MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b
SHA3-384 hash: 718d3ec279d0c5c765f8b4c423d24daaa7f2eea28ba81fed314bb7f874954e81e377a953a49e2c2ed7cc7e4b135865ab
SHA1 hash: 8f03158dbe6edd2a6fdbedbf860f5905030202e1
MD5 hash: e90d5fb481511c5d3c844529fe20ee00
humanhash: winter-yellow-delaware-washington
File name:Purchase Order-0096005.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:588'288 bytes
First seen:2020-07-29 05:26:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:p0kmpsMIhHkXVaahAwoqIv7620QuWl3H94k+:ekdXsAwZq7l3H4
Threatray 5'190 similar samples on MalwareBazaar
TLSH 53C4CF19B6B0ED16E2BE61F5E19C1118CFFCC983526BF3056873B2AB16E73A2D601171
Reporter abuse_ch
Tags:exe FormBook Hostwinds


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hwsrv-752572.hostwindsdns.com
Sending IP: 104.168.237.25
From: Adnan Nathanial <info@mv-exports.com>
Subject: Purchase Order/Taraz Technologies-TR27072020
Attachment: Purchase Order-0096005.zip (contains "Purchase Order-0096005.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34130/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401197
Signature
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252813 Sample: Purchase Order-0096005.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 61 www.yofdyk.com 2->61 69 Multi AV Scanner detection for domain / URL 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 8 other signatures 2->75 11 Purchase Order-0096005.exe 1 2->11         started        signatures3 process4 file5 53 C:\Users\...\Purchase Order-0096005.exe.log, ASCII 11->53 dropped 14 Purchase Order-0096005.exe 11->14         started        process6 signatures7 93 Modifies the context of a thread in another process (thread injection) 14->93 95 Maps a DLL or memory area into another process 14->95 97 Sample uses process hollowing technique 14->97 99 Queues an APC in another process (thread injection) 14->99 17 explorer.exe 3 6 14->17 injected process8 dnsIp9 55 balancer.wixdns.net 35.242.251.130, 49746, 49749, 49750 GOOGLEUS United States 17->55 57 www.products-news.com 204.11.56.48, 49744, 80 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 17->57 59 3 other IPs or domains 17->59 47 C:\Users\user\AppData\Local\...\xto4h5jl.exe, PE32 17->47 dropped 77 System process connects to network (likely due to code injection or exploit) 17->77 79 Benign windows process drops PE files 17->79 22 WWAHost.exe 17->22         started        26 xto4h5jl.exe 17->26         started        28 xto4h5jl.exe 17->28         started        30 control.exe 17->30         started        file10 signatures11 process12 file13 49 C:\Users\user\AppData\...\0L0logrv.ini, data 22->49 dropped 51 C:\Users\user\AppData\...\0L0logri.ini, data 22->51 dropped 81 Detected FormBook malware 22->81 83 Tries to steal Mail credentials (via file access) 22->83 85 Tries to harvest and steal browser information (history, passwords, etc) 22->85 91 2 other signatures 22->91 32 cmd.exe 22->32         started        87 Injects a PE file into a foreign processes 26->87 34 xto4h5jl.exe 26->34         started        37 xto4h5jl.exe 28->37         started        39 xto4h5jl.exe 28->39         started        41 xto4h5jl.exe 28->41         started        43 xto4h5jl.exe 28->43         started        89 Tries to detect virtualization through RDTSC time measurements 30->89 signatures14 process15 signatures16 45 conhost.exe 32->45         started        63 Modifies the context of a thread in another process (thread injection) 37->63 65 Maps a DLL or memory area into another process 37->65 67 Sample uses process hollowing technique 37->67 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 05:27:10 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgaz3owboykhwffypasqwq6rsveejzxq2s5m5c2ga65niqc4vfvq._file
Verdict:
malicious
Similar samples:
0cd37496a09d3516103a2ba627f8c4bc9ba2eb99b0618d719a3fa9d708b9862d
FormBook
0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197
FormBook
1ca8077766ec7d0dfa82b3bdbaf9ca5d3410ba194398534fa4d4276f5bbba9c8
FormBook
4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568
FormBook
65cd6807556189c85811f11fb91a981749e7d9760e5a72c0845dd6b8ff93a8f9
FormBook
773fbca16ec67d4820654e39aaa65645f8608a8f7186f12b5ed62498ff1334c6
FormBook
7f4d53805b50624cb5e92857423661c3aef89e24c4ca63e79fdf62cbe2cb694c
FormBook
8c0b9f69c227d86700be2a4dc67460fa30e46610e444a7dbe143a9bc5bda1297
FormBook
bb0c96dd4021c9d4f7b7f85ce5372ef74f7ba8c1a257d2c152db052020219799
FormBook
e8172cbc3806d750d00a5619e618ffc068b9d8247b5f4da507642e70e32ac3f9
FormBook
+ 5'180 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200729-2cv25j84ls/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip c3e06adac1de1ffc979fb03a2568122dd2d9df5317ac929c65b992502613a073

FormBook

Executable exe 89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b

(this sample)

  
Dropped by
MD5 1ebd9f034bf51511c62005f93a9cd7f4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34130/
  
Dropped by
SHA256 c3e06adac1de1ffc979fb03a2568122dd2d9df5317ac929c65b992502613a073

Comments