MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 787e032a02ff81b42fa794cc31a55e149cee73a366fa3980bb8da4d05c511834. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 787e032a02ff81b42fa794cc31a55e149cee73a366fa3980bb8da4d05c511834
SHA3-384 hash: 1cebfb8ccee1a07d50267dce5447a33d872c003160cc9b0da52537a1325897fe6676b8facf7a2b7bd32b287aeccd13d4
SHA1 hash: ca5b1dce81332657b0cce26be4dc8e83f3442a0c
MD5 hash: e8e4b92c8e86c537870da9f455e5f04e
humanhash: uniform-autumn-may-india
File name:New Order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:693'248 bytes
First seen:2020-06-12 14:24:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a89812af7e932a04c2b7602f4343fca5 (6 x AgentTesla, 1 x FormBook, 1 x HawkEye)
ssdeep 12288:C4UMzi6Kfzq3lN6UmdingtPxY/whlDWlAS3+Zw9+Td83OLoQ1cmLE/JJhcb:/HtQzHJYngrY/whlK73sw9+R837RD/Jw
Threatray 5'088 similar samples on MalwareBazaar
TLSH 03E4AF62B1F04833C1672A7D9D0BD3B898297E632928D5762FEBDD4C5F39281352A1C7
Reporter abuse_ch
Tags:DHL exe FormBook Outlook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: NAM12-MW2-obe.outbound.protection.outlook.com
Sending IP: 40.92.23.68
From: Postmaster Team <vmangalsingh@hotmail.com>
Subject: ❶✉DHL Intraship Entrant Notice From No: P.O-00126020
Attachment: Shipping Documents.uue (contains "New Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10075/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.GenKryptik.EMFN.19485.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 14:26:07 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pb7agkqc76a3il5hstgddjk6csoo445dm35dtaf3rwsnaxcrda2a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1be61c2f6e006dc35f4d81b2797d967d2a4ff04f854679d334abf13ceec8c508
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
7054e09e939cb0fe23629b11e08c8f299d54694babb5db98df8ead30a9233866
FormBook
ab837860c80711ebd28b745c4794d39d6cdf49281404fac8bbbec29f3a5e1e24
FormBook
ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22
FormBook
b5ee70ba14a2bcb9936bd64d99ce7b51785ba328b16a0be49d47c10cba17980c
FormBook
c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b
FormBook
dea5303370177b621cdd1fd497396ddaa9e94d3edd1407339f52f0dc85a67046
FormBook
e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0
FormBook
f163f4788da0d445dec687df7d215b6af3c4bea10589fa268e6aff20ff335510
FormBook
+ 5'078 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-8h3n2cqr5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.tromagy.com/bhy/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

uue c7008ee8706eae555c67c397a6145135de3e8f1a862e8af1e98920fb368f4efe

FormBook

Executable exe 787e032a02ff81b42fa794cc31a55e149cee73a366fa3980bb8da4d05c511834

(this sample)

  
Dropped by
MD5 c70e6a8288b0b31b3d5704a8b7f3a782
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c7008ee8706eae555c67c397a6145135de3e8f1a862e8af1e98920fb368f4efe
Cape
Cape
https://www.capesandbox.com/analysis/10075/

Comments