MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a65842e4b600e556b4373b55c29508315f3b3acea33075e32d380f6ae606392. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a65842e4b600e556b4373b55c29508315f3b3acea33075e32d380f6ae606392
SHA3-384 hash: 6ac6dde98a5409da97c33489d974f82f6771f4f4a5da20e1390fad4ef0a6af9d2d6776d76f55bb8cc69d7b458fffb0b7
SHA1 hash: c6c91c402a6d545aa6d039e13d8b38a7fe0ec263
MD5 hash: 82cd697bd01d6bab53f40465f9f57ab7
humanhash: sierra-fix-lima-oscar
File name:new_order_#524_for_august.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:833'024 bytes
First seen:2020-08-12 09:57:18 UTC
Last seen:2020-08-12 10:46:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ebcPgYxmOy+2Do4pPeRH89fiL0NOCTfNg1E02dIyo7bryy7ODV8:/IYxPYVZlQ0YCTfYE0vyRV
Threatray 5'309 similar samples on MalwareBazaar
TLSH 3005AEC1F1409E50E81A4E3A893359914B33AC6BEF02C607349CB6597BF76D66A35F83
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44050/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.845.28922.13534.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/422008
Signature
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 263499 Sample: new_order_#524_for_august.exe Startdate: 13/08/2020 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Yara detected AntiVM_3 2->59 61 Yara detected FormBook 2->61 63 7 other signatures 2->63 10 new_order_#524_for_august.exe 3 2->10         started        process3 file4 47 C:\...\new_order_#524_for_august.exe.log, ASCII 10->47 dropped 75 Tries to detect virtualization through RDTSC time measurements 10->75 77 Injects a PE file into a foreign processes 10->77 79 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->79 14 new_order_#524_for_august.exe 10->14         started        17 new_order_#524_for_august.exe 10->17         started        19 new_order_#524_for_august.exe 10->19         started        signatures5 process6 signatures7 93 Modifies the context of a thread in another process (thread injection) 14->93 95 Maps a DLL or memory area into another process 14->95 97 Sample uses process hollowing technique 14->97 99 Queues an APC in another process (thread injection) 14->99 21 explorer.exe 3 6 14->21 injected process8 dnsIp9 53 www.kontaktleader.net 145.239.239.111, 49738, 80 OVHFR France 21->53 55 www.cobuysell.net 21->55 45 C:\Users\user\AppData\...\glep9ro8pfbp.exe, PE32 21->45 dropped 71 System process connects to network (likely due to code injection or exploit) 21->71 73 Benign windows process drops PE files 21->73 26 cmstp.exe 1 17 21->26         started        30 glep9ro8pfbp.exe 3 21->30         started        32 glep9ro8pfbp.exe 2 21->32         started        34 4 other processes 21->34 file10 signatures11 process12 file13 49 C:\Users\user\AppData\...\48-logrv.ini, data 26->49 dropped 51 C:\Users\user\AppData\...\48-logri.ini, data 26->51 dropped 81 Detected FormBook malware 26->81 83 Tries to steal Mail credentials (via file access) 26->83 85 Tries to harvest and steal browser information (history, passwords, etc) 26->85 91 2 other signatures 26->91 36 cmd.exe 1 26->36         started        87 Injects a PE file into a foreign processes 30->87 38 glep9ro8pfbp.exe 30->38         started        41 glep9ro8pfbp.exe 32->41         started        89 Tries to detect virtualization through RDTSC time measurements 34->89 signatures14 process15 signatures16 43 conhost.exe 36->43         started        65 Modifies the context of a thread in another process (thread injection) 38->65 67 Maps a DLL or memory area into another process 38->67 69 Sample uses process hollowing technique 38->69 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7a65842e4b600e556b4373b55c29508315f3b3acea33075e32d380f6ae606392/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 17:44:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
Formbook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
Formbook
3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270
Formbook
3d77c2490675a0f4e86f55ac8751a9a1912cd56bd168d9ae6c110cc385a65872
Formbook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
Formbook
5f6ecbe9757644eb46ceaef0b9e8354e63bab83b29bf47f4812c84beb08acb4f
Formbook
95782c62fb59f497cbcc62927b212edc970d9b70c1f551b2e6587ec196fe1bf6
Formbook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
Formbook
aaf7a834529623fa776d9574d7026a9a40148fec3b8d598e8e8dfced91973760
Formbook
c8b1244a4aa61a5efc1d6ced3ae0407111574eda81cbe9f01f269e5fae9bf4b5
Formbook
+ 5'299 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200812-lkg6ts261s/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.patlod.com/vts/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7a65842e4b60/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a65842e4b600e556b4373b55c29508315f3b3acea33075e32d380f6ae606392

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z d5b41bc327c153b132623ccb82efc519e56065661945e9701d1a7e748a560dc0

Formbook

Executable exe 7a65842e4b600e556b4373b55c29508315f3b3acea33075e32d380f6ae606392

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d5b41bc327c153b132623ccb82efc519e56065661945e9701d1a7e748a560dc0
Cape
Cape
https://www.capesandbox.com/analysis/44050/

Comments