MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c6d005bb7bd065341b432bf6a27117c76115e18ae10fd21906759d05d05f733. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	5c6d005bb7bd065341b432bf6a27117c76115e18ae10fd21906759d05d05f733
SHA3-384 hash:	f55fd96a8cb518bfac447f274c2ba8b55b4986e8e8ddb5873ea08d2b57ef09ca95daa379551d4b180dcb8b77d18fc91d
SHA1 hash:	ecd7fe7ccbb1fcbd57bce88beccb16100acc9710
MD5 hash:	e3b048a1e18470f7c6b854933d41599c
humanhash:	double-hamper-fifteen-twelve
File name:	13000003150.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	425'984 bytes
First seen:	2020-08-05 15:36:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:mP3SLT2KVXztSmZuhAYlH5ttHOAvFgrpiA:LT2KVj8mZu2YlH5fvqQA
Threatray	5'352 similar samples on MalwareBazaar
TLSH	F894E044338D6B66D9FC5FF8425C348003F9BE67AE51E7655E8135FA1273B80C2A0AA7
Reporter	abuse_ch
Tags:	DHL exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: dhl.com
Sending IP: 37.49.224.193
From: Noorul Hudha Jiavudeen (DHL) <norulhudha@dhl.com>
Subject: DHL OVERDUE NOTICE - 1300003150 berberimports.com
Attachment: 13000003150.zip (contains "13000003150.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/39770/

Detection(s):

SecuriteInfo.com.Generic.mg.e3b048a1e18470f7.32345.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/411542

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Suspicious Svchost Process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/5c6d005bb7bd065341b432bf6a27117c76115e18ae10fd21906759d05d05f733/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-05 15:38:05 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lrwqaw5xxudfgqnugk7wujyrpr3bcxqyvyip2imqm5m5axif64zq._file

Verdict:

malicious

FormBook

506381110aba86052e5ddfa191dffe2e533c8be5cd6f7104b96ba642aa038fed

FormBook

635411fb8a81c1232977130d52f6643995799475f35d4d3ecf2c0b74c307c876

FormBook

6a07e270c189e9059526fc2570c7e4039f1140115e2f8544bba2b6f5923ac2ce

FormBook

7890ba83f1cbdd2e461231b4862c15ed80300d361715fecece651094de62bd85

FormBook

7abf73f6d63535a3770a681960124ee32f77d0305cfb82e80da13301829d5b25

FormBook

9047151fe524a34dffeacd46eba66b4b0a87beb7f3e513ba8e5c6ca367ccc505

FormBook

b3349406861e76bfb84f4757a646c3fe94eb5e1cd27abeeffa48aabb6c8fa4d5

FormBook

da418cd645143899691fa8b036073aaa5320a1d6c855699494f4b9b2419fb12e

FormBook

e65997e20f521c8eee713623c45c9600a7a05629c85d73c9dd2bdf696f43e5de

FormBook

+ 5'342 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat evasion trojan spyware stealer family:formbook persistence

Link:

https://tria.ge/reports/200805-wgg4k7g84n/

Behaviour

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run key to start application

Reads user/profile data of web browsers

Deletes itself

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/5c6d005bb7bd065341b432bf6a27117c76115e18ae10fd21906759d05d05f733

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip ea91f58446c0baa20f9f4378876319a977d801e2b4870e9ae1f401fba1c495b9

FormBook

exe 5c6d005bb7bd065341b432bf6a27117c76115e18ae10fd21906759d05d05f733

(this sample)

Dropped by

MD5 c838c9f74f7272e146fb2f2c57926023

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/39770/

Dropped by

SHA256 ea91f58446c0baa20f9f4378876319a977d801e2b4870e9ae1f401fba1c495b9

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample