MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1
SHA3-384 hash: a85ce09e3165eb5a62ce68c1a09bd380d12061f2e8ac020ea8e9164bf531eef8251c0415a98b17b69bef02d45dc25e0c
SHA1 hash: 3e85abf112dbe5d5cb3b36f82cb5e5aba4f54757
MD5 hash: 528803eb79a155fc433c390a194ae344
humanhash: winner-lemon-lion-table
File name:shipping documents, INV+BL.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:440'320 bytes
First seen:2020-07-31 05:53:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:fHuZEaQbKfYBAfUgBJ1bV1VhdkgMHSdIx5ROGhAgip1mi:fHu6aQbsfDBJ15hy9HH7OZp
Threatray 5'104 similar samples on MalwareBazaar
TLSH 4494DF9CB0DA641AF45531BE9FF982ABCEA6F56F2283412B12791487807D74C2EC1F71
Reporter abuse_ch
Tags:DHL exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dhl.com
Sending IP: 37.49.224.193
From: DHL Express Service <no-reply@dhl.com>
Subject: DHL Shipment Arrival Notification victim-email
Attachment: shipping documents, INV+BL.zip (contains "shipping documents, INV+BL.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35789/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/404507
Signature
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected FormBook malware
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 254482 Sample: shipping documents, INV+BL.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 62 www.frantac.com 2->62 64 g.msn.com 2->64 66 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->66 74 Malicious sample detected (through community Yara rule) 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 Yara detected AntiVM_3 2->78 80 10 other signatures 2->80 11 shipping documents, INV+BL.exe 7 2->11         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\&startupname&.exe, PE32 11->50 dropped 52 C:\Users\user\AppData\Local\...\tmp5AD7.tmp, XML 11->52 dropped 54 C:\...\&startupname&.exe:Zone.Identifier, ASCII 11->54 dropped 56 C:\...\shipping documents, INV+BL.exe.log, ASCII 11->56 dropped 92 Injects a PE file into a foreign processes 11->92 15 shipping documents, INV+BL.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 106 Modifies the context of a thread in another process (thread injection) 15->106 108 Maps a DLL or memory area into another process 15->108 110 Sample uses process hollowing technique 15->110 112 Queues an APC in another process (thread injection) 15->112 20 explorer.exe 3 6 15->20 injected 25 conhost.exe 18->25         started        process9 dnsIp10 68 www.regulars7.info 162.0.224.251, 49735, 80 NAMECHEAP-NETUS Canada 20->68 70 www.candycrushsaga.cloud 20->70 72 192.168.2.1 unknown unknown 20->72 48 C:\Users\user\AppData\...\0j-dq2kdvnq8.exe, PE32 20->48 dropped 82 System process connects to network (likely due to code injection or exploit) 20->82 84 Benign windows process drops PE files 20->84 27 msdt.exe 1 17 20->27         started        31 0j-dq2kdvnq8.exe 3 20->31         started        33 0j-dq2kdvnq8.exe 2 20->33         started        35 0j-dq2kdvnq8.exe 2 20->35         started        file11 signatures12 process13 file14 58 C:\Users\user\AppData\...\19-logrv.ini, data 27->58 dropped 60 C:\Users\user\AppData\...\19-logri.ini, data 27->60 dropped 94 Detected FormBook malware 27->94 96 Tries to steal Mail credentials (via file access) 27->96 98 Tries to harvest and steal browser information (history, passwords, etc) 27->98 104 3 other signatures 27->104 37 cmd.exe 1 27->37         started        100 Injects a PE file into a foreign processes 31->100 39 0j-dq2kdvnq8.exe 31->39         started        102 Writes to foreign memory regions 33->102 42 0j-dq2kdvnq8.exe 35->42         started        44 0j-dq2kdvnq8.exe 35->44         started        signatures15 process16 signatures17 46 conhost.exe 37->46         started        86 Modifies the context of a thread in another process (thread injection) 39->86 88 Maps a DLL or memory area into another process 39->88 90 Sample uses process hollowing technique 39->90 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 05:55:08 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lylghkexyzcgbvup35uernr7lclibz27jwjvewfhqyvz2h7wc6yq._file
Verdict:
malicious
Similar samples:
169e90fc957c42bef2af2bc472799472af795ceeb2bd945e633d5f589e7e6f56
FormBook
20e86bcf707783ca27ecdb1cfc079fa1ce0462b1bb4ae6538bea061851720927
FormBook
506381110aba86052e5ddfa191dffe2e533c8be5cd6f7104b96ba642aa038fed
FormBook
5c6d005bb7bd065341b432bf6a27117c76115e18ae10fd21906759d05d05f733
FormBook
635411fb8a81c1232977130d52f6643995799475f35d4d3ecf2c0b74c307c876
FormBook
7890ba83f1cbdd2e461231b4862c15ed80300d361715fecece651094de62bd85
FormBook
7abf73f6d63535a3770a681960124ee32f77d0305cfb82e80da13301829d5b25
FormBook
b3349406861e76bfb84f4757a646c3fe94eb5e1cd27abeeffa48aabb6c8fa4d5
FormBook
da418cd645143899691fa8b036073aaa5320a1d6c855699494f4b9b2419fb12e
FormBook
e65997e20f521c8eee713623c45c9600a7a05629c85d73c9dd2bdf696f43e5de
FormBook
+ 5'094 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200731-1h58mdsyea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip bc5808e90a1540e8f2523f7f0e072d7d91d527e68cd50e4caaa98cbbe1988819

FormBook

Executable exe 5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/35789/
  
Dropped by
MD5 d921a212c9cd066df391374b26304466
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bc5808e90a1540e8f2523f7f0e072d7d91d527e68cd50e4caaa98cbbe1988819

Comments