MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d
SHA3-384 hash: c0be09f19c919101273050029643ba58103dc2ce496222abff5810d6f49a10c56399bd4f435b57ccdf996deb0f6e104c
SHA1 hash: 65aa28cce52a8499b34debbd00bbd170018ec54f
MD5 hash: f82f15e166c55ab97537985a9e10ea6d
humanhash: one-twelve-fifteen-snake
File name:prssh.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:431'616 bytes
First seen:2020-08-17 19:00:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Vv4EcmZHAFaxmVmie9bngP2Hsb9jEiua9+PMzxa2vXlppIn/OpjvsQaD:R4EcmZHAFaxmVmie9bngPqsdBua9+KEM
Threatray 2'252 similar samples on MalwareBazaar
TLSH 03946A4A38D0E3DED1E54FB958149C1627FA2F2A420A990FCC6B39D773D9BC1BD20466
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: cloudserver10.qpc.co.th
Sending IP: 203.154.39.142
From: Allen Yu Fu Xiang <Sales@darshanheat.com>
Subject: Re: Payment Proof of Overdue Balance// INV#2020
Attachment: INV2020.xlsx

FormBook payload URL:
http://103.114.106.11/prssh.exe

FormBook C2:
http://www.flekcht.com/bg6/

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47302/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.25387.9958.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/434677
Signature
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 269712 Sample: prssh.exe Startdate: 18/08/2020 Architecture: WINDOWS Score: 100 48 www.perocreations.com 2->48 50 parkingpage.namecheap.com 2->50 66 Malicious sample detected (through community Yara rule) 2->66 68 Yara detected FormBook 2->68 70 Machine Learning detection for sample 2->70 72 2 other signatures 2->72 12 prssh.exe 3 2->12         started        signatures3 process4 file5 46 C:\Users\user\AppData\Local\...\prssh.exe.log, ASCII 12->46 dropped 86 Writes to foreign memory regions 12->86 88 Injects a PE file into a foreign processes 12->88 16 RegSvcs.exe 12->16         started        signatures6 process7 signatures8 58 Modifies the context of a thread in another process (thread injection) 16->58 60 Maps a DLL or memory area into another process 16->60 62 Sample uses process hollowing technique 16->62 64 2 other signatures 16->64 19 explorer.exe 3 6 16->19 injected process9 dnsIp10 52 www.fifatee.com 19->52 54 www.bigexchanger.com 19->54 56 HDRedirect-LB5-1afb6e2973825a56.elb.us-east-1.amazonaws.com 23.20.239.12, 49747, 80 AMAZON-AESUS United States 19->56 40 C:\Users\user\AppData\...\6lup4d2dl43hq8.exe, PE32 19->40 dropped 74 System process connects to network (likely due to code injection or exploit) 19->74 76 Benign windows process drops PE files 19->76 24 rundll32.exe 1 17 19->24         started        28 6lup4d2dl43hq8.exe 2 19->28         started        30 6lup4d2dl43hq8.exe 1 19->30         started        file11 signatures12 process13 file14 42 C:\Users\user\AppData\...\L04logrv.ini, data 24->42 dropped 44 C:\Users\user\AppData\...\L04logri.ini, data 24->44 dropped 78 Detected FormBook malware 24->78 80 Tries to steal Mail credentials (via file access) 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 84 3 other signatures 24->84 32 cmd.exe 1 24->32         started        34 conhost.exe 28->34         started        signatures15 process16 process17 36 conhost.exe 32->36         started        process18 38 conhost.exe 36->38         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 12:10:02 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
48759dee612da5c1b36dfe7ce569a64c3e6528210ca830993cba1996db55ea87
Formbook
52e01cac4f5319a7d1177aae77861b4ad8f77b26581d089e948344d0e608b80b
Formbook
5620eaea502dcc3bc31e10dc48478022f518a15956a4b6565c454dd062859eff
Formbook
5962532a97c0efd1227d42aeddeacf09c0f8c8787e476e650d71ceed4ed52d97
Formbook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
Formbook
a9e4a57e85cb473702863d801a78af3c4e224ac70be4f29a99ae9f2433c0c48d
Formbook
ad0c0d03282b4abf01f435f798fbb71d0243714518f265fc8f102f909822e671
Formbook
aeccef59002b851b685cf54307f906c06adb065b68c3eff112f4b0f1442d1349
Formbook
b801afb5529bee671ee0219b95450122f641260b372695c89d7bdc5c2c227b65
Formbook
efaa9091d5aa1f64ae3b3c1258e90d5bb346e25e75ae3c4530ea9346380e2158
Formbook
+ 2'242 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200817-ewqnvc8caa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flekcht.com/bg6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsx bea157ca27ef422f708a456a0269cc822807cdd461fdb1ad13e75c78aa150c15

Formbook

Executable exe 79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/435088/
  
Dropped by
MD5 a432e1909e981643e38779f92af4638e
  
Dropped by
SHA256 bea157ca27ef422f708a456a0269cc822807cdd461fdb1ad13e75c78aa150c15
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/47302/

Comments