MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d8f0c6fdcd021f11d41e3da7521ec78e5460def24bd61f7eb15879788fafcc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 8



SHA256 hash: 8d8f0c6fdcd021f11d41e3da7521ec78e5460def24bd61f7eb15879788fafcc2
SHA3-384 hash: 1d8f2ef861cc9e745b9a27cbbc6f7b35d76ff781eec73c23980aafd2bd18db21b984cd1f2640224019edf549c1888070
SHA1 hash: 650a237a92741d9ddc4a6467d179e679a5c8ae6e
MD5 hash: 64e041d709a1b6d2b8ae678e0ba63c5b
humanhash: rugby-orange-foxtrot-ohio
File name: Proforma Doc.exe
Signature: FormBook
File size: 274'944 bytes
First seen: 2020-07-20 12:05:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:ykVptM0eETEttzVyjPJaPyBxWOt1n5wFOviFlN4Ln/DF9cZ:ykVptM0eETEHzePJiMxWON8OGlN4D/Di
Threatray: 3'211 similar samples on MalwareBazaar
TLSH: AC44D041F359273BCA59E67CA0B16F1D4671AF55A233F349D96860AF88263D0878233F
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: unitechsystem.com
Sending IP: 95.211.253.194
From: Aadila Al Shanfari <adila.Shanfari@unitechsystem.com>
Subject: Re: Notice Of Payment release and confirmation of bank details
Attachment: Proforma Doc.zip (contains "Proforma Doc.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 80
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with Startup directory
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: [graph omitted] (Behavior Graph ID: 248144, Sample: Proforma Doc.exe, Startdate: 21/07/2020, Architecture: WINDOWS, Score: 100)
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2020-07-20 12:07:05 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
System policy modification
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Gathers network information
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Reads user/profile data of web browsers
Drops startup file
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 8d8f0c6fdcd021f11d41e3da7521ec78e5460def24bd61f7eb15879788fafcc2 (this sample)

Delivery method
Distributed via e-mail attachment

Comments