MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 516af190e411859eafe3334997490013f00b0a6199ef034a584df640a3993440. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 516af190e411859eafe3334997490013f00b0a6199ef034a584df640a3993440
SHA3-384 hash: adce51f7e9384965695455a4bdf81a2c155ea2f06069be51cb1338767b61f546ee0e0312ffb443ad56fe7ad7fdda07c0
SHA1 hash: 3648fdde6cb192dcabde3cb7f17f58bf454ec0e1
MD5 hash: 5ac4e04aca5a3bfaf13c7c5d429cc017
humanhash: purple-xray-pip-victor
File name:OFFICIAL PAYMENT MODE DURING COVID-19 PANDEMIC-2020.com
Download: download sample
Signature FormBook
Create hunting rule
File size:492'032 bytes
First seen:2020-07-07 09:18:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Jsm75fFmAUF1QU+BHtCOFBcMmkDpnCjNaRrMMi:ZU+xBncMmkDIZa6p
Threatray 5'584 similar samples on MalwareBazaar
TLSH D1A48D753221AED7CA390AF0800429817FF4666B396EE3E9BCC270C661C5FD09B565B7
Reporter abuse_ch
Tags:com FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: emiratespalace.ae
Sending IP: 193.142.58.27
From: saiju_antony@emiratespalace.ae
Reply-To: saiju_antony@emiratespalace.ae<donc2018@bk.ru>
Subject: Fw: Emialling: NEW OFFICIAL PAYMENT MODE DURING COVID-19 PANDEMIC
Attachment: OFFICIAL PAYMENT MODE DURING COVID-19 PANDEMIC-2020.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22134/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Launching the process to change network settings
Launching cmd.exe command interpreter
Possible injection to a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/384103
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 244204 Sample: tqwCcsNK1T.exe Startdate: 08/07/2020 Architecture: WINDOWS Score: 100 65 Multi AV Scanner detection for domain / URL 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 12 other signatures 2->71 10 tqwCcsNK1T.exe 7 2->10         started        process3 file4 45 C:\Users\user\AppData\...\cwylpghoIDGGCx.exe, PE32 10->45 dropped 47 C:\...\cwylpghoIDGGCx.exe:Zone.Identifier, ASCII 10->47 dropped 49 C:\Users\user\AppData\Local\...\tmp8C8C.tmp, XML 10->49 dropped 51 C:\Users\user\AppData\...\tqwCcsNK1T.exe.log, ASCII 10->51 dropped 83 Tries to detect virtualization through RDTSC time measurements 10->83 85 Injects a PE file into a foreign processes 10->85 14 tqwCcsNK1T.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 tqwCcsNK1T.exe 10->19         started        signatures5 process6 signatures7 97 Modifies the context of a thread in another process (thread injection) 14->97 99 Maps a DLL or memory area into another process 14->99 101 Sample uses process hollowing technique 14->101 103 Queues an APC in another process (thread injection) 14->103 21 explorer.exe 1 6 14->21 injected 26 conhost.exe 17->26         started        process8 dnsIp9 59 www.daberhashery.com 74.220.199.6, 49723, 49724, 49725 UNIFIEDLAYER-AS-1US United States 21->59 61 www.buenos-dias-tapas.com 213.186.33.5, 49716, 80 OVHFR France 21->61 63 4 other IPs or domains 21->63 43 C:\Users\user\AppData\...\etylulbpxpl67.exe, PE32 21->43 dropped 79 System process connects to network (likely due to code injection or exploit) 21->79 81 Benign windows process drops PE files 21->81 28 systray.exe 1 18 21->28         started        32 etylulbpxpl67.exe 3 21->32         started        34 ipconfig.exe 21->34         started        file10 signatures11 process12 file13 53 C:\Users\user\AppData\...\9-2logrv.ini, data 28->53 dropped 55 C:\Users\user\AppData\...\9-2logri.ini, data 28->55 dropped 57 C:\Users\user\AppData\...\9-2logrf.ini, data 28->57 dropped 87 Detected FormBook malware 28->87 89 Tries to steal Mail credentials (via file access) 28->89 91 Tries to harvest and steal browser information (history, passwords, etc) 28->91 95 2 other signatures 28->95 36 cmd.exe 1 28->36         started        38 etylulbpxpl67.exe 32->38         started        93 Tries to detect virtualization through RDTSC time measurements 34->93 signatures14 process15 signatures16 41 conhost.exe 36->41         started        73 Modifies the context of a thread in another process (thread injection) 38->73 75 Maps a DLL or memory area into another process 38->75 77 Sample uses process hollowing technique 38->77 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/516af190e411859eafe3334997490013f00b0a6199ef034a584df640a3993440/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 23:39:39 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfvpdehecgcz5l7dgnezosiacpyawctbthxqgssyjx3ebi4zgraa._file
Verdict:
malicious
Similar samples:
192896dbc7744f51c63044f4bf8a0fd260cc73ddcc84200161ce45b81c7e9e50
FormBook
50823ae6e2e1cdf7aeb3fa1e9398ef0f5f7c244d22e3a1fce261aa0836bd02bd
FormBook
61c7750e724cbe16f38b96cb8118daac29977ce677bade5f7c215a6b97b16d84
FormBook
68cc2dbe766234de0ce7f8853b2526bc8fa7194c106f0cecd55683e297d3764f
FormBook
7369dcfec21741f712f75662e29752b6a55fcacd1fbf76b9948d40b82e89b9a0
FormBook
792ee40918c1cb2ebf202212c5f5bf3f1c945f18e60a93ebca0cd3a9f6bc77cf
FormBook
b29480fdd53b2502fa6041e507a156f1472b8ad21a2458e9cfe49133e762e97d
FormBook
bc58f26c79cc8330e384f602bd129a25103576a1520c5fbc2c27abef784ae1de
FormBook
e50f294da86ca74a28ab00ef44e48d7c0374f4a33e2ed436f9a4ed4e6a01e9b9
FormBook
f9fd67b28fd985eb062137c47d008ee299099dc5adf63168470603ba635a286d
FormBook
+ 5'574 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200707-b9gv3l6has/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
System policy modification
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 516af190e411859eafe3334997490013f00b0a6199ef034a584df640a3993440

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22134/

Comments