MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501
SHA3-384 hash: c33e71a60c4c9275277e3df65391f2a3988b52bc001f7de3ca538717a2eb2a4259541fa555aa1a8fd5b59e8fd7b60330
SHA1 hash: 5dbc7d12096ff11d9dd76f23032adc6f94d72cf7
MD5 hash: 1c519feaecfa913fb9431729d2981cd3
humanhash: twenty-violet-neptune-king
File name:PO-4093021b.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:466'432 bytes
First seen:2020-07-21 06:34:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:chh95s2HLSyRw6TByocRzLoIrLkMTMtMnxauuo4O6kxWujKZJH:qTwrFdn37eoeTmsH
Threatray 5'217 similar samples on MalwareBazaar
TLSH BCA47B00D7F84ADAE3BA57BDE464004087B1B51AA7EAE75D5B90F0ED1862761CB13F23
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: Cloud.highlightlogin.com
Sending IP: 68.169.59.5
From: Joakim Kim <J.kim@jetairwerks.com>
Subject: Re: Purchase Order PO-4093021b
Attachment: PO-4093021b.z (contains "PO-4093021b.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29711/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392517
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 248449 Sample: PO-4093021b.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 55 www.laurenlawson2.com 2->55 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 5 other signatures 2->75 11 PO-4093021b.exe 5 2->11         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\PO-4093021b.exe.log, ASCII 11->51 dropped 93 Tries to detect virtualization through RDTSC time measurements 11->93 15 PO-4093021b.exe 11->15         started        signatures6 process7 signatures8 95 Modifies the context of a thread in another process (thread injection) 15->95 97 Maps a DLL or memory area into another process 15->97 99 Sample uses process hollowing technique 15->99 101 Queues an APC in another process (thread injection) 15->101 18 explorer.exe 1 6 15->18 injected process9 dnsIp10 57 www.domaky.com 162.213.250.91, 49724, 80 NAMECHEAP-NETUS United States 18->57 59 www.thespartanworkoutplan.com 18->59 43 C:\Users\user\AppData\...\_6qdjltv4n0.exe, PE32 18->43 dropped 77 System process connects to network (likely due to code injection or exploit) 18->77 79 Benign windows process drops PE files 18->79 23 netsh.exe 1 19 18->23         started        27 _6qdjltv4n0.exe 4 18->27         started        29 wlanext.exe 18->29         started        file11 signatures12 process13 file14 45 C:\Users\user\AppData\...\-06logrv.ini, data 23->45 dropped 47 C:\Users\user\AppData\...\-06logri.ini, data 23->47 dropped 49 C:\Users\user\AppData\...\-06logrf.ini, data 23->49 dropped 81 Detected FormBook malware 23->81 83 Tries to steal Mail credentials (via file access) 23->83 85 Tries to harvest and steal browser information (history, passwords, etc) 23->85 91 2 other signatures 23->91 31 cmd.exe 2 23->31         started        35 cmd.exe 1 23->35         started        87 Injects a PE file into a foreign processes 27->87 37 _6qdjltv4n0.exe 27->37         started        89 Tries to detect virtualization through RDTSC time measurements 29->89 signatures15 process16 file17 53 C:\Users\user\AppData\Local\Temp\DB1, SQLite 31->53 dropped 61 Tries to harvest and steal browser information (history, passwords, etc) 31->61 39 conhost.exe 31->39         started        41 conhost.exe 35->41         started        63 Modifies the context of a thread in another process (thread injection) 37->63 65 Maps a DLL or memory area into another process 37->65 67 Sample uses process hollowing technique 37->67 signatures18 process19
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 06:36:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=khj4wz66ionmukauvzpnuvw4omh4lehnonj2xjd75pcfdr2a6uaq._file
Verdict:
malicious
Similar samples:
0d567b16454b8c3be5e7dbc796bf7049c0eb18ba9a625d6b5f45eff7202aaf70
FormBook
165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d
FormBook
22f4207de77f987b6791843539e25e05ff3f6c010e805330210399e23c323b87
FormBook
8509ca4c5f81525eb6f300294703c9c66af0369374bc064ac024c9dae62c7092
FormBook
b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f
FormBook
c2d515e9dd5705196004ff3a32c774ac254b80d3fe97d6d8619c0468ef6ecabf
FormBook
c3aa64f063330b257fdd6f3d0dd8479b3a4877140b771b4ccf3cae4e10ffe4e9
FormBook
ca3ab25a8c3213aa08113b09cc4b60df1d2c440aeb0e02c1e3bd192a57f86208
FormBook
d6330004986cb2968200bad58cb3f1135e2383d9bdf6894feff0f28f952f4c2b
FormBook
fff1c46e62b2f3a4e202e05aebfc1e7d72b8b3c540912fe18f4b97dc4ab50e55
FormBook
+ 5'207 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200721-j39hr8zyex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z a2d859a5da2aab82c016316b7ac31bad83af5392275e46e71c0476f8651f3f7b

FormBook

Executable exe 51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501

(this sample)

  
Dropped by
MD5 01426264bc4f9f84d1357bfc0898ad2f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a2d859a5da2aab82c016316b7ac31bad83af5392275e46e71c0476f8651f3f7b
Cape
Cape
https://www.capesandbox.com/analysis/29711/

Comments