 similar samples on MalwareBazaar
TLSH 53A49C7132B5AF8AC93A8BF5655424005FB4296F727DD3286DC130CB12EAF444AA5FB3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: ngay24.com.localdomain
Sending IP: 45.127.62.185
From: Gustav Ernstmeier GmbH <merl@britt.gq>
Subject: Order Confirmation no. 951S2, Customer order no. 77
Attachment: Purchase order-77.pdf.rar (contains "Purchase order-77.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22266/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching the process to change network settings
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 12:46:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7dmvsoxkrydmfmlyovixydpfjv6k7vlyqdkx45dtqwkznpucc4a._file
Verdict:
malicious
Similar samples:
4cc50598ab30ac06a20ce6a6a56deedb59ecb519a814ac791b194f49b63a7daa
FormBook
52e01cac4f5319a7d1177aae77861b4ad8f77b26581d089e948344d0e608b80b
FormBook
8909f47d9db9c66a8ee7b08cf9dad1551e905d48b76f4c3a2acf926c26752ee7
FormBook
9c7b335e031c3c2fde1e7d75cbe08bd0951b0cb8a327fa4bd3e54c4c59d32936
FormBook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
FormBook
9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef
FormBook
b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4
FormBook
bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075
FormBook
d4c2c7795496056ece8e0de136ae63b316508f15bfa28582ceafbb190abfd790
FormBook
da2466ff48f9de5fc946f2c90063f1deb996b01aa93950f51996e888fa93652d
FormBook
+ 5'354 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200707-bxh2j179lx/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
System policy modification
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar a6c8ea9b803a874d6edf0da26459d0589d6c7646c5455c16450e63439a5b188e

FormBook

Executable exe 4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8

(this sample)

  
Dropped by
MD5 78818b1a9753880e73fccd955ad74107
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a6c8ea9b803a874d6edf0da26459d0589d6c7646c5455c16450e63439a5b188e
Cape
Cape
https://www.capesandbox.com/analysis/22266/

Comments