MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ec5d666ff1af04113f22c80294db956bedff4123e59ee925c5583c47b7794ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ec5d666ff1af04113f22c80294db956bedff4123e59ee925c5583c47b7794ec
SHA3-384 hash: 80e027353c641a1f66758896f82111374621029adb391796ecd6d6be3f05bab3f0fc97a1c24055ce2ce5660fbce78396
SHA1 hash: 35d1fcf6148587a87d300328408f07ad0135fe00
MD5 hash: dc30d5dfa6284957badb67895cbe8860
humanhash: pip-single-nineteen-edward
File name:MSC DIANA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:618'496 bytes
First seen:2020-08-06 08:01:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:A8EUrc7iGO4DZo4wlAJGOK2eNMmDqdYH+0Ud8vY:7BcysZTwlAfK2KM7YHpUd8w
Threatray 4'950 similar samples on MalwareBazaar
TLSH 93D4BEE1D2244AD7E57C103841251C81D9F19D2AA6A5FADDFCA630D519E3BD30B3BC1B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.esipooaintl.cf
Sending IP: 161.129.67.157
From: bcjung <bcjung@mscnbs.com>
Subject: FW: MSC DIANA REPAIR REQUIREMENT
Attachment: MSC DIANA.zip (contains "MSC DIANA.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/40365/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412587
Signature
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 258561 Sample: MSC DIANA.exe Startdate: 06/08/2020 Architecture: WINDOWS Score: 100 63 Malicious sample detected (through community Yara rule) 2->63 65 Yara detected AntiVM_3 2->65 67 Yara detected FormBook 2->67 69 5 other signatures 2->69 10 MSC DIANA.exe 3 2->10         started        process3 file4 47 C:\Users\user\AppData\...\MSC DIANA.exe.log, ASCII 10->47 dropped 85 Injects a PE file into a foreign processes 10->85 14 MSC DIANA.exe 10->14         started        signatures5 process6 signatures7 87 Modifies the context of a thread in another process (thread injection) 14->87 89 Maps a DLL or memory area into another process 14->89 91 Sample uses process hollowing technique 14->91 93 Queues an APC in another process (thread injection) 14->93 17 explorer.exe 4 6 14->17 injected process8 dnsIp9 49 www.ecommerceinfos.com 82.223.212.218, 49734, 49735, 49736 ONEANDONE-ASBrauerstrasse48DE Spain 17->49 51 www.yofdyk.com 198.187.30.54, 49737, 49738, 49739 NAMECHEAP-NETUS United States 17->51 53 www.atraliving.com 94.136.40.51, 49726, 80 GD-EMEA-DC-LD5GB United Kingdom 17->53 41 C:\Users\user\AppData\...\nnudyd5jupldzp.exe, PE32 17->41 dropped 71 System process connects to network (likely due to code injection or exploit) 17->71 73 Benign windows process drops PE files 17->73 22 systray.exe 1 17 17->22         started        26 nnudyd5jupldzp.exe 3 17->26         started        28 nnudyd5jupldzp.exe 2 17->28         started        30 2 other processes 17->30 file10 signatures11 process12 file13 43 C:\Users\user\AppData\...\4-5logrv.ini, data 22->43 dropped 45 C:\Users\user\AppData\...\4-5logri.ini, data 22->45 dropped 75 Detected FormBook malware 22->75 77 Tries to steal Mail credentials (via file access) 22->77 79 Tries to harvest and steal browser information (history, passwords, etc) 22->79 83 3 other signatures 22->83 32 cmd.exe 1 22->32         started        81 Injects a PE file into a foreign processes 26->81 35 nnudyd5jupldzp.exe 26->35         started        37 nnudyd5jupldzp.exe 28->37         started        signatures14 process15 signatures16 55 Tries to detect virtualization through RDTSC time measurements 32->55 39 conhost.exe 32->39         started        57 Modifies the context of a thread in another process (thread injection) 37->57 59 Maps a DLL or memory area into another process 37->59 61 Sample uses process hollowing technique 37->61 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ec5d666ff1af04113f22c80294db956bedff4123e59ee925c5583c47b7794ec/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 04:12:48 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r3c5mzx7dlyece7sfsacstnzk27n75ashzm65es4kwb4i63xstwa._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
06e0e3da562a627b84f328a76d70b62326e2b5a82fd28bf943b6d3dfd1f26cb7
Formbook
0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb
Formbook
112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818
Formbook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
Formbook
846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3
Formbook
9295ce88660ed117b7cfff0886232a51dc6492bf6100738957bf93fabdb74bb8
Formbook
bb0c96dd4021c9d4f7b7f85ce5372ef74f7ba8c1a257d2c152db052020219799
Formbook
d826e50de7b11772bc48d32d0f75b72a7975e469cfe9583a51edbd9bbaa58387
Formbook
de4a1ed43a149b646a258a5b119270c2c38da15f4b90ed9821d9e1e3527e8ed8
Formbook
e04b0836667f55bcc1778c62761c99af52cb5c42c14cef3962531512def2944b
Formbook
+ 4'940 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200806-32anymxanx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/8ec5d666ff1af04113f22c80294db956bedff4123e59ee925c5583c47b7794ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 7466143aea3247a4b8e352e6300794cb5613cfb7490f4eba27fc836e4d7c6ac5

Formbook

Executable exe 8ec5d666ff1af04113f22c80294db956bedff4123e59ee925c5583c47b7794ec

(this sample)

  
Dropped by
MD5 a5ebb08f65046219e8fb3f9cb0c0063b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40365/
  
Dropped by
SHA256 7466143aea3247a4b8e352e6300794cb5613cfb7490f4eba27fc836e4d7c6ac5

Comments