MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8463a584e6cc9d88c4971255edb22b51b3b89a8b87fce207b80d1adf61d5fcce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8463a584e6cc9d88c4971255edb22b51b3b89a8b87fce207b80d1adf61d5fcce
SHA3-384 hash: 21fc15d6d765c6f342cf61149dd5f255722a69971abf4f554a97a37915462a69fa8236bb8fbe24fbfe19dadb57739a97
SHA1 hash: 74ef29a37e96cedaadd988cd7d157f844b90f611
MD5 hash: 630ff7654144a9486c7553548b5c2b9c
humanhash: wolfram-delaware-mars-winner
File name:payment invoice.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:303'104 bytes
First seen:2020-07-07 06:26:39 UTC
Last seen:2020-07-07 08:20:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:/xaIT3YMasZRaCxz1dpTNzqpvDsjnrCGSzhjElOtQWcKng/GS:kIrYMtd5MKnSzBElOWWPg/3
Threatray 5'286 similar samples on MalwareBazaar
TLSH C2540186B3A44317D87E07F9A8A2C1B403797E624635DB6D5DC42CCF79273248A81F6B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail0.506.simonleehung.casa
Sending IP: 46.101.184.147
From: Shabeer M. T <shabeermt@lamco.ae>
Subject: Re: Payment Assistance Due To Covid-19 Pandemic
Attachment: payment invoice.img (contains "payment invoice.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21862/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34130526.13745.6185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8463a584e6cc9d88c4971255edb22b51b3b89a8b87fce207b80d1adf61d5fcce/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 00:48:34 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrr2lbhgzsoyrrexcjk63mrlkgz3rgulq76oeb5ybunn6yov7tha._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0f2473906fd34a74c861e8a2bd8461213b0b82b7b6242087f9597ad9f700dae9
FormBook
51f4e86285f8cb8a14a0d456beed9f15882e4ec7813bc24ff4c20a2389d1ccd0
FormBook
6023812166224ffe7f3ff3efacddccd27c4ae1f09aa2dc9e2f5c8557d6bb4382
FormBook
61b48926bb6bbe4e308cf6e2c48345f50d2bda94f501915bd00a3139f9808e10
FormBook
7917f62cb4f64cd00ecd938bca8ce2bce08454813b608efca9dbac82aa9758c2
FormBook
89b0eacda4ef76a8251ca81f72a3ae643ec5da7a6c103c8b558e27a2d9b8f7c5
FormBook
97e006c5ca29100601289b632e22049f5d8f955c008073fea9791b13cd10849c
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
a361c3ef57783d4012857a289d088c19682187bb0b6f15eabb73865d1d54e180
FormBook
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
FormBook
+ 5'276 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200707-dwz1flk856/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 5162e5537eaf72f20d9868894a797331e2e01f1460eadb7f12a6a66a1c96d179

FormBook

Executable exe 8463a584e6cc9d88c4971255edb22b51b3b89a8b87fce207b80d1adf61d5fcce

(this sample)

  
Dropped by
MD5 740770f1fec614517dd0dd7c42bad8de
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5162e5537eaf72f20d9868894a797331e2e01f1460eadb7f12a6a66a1c96d179
Cape
Cape
https://www.capesandbox.com/analysis/21862/

Comments