MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60c5ac0b248ca937816d4ec153cfe39bd50f21668e32aa5cd059c1a1aae1315c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60c5ac0b248ca937816d4ec153cfe39bd50f21668e32aa5cd059c1a1aae1315c
SHA3-384 hash: 5dac0a090194bdcea68eea7701f9d9b6bd0991aa39f65aad319a559596823cbad8dfa3c1c63c281013234447a14a6a8c
SHA1 hash: 159b50c4dc2b4ec565fd18e7f2e7635b3d7bcaba
MD5 hash: 8e194957f6ba36254ef057d6098e8a55
humanhash: don-may-sweet-south
File name:uzo.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:461'824 bytes
First seen:2020-08-14 11:14:39 UTC
Last seen:2020-08-14 13:45:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:f7M1vex8RxLfaipREl8GA0cpbYnL0EPp2+UJ:fYEx8Rxj/u8GA0gYnx2+4
Threatray 3'493 similar samples on MalwareBazaar
TLSH 6AA4BE313A5C9F76E03DA77C4224115003F2A526D733EE49FEB2869A4E61FE1463BB16
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: expolanka.com
Sending IP: 103.114.106.11
From: Aditha Rambukwella <adithar@expolanka.com>
Subject: DC 3004 COPY DOCS
Attachment: DC 3004 COPY DOCS.xlsx

Formbook payload URL:
http://103.114.106.11/uzo.exe

Formbook C2:
http://www.flekcht.com/usc/

Intelligence

File Origin
# of uploads :
3
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45870/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.50543.10642.20560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/429583
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 267266 Sample: uzo.exe Startdate: 16/08/2020 Architecture: WINDOWS Score: 100 53 www.fortram.site 2->53 61 Malicious sample detected (through community Yara rule) 2->61 63 Yara detected AntiVM_3 2->63 65 Yara detected FormBook 2->65 67 4 other signatures 2->67 11 uzo.exe 3 2->11         started        signatures3 process4 file5 51 C:\Users\user\AppData\Local\...\uzo.exe.log, ASCII 11->51 dropped 81 Writes to foreign memory regions 11->81 83 Allocates memory in foreign processes 11->83 85 Injects a PE file into a foreign processes 11->85 15 RegSvcs.exe 11->15         started        18 RegSvcs.exe 11->18         started        signatures6 process7 signatures8 87 Modifies the context of a thread in another process (thread injection) 15->87 89 Maps a DLL or memory area into another process 15->89 91 Sample uses process hollowing technique 15->91 93 Queues an APC in another process (thread injection) 15->93 20 explorer.exe 2 6 15->20 injected 95 Tries to detect virtualization through RDTSC time measurements 18->95 process9 dnsIp10 55 jumainkaperutours.com 51.81.135.80, 49740, 49741, 49742 OVHFR United States 20->55 57 www.pourboirela.com 20->57 59 2 other IPs or domains 20->59 45 C:\Users\user\AppData\Local\...\tjc7nrtqh.exe, PE32 20->45 dropped 69 System process connects to network (likely due to code injection or exploit) 20->69 71 Benign windows process drops PE files 20->71 25 cscript.exe 1 17 20->25         started        29 tjc7nrtqh.exe 4 20->29         started        31 tjc7nrtqh.exe 3 20->31         started        33 tjc7nrtqh.exe 3 20->33         started        file11 signatures12 process13 file14 47 C:\Users\user\AppData\...\-13logrv.ini, data 25->47 dropped 49 C:\Users\user\AppData\...\-13logri.ini, data 25->49 dropped 73 Detected FormBook malware 25->73 75 Tries to steal Mail credentials (via file access) 25->75 77 Tries to harvest and steal browser information (history, passwords, etc) 25->77 79 3 other signatures 25->79 35 cmd.exe 1 25->35         started        37 conhost.exe 29->37         started        39 conhost.exe 31->39         started        41 conhost.exe 33->41         started        signatures15 process16 process17 43 conhost.exe 35->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60c5ac0b248ca937816d4ec153cfe39bd50f21668e32aa5cd059c1a1aae1315c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 11:16:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mdc2yczersutpalnj3avht7dtpkq6ilgryzkuxgqlha2dkxbgfoa._file
Verdict:
malicious
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
FormBook
25e2619309515f2a7953682e8d4ea6d13b9c7030159aefbb8521d4316a58c19d
FormBook
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
FormBook
5620eaea502dcc3bc31e10dc48478022f518a15956a4b6565c454dd062859eff
FormBook
5f928f6a534f2420969e9072892d08011473d5993a183c515f2ff2620a33a56f
FormBook
6023812166224ffe7f3ff3efacddccd27c4ae1f09aa2dc9e2f5c8557d6bb4382
FormBook
86c28512dbc7ff79104d2c3bd9e81dcd493016f61316890206d3dcfeee47a244
FormBook
9bf2e6afa0656c8129746c95784146ba85f15ecf46081644192e5bbfd5899144
FormBook
e4a2831ae3ee0aae7fa80df415ccb3774ef85aa9ca7f9f41e18bd603cd72c7bc
FormBook
+ 3'483 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200814-6jd4h8gz9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flekcht.com/usc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60c5ac0b248ca937816d4ec153cfe39bd50f21668e32aa5cd059c1a1aae1315c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsx 9df93e80c81334711777d6650d1a1ee246003ec4919e732366ebd93eda77a174

FormBook

Executable exe 60c5ac0b248ca937816d4ec153cfe39bd50f21668e32aa5cd059c1a1aae1315c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/433110/
  
Dropped by
MD5 d705c1531cbd8f552035cd81524e2a70
  
Dropped by
SHA256 9df93e80c81334711777d6650d1a1ee246003ec4919e732366ebd93eda77a174
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/45870/

Comments