MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 889352094880e37d9fb8d07ca965839f595ac5b821996f4290149d1815981a7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 889352094880e37d9fb8d07ca965839f595ac5b821996f4290149d1815981a7b
SHA3-384 hash: c903cf77faf9f1d37f9b4cf9080533e5aea5699d36bcf2776157b208bcb4aac3837a5cb02d6f269b436eb805e99a4cd2
SHA1 hash: 202b2ec16b3d8e8cca9b28e5c4a4d2f906111aaa
MD5 hash: 1dca9cc9568965d362a359e235daa517
humanhash: black-hawaii-venus-victor
File name:Sample__IMG.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:471'552 bytes
First seen:2020-08-19 12:32:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SCaLCJuGfSN0elyiFpHPh8ACrT+1AI4A0kaeO9:Fk1N0e4i7Ph8NryiI4ACe
Threatray 2'271 similar samples on MalwareBazaar
TLSH 98A401D43AC88B25D73D0BBC9821710023F7D1F1E32ECBADFF8955A115E66658A9B072
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: zmxrelay.ifxnetworks.com
Sending IP: 200.91.200.67
From: gestion humana <gestionhumana@sotrandes.com>
Subject: ORDEN
Attachment: Sample__IMG.rar (contains "Sample__IMG.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48504/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437946
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271463 Sample: Sample__IMG.exe Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 Yara detected AntiVM_3 2->51 53 9 other signatures 2->53 8 Sample__IMG.exe 8 2->8         started        process3 file4 29 C:\Users\user\AppData\...\izCaYdsjvZ.exe, PE32 8->29 dropped 31 C:\Users\...\izCaYdsjvZ.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\Users\user\AppData\Local\...\tmp762F.tmp, XML 8->33 dropped 35 2 other files (1 malicious) 8->35 dropped 57 Tries to detect virtualization through RDTSC time measurements 8->57 59 Injects a PE file into a foreign processes 8->59 12 Sample__IMG.exe 8->12         started        15 schtasks.exe 1 8->15         started        17 Sample__IMG.exe 8->17         started        signatures5 process6 signatures7 69 Modifies the context of a thread in another process (thread injection) 12->69 71 Maps a DLL or memory area into another process 12->71 73 Sample uses process hollowing technique 12->73 75 Queues an APC in another process (thread injection) 12->75 19 explorer.exe 12->19 injected 23 conhost.exe 15->23         started        process8 dnsIp9 41 www.browbarofficial.com 203.170.80.250, 49738, 49739, 49740 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 19->41 43 www.harrystockton.com 19->43 45 2 other IPs or domains 19->45 55 System process connects to network (likely due to code injection or exploit) 19->55 25 wscript.exe 17 19->25         started        signatures10 process11 file12 37 C:\Users\user\AppData\...\0MPlogrv.ini, data 25->37 dropped 39 C:\Users\user\AppData\...\0MPlogri.ini, data 25->39 dropped 61 Detected FormBook malware 25->61 63 Tries to steal Mail credentials (via file access) 25->63 65 Tries to harvest and steal browser information (history, passwords, etc) 25->65 67 3 other signatures 25->67 signatures13
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/889352094880e37d9fb8d07ca965839f595ac5b821996f4290149d1815981a7b/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 12:34:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcjveckiqdrx3h5y2b6kszmdt5mvvrnyegmw6quqcsorqfmydj5q._file
Verdict:
malicious
Similar samples:
2047ecb45a1bd7dad219077cd5446bffc34fdc7acad3d3293c576fc187b08996
FormBook
4cc50598ab30ac06a20ce6a6a56deedb59ecb519a814ac791b194f49b63a7daa
FormBook
5da7735fc8be010eaed89e5776cabe530402d4c6d0c6e5c5de515f12e05081f8
FormBook
5f657de9b0eaeb9eabf6d18a202f7b8c7daafd71d03387366069fe9ebd5f282a
FormBook
61ce5023167c9a25d41656e8bd12b05769fac072fc6edf6024641ae2c77c8ece
FormBook
6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb
FormBook
8a10ba003c94b5e6576d10a0c4bd01cabef6d87e4811e96c1a028e2cde63f414
FormBook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
FormBook
a6e562d91aecb4f9ee29779f6d23d4de1e58460e5d3e15182ff1c1ff0ce76610
FormBook
cf5a86737ab13ec2ea858e0d7c635c3a3c79d1deda05e79a81dd1b470dcb0942
FormBook
+ 2'261 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200819-ceaap3gr9j/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.doneym.com/bll/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/889352094880e37d9fb8d07ca965839f595ac5b821996f4290149d1815981a7b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 6a0432bd3584468e87660ab8034b919ad26f3d4512054fa4568281b8a9578a20

FormBook

Executable exe 889352094880e37d9fb8d07ca965839f595ac5b821996f4290149d1815981a7b

(this sample)

  
Dropped by
MD5 29776b8a55b9890ea06d2cb034a9ce03
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48504/
  
Dropped by
SHA256 6a0432bd3584468e87660ab8034b919ad26f3d4512054fa4568281b8a9578a20

Comments