MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ba24a9faa6235568bd8c2fdf37df1edde77382e5eabedbe1854bcf8e30745a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ba24a9faa6235568bd8c2fdf37df1edde77382e5eabedbe1854bcf8e30745a1
SHA3-384 hash: 95160946891b40be25d2e49aad8da73cd38bc5e6896a38de70d1d6b88dda8419c195acd8b4a9f2d000e50a5b866ec2e1
SHA1 hash: c242cd8c52fc8ad23c64d250b7f1413acd9d90d0
MD5 hash: ac297ca5163977ba16dcaccee8d21e2b
humanhash: oregon-zebra-bluebird-arizona
File name:M+S H2O Quotation.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:717'312 bytes
First seen:2020-07-21 07:40:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:+KtOV/nAR2f8eng8s2Bclnqb+dGfrBk9VaonKG5dSNz:+zjf8eng7qbAyeionx+z
Threatray 4'968 similar samples on MalwareBazaar
TLSH FBE4AE40D7F84AD9E7BA07B9E461005087B2B41AA7E6E7591B90F4ED1862353CB33F63
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.megatroncorp.community
Sending IP: 162.241.205.158
From: Nurul Najwa <server@huttprimax.partners>
Reply-To: info-mpluss@europe.com
Subject: M+S H2O Ltd // Request For Quotation // 21.7.2020
Attachment: M+S H2O Quotation.zip (contains "M+S H2O Quotation.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29828/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392786
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 248657 Sample: M+S H2O Quotation.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 41 www.rupee.store 2->41 49 Multi AV Scanner detection for domain / URL 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 5 other signatures 2->55 11 M+S H2O Quotation.exe 5 2->11         started        signatures3 process4 file5 39 C:\Users\user\...\M+S H2O Quotation.exe.log, ASCII 11->39 dropped 69 Injects a PE file into a foreign processes 11->69 15 M+S H2O Quotation.exe 11->15         started        signatures6 process7 signatures8 71 Modifies the context of a thread in another process (thread injection) 15->71 73 Maps a DLL or memory area into another process 15->73 75 Sample uses process hollowing technique 15->75 77 Queues an APC in another process (thread injection) 15->77 18 explorer.exe 1 4 15->18 injected process9 dnsIp10 43 www.skypharmacyrx2017.com 172.67.190.186, 49710, 80 CLOUDFLARENETUS United States 18->43 45 www.sunsethillliving.com 18->45 47 www.facebookmarketplaceimport.com 18->47 31 C:\Users\user\AppData\...\igfxzzxdzh.exe, PE32 18->31 dropped 57 System process connects to network (likely due to code injection or exploit) 18->57 59 Benign windows process drops PE files 18->59 23 msiexec.exe 1 18 18->23         started        file11 signatures12 process13 file14 33 C:\Users\user\AppData\...\946logrv.ini, data 23->33 dropped 35 C:\Users\user\AppData\...\946logri.ini, data 23->35 dropped 37 C:\Users\user\AppData\...\946logrf.ini, data 23->37 dropped 61 Detected FormBook malware 23->61 63 Tries to steal Mail credentials (via file access) 23->63 65 Tries to harvest and steal browser information (history, passwords, etc) 23->65 67 3 other signatures 23->67 27 cmd.exe 1 23->27         started        signatures15 process16 process17 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7ba24a9faa6235568bd8c2fdf37df1edde77382e5eabedbe1854bcf8e30745a1/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 07:42:09 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=porevh5kmi2vnc6yyl67g7pr5xphoobol2v63pqyks6pryyhiwqq._file
Verdict:
malicious
Similar samples:
0725fa234dd7f9bdcbcd0eef96c79017200f5c27676e4126a00c6d33e6601a5a
FormBook
2059f1585290ca102aa23d8d92f479a4c0940f1a8957b5226e4c36b9b115c7c5
FormBook
3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270
FormBook
6f7ceadb0d2fed6b1c7fed3f479dad5a0e6e91263ae9fb0d5d97b811c1fb90c4
FormBook
ad0c0d03282b4abf01f435f798fbb71d0243714518f265fc8f102f909822e671
FormBook
b45fb97506ddaaddd21207b75f9a877fd65fedc6324fc10a7d16381bdef232a1
FormBook
b73caeffe98a9035eefe1465bf9c883f306372f8b4ca2d18973fc18277781363
FormBook
c3aa64f063330b257fdd6f3d0dd8479b3a4877140b771b4ccf3cae4e10ffe4e9
FormBook
cd4983261b9d093fb2a63ff9fa199aa44fae617a7a0e74b80d986d3c663a4c97
FormBook
ea6bf70c8d6a8518f7429d86a52199a64476182e00c033cfba597a0ce7a09352
FormBook
+ 4'958 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200721-2a7mkeby9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ba24a9faa6235568bd8c2fdf37df1edde77382e5eabedbe1854bcf8e30745a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 7ef0d5913e693f9404b58bd0a1bdb944bc06ee8196b74d28f305852f14eef07e

FormBook

Executable exe 7ba24a9faa6235568bd8c2fdf37df1edde77382e5eabedbe1854bcf8e30745a1

(this sample)

  
Dropped by
MD5 09e81bac1d78fcfc019ac163391482fd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29828/
  
Dropped by
SHA256 7ef0d5913e693f9404b58bd0a1bdb944bc06ee8196b74d28f305852f14eef07e

Comments