MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7307a0ff8927e1ec7690e4aaf7fcdf16dbef7455d847536625d833ee709a470c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7307a0ff8927e1ec7690e4aaf7fcdf16dbef7455d847536625d833ee709a470c
SHA3-384 hash: 0b4d1e8edc27937bdbea2ddd67fe83eea7b3323415e48130735f82e36a6565b30ae0a0a0e91478c81e9f980d74af71dc
SHA1 hash: b42f6617035ff805a7b691a09afa1059f08a795e
MD5 hash: 7d776710b448706c85804475b1417765
humanhash: mexico-jig-salami-maine
File name:Group booking confirmation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'056'861 bytes
First seen:2020-08-19 11:33:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:BAOcZeJ0STBxDlzVJjuj5NF7pYiKuo0Gxg539FQZMaBQiOzA:bkOB/SNfpYPuyxw96ZMAN
Threatray 392 similar samples on MalwareBazaar
TLSH 20251202B3C28471E43319325E3A7B11AD7D7D205E34DA2EA7D45ABDEE751C0A634BB2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: franceloc-postfix.filnet.fr
Sending IP: 194.187.193.119
From: Cláudia Diniz <info@wip-hausschutz.de>
Reply-To: finance.booking.com@outlook.com
Subject: GROUP CONFIRMATION
Attachment: Group booking confirmation.rar (contains "Group booking confirmation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48467/
Detection(s):
Win.Dropper.NetWire-9102409-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Sending a UDP request
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Creating a file in the %temp% directory
Adding an access-denied ACE
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/437742
Signature
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271380 Sample: Group booking confirmation.exe Startdate: 20/08/2020 Architecture: WINDOWS Score: 80 25 Malicious sample detected (through community Yara rule) 2->25 27 Yara detected FormBook 2->27 29 Yara detected AntiVM autoit script 2->29 31 2 other signatures 2->31 8 Group booking confirmation.exe 10 2->8         started        process3 file4 21 C:\Users\user\AppData\Roaming\...\kljrh.pif, PE32 8->21 dropped 11 kljrh.pif 3 8->11         started        process5 file6 23 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 11->23 dropped 33 Machine Learning detection for dropped file 11->33 35 Writes to foreign memory regions 11->35 15 RegSvcs.exe 11->15         started        17 RegSvcs.exe 11->17         started        signatures7 process8 process9 19 WerFault.exe 15->19         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7307a0ff8927e1ec7690e4aaf7fcdf16dbef7455d847536625d833ee709a470c/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 11:35:07 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
10189128ff7ff4ae10111c65ca809615595304636a0d0e451ee34bf23ee900a2
Formbook
1678611ad4996f718c0a8998ce194dfe117bf47529c4ccad51a6816ecf4f1bb4
Formbook
1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923
Formbook
1ca9978db84d8cad7f6a8f838e106799352c386cfa3aee2bbefa195e7fabe166
Formbook
28d1ce2d141fcfc52b6b8a81f5424920ba2818a14e8ac201446697ff977082de
Formbook
3a61804bb8302d42eb46c25a884cf50e7e6e383a9a48bfbfb1cfbe78ed2ed389
Formbook
4d13350ebf3d38475a0a4a8c223fe6c06e00af3585eb499f60e29639b3944d3f
Formbook
6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f
Formbook
9d1f32d9806bafd63451a59e1768502f31cf9dc746c9e92f62b978c1ed259497
Formbook
fba31181ed1957e81c452fa1e860414d3a2bd2da470074a32f196f873a37d9ad
Formbook
+ 382 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200819-dqxv5xw1fs/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fex-tracks.com/hx232/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
netwire
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7307a0ff8927e1ec7690e4aaf7fcdf16dbef7455d847536625d833ee709a470c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 28d707e4640428d9e83363aef1f208e3d4631b2fd4974c2aaa25c7e1668f6dd5

Formbook

Executable exe 7307a0ff8927e1ec7690e4aaf7fcdf16dbef7455d847536625d833ee709a470c

(this sample)

  
Dropped by
MD5 a36284882fa48d8b69b17aa805434dd8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48467/
  
Dropped by
SHA256 28d707e4640428d9e83363aef1f208e3d4631b2fd4974c2aaa25c7e1668f6dd5

Comments