MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a42a2ba28ab9ea27b4972e5a8f5c5c066663e3d6427812f0621208bef33ea10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a42a2ba28ab9ea27b4972e5a8f5c5c066663e3d6427812f0621208bef33ea10
SHA3-384 hash: dc00ac5acb5a99419af876f947d1d2197d37e9ff088c12c0b6cd31a130a951392ad97735ec3b949f917d4dc834274f87
SHA1 hash: afa10e4e1406edacb9912f628cd1174d4b9b3420
MD5 hash: 4f35b67046e957d8b66d3a6748abdd73
humanhash: november-yellow-video-oxygen
File name:Order012.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:641'024 bytes
First seen:2020-07-19 09:31:57 UTC
Last seen:2020-07-19 11:11:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash adffce47f22050cf5b8ff3ba2e79cb3f (1 x Formbook)
ssdeep 12288:tB/aceyJY1FpCS93iLgMn4f/H2ETEktvOIpcJpWNNHCf0u1Rak+0f0FxPGyO01lu:ry1GupCSKHETwxONJPF5GyO0
Threatray 5'130 similar samples on MalwareBazaar
TLSH 45D48E72F6514837C56316789C0B53F8682ABE103D28EC867BFD2E4C5F396A139391A7
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27764/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389683
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247015 Sample: Order012.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 58 www.floyspoetry.com 2->58 96 Malicious sample detected (through community Yara rule) 2->96 98 Multi AV Scanner detection for dropped file 2->98 100 Sigma detected: Steal Google chrome login data 2->100 102 8 other signatures 2->102 10 Order012.exe 1 16 2->10         started        signatures3 process4 dnsIp5 68 cdn.discordapp.com 162.159.129.233, 443, 49720, 49730 CLOUDFLARENETUS United States 10->68 54 C:\Users\user\AppData\Local\...behaviorgraphhrvfck.exe, PE32 10->54 dropped 118 Creates multiple autostart registry keys 10->118 120 Modifies the context of a thread in another process (thread injection) 10->120 122 Maps a DLL or memory area into another process 10->122 124 3 other signatures 10->124 15 explorer.exe 8 6 10->15 injected file6 signatures7 process8 dnsIp9 72 remotesensingsolutions.net 198.71.233.227, 49728, 80 AS-26496-GO-DADDY-COM-LLCUS United States 15->72 74 www.remotesensingsolutions.net 15->74 76 2 other IPs or domains 15->76 46 C:\Users\user\AppData\Local\...\ms1bfxcld.exe, PE32 15->46 dropped 92 System process connects to network (likely due to code injection or exploit) 15->92 94 Benign windows process drops PE files 15->94 20 NETSTAT.EXE 1 19 15->20         started        24 mshta.exe 19 15->24         started        26 mshta.exe 19 15->26         started        28 4 other processes 15->28 file10 signatures11 process12 dnsIp13 48 C:\Users\user\AppData\...\--5logrv.ini, data 20->48 dropped 50 C:\Users\user\AppData\...\--5logri.ini, data 20->50 dropped 52 C:\Users\user\AppData\...\--5logrf.ini, data 20->52 dropped 104 Detected FormBook malware 20->104 106 Tries to steal Mail credentials (via file access) 20->106 108 Creates multiple autostart registry keys 20->108 116 2 other signatures 20->116 31 cmd.exe 20->31         started        35 cmd.exe 1 20->35         started        37 Ghrvfck.exe 13 24->37         started        40 Ghrvfck.exe 13 26->40         started        70 cdn.discordapp.com 28->70 110 Modifies the context of a thread in another process (thread injection) 28->110 112 Maps a DLL or memory area into another process 28->112 114 Sample uses process hollowing technique 28->114 file14 signatures15 process16 dnsIp17 56 C:\Users\user\AppData\Local\Temp\DB1, SQLite 31->56 dropped 78 Tries to harvest and steal browser information (history, passwords, etc) 31->78 42 conhost.exe 31->42         started        44 conhost.exe 35->44         started        60 162.159.135.233, 443, 49725 CLOUDFLARENETUS United States 37->60 62 cdn.discordapp.com 37->62 80 Multi AV Scanner detection for dropped file 37->80 82 Machine Learning detection for dropped file 37->82 84 Modifies the context of a thread in another process (thread injection) 37->84 86 Tries to detect virtualization through RDTSC time measurements 37->86 64 162.159.133.233, 443, 49727 CLOUDFLARENETUS United States 40->64 66 cdn.discordapp.com 40->66 88 Maps a DLL or memory area into another process 40->88 90 Sample uses process hollowing technique 40->90 file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7a42a2ba28ab9ea27b4972e5a8f5c5c066663e3d6427812f0621208bef33ea10/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-07-19 09:33:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjbkforivopke62jols2r5ofybtgmpr5mqtyclygeeqix3zt5iia._file
Verdict:
malicious
Similar samples:
0211865d58af36be2009eb29a77a400355a4cb7b8542d6359a6fa304c3f7d935
Formbook
0df0a487b38b5d9bdbc8e2c05ba4c639dfe09969f5f68c85da43b46c16a48f6b
Formbook
0e7ec69a6222b2753c0167997838b380acfd47834a6d1e7dd2475fd4fe07d63c
Formbook
18dc7ad4fd5ffd0ec8b8f12884b41f3ace4e2ba95f704175ebf0a0eead74ba36
Formbook
1f6b6d481b672f8ed428a044ebffa9e16424317c0081aad3c00cb61a547b90b5
Formbook
560c76df97fdc5816fa9310921082a04b44b781e60bc77f84b970df04a36d1f4
Formbook
6715e87f7070a2d7b5b2c71e98a7bade689a504aed3b95654af3494248a501d4
Formbook
b04cf62e1182fdae7ca1805ccc467ccd6d9a0db1a3a7419a9d6a2b5e41419d06
Formbook
cac635b83d0ee884f8d8bbce419b4c9d13273f4a10c450c2ea50830dc683e3ac
Formbook
ea12fb909266d6a6f7315c8ffe0fcedb6b63ba660cd91e7c2ac4e6db14596171
Formbook
+ 5'120 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
evasion trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200719-dpm4p5e4ze/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a42a2ba28ab9ea27b4972e5a8f5c5c066663e3d6427812f0621208bef33ea10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 7a42a2ba28ab9ea27b4972e5a8f5c5c066663e3d6427812f0621208bef33ea10

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27764/

Comments