MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fb2b9dc001a9dda1b56963034f4957c33e13cf502ab963630100350c0143bce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fb2b9dc001a9dda1b56963034f4957c33e13cf502ab963630100350c0143bce
SHA3-384 hash: 7357e08ccb5a051b10608a3f44d2e2b258f253eaa37e8243f88d098260799a4b73b264cce44a883237df25cc35e0de48
SHA1 hash: 9188fe76cd0b143687340688800c2f6833f75e28
MD5 hash: 8278ecd440cfe2a2ccdcac07f83f2aef
humanhash: angel-seven-batman-gee
File name:Swift001109733.Scan.pdf..exe
Download: download sample
Signature FormBook
Create hunting rule
File size:375'296 bytes
First seen:2020-08-06 04:42:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:DH87CiIt9xW9uQse97Q4n4rgTvPj6PpLPoWUrBFMVwp2xPVdliCUDnu8ntDG:DH87zIt9Mjse4gTvL6PpboWUrBKV1Z1P
Threatray 5'302 similar samples on MalwareBazaar
TLSH 7A84DF183C06935BF42D79750553E9F903DC8F0A080BD0ABABD96EDF3D6DEA85887162
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: jace.com
Sending IP: 45.127.62.110
From: David Díaz <madie@nisuysa.xyz>
Subject: RE: RE: Payment
Attachment: Swift001109733.Scan.pdf.rar (contains "Swift001109733.Scan.pdf..exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39984/
Detection(s):
SecuriteInfo.com.Generic.mg.8278ecd440cfe2a2.13433.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/412021
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8fb2b9dc001a9dda1b56963034f4957c33e13cf502ab963630100350c0143bce/
Threat name:
ByteCode-MSIL.Spyware.FormBook
Create hunting rule
Status:
Suspicious
First seen:
2020-08-05 21:28:44 UTC
AV detection:
28 of 48 (58.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r6zltxaadko5ug2wsyydj5evpqz6cphvakvzmnrqcabvbqauhpha._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
08c04f257dbf34e406e95901c084a0f00efd77ab0bb4d03ba228ecb3f9260d7e
FormBook
3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270
FormBook
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
FormBook
82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a
FormBook
8604f9cf7a68603106748dcd54ec4bf13f11ac46bf07d4fa0ec20d45b98e16c9
FormBook
a1ad8bfdcc01c3b59fce9cf7c4ea716f46c5e562d1fbfda663a03fcb3b21fc59
FormBook
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
FormBook
a777ab5f9fd6e6aa4f4d70b5168f4358c849f3ab461a3d15d315c83fe351272d
FormBook
c29af14bba547ce94a8a7c2d7f71d30ebd0df541b604b4dfa400700601755efb
FormBook
fc7f170e0b18f35f5d150ec384f7d7db8cd790bdac22d469424515225ab30658
FormBook
+ 5'292 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan persistence spyware stealer family:formbook
Link:
https://tria.ge/reports/200806-2cgy685nkx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fb2b9dc001a9dda1b56963034f4957c33e13cf502ab963630100350c0143bce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 7c0959839793448f2f11ccb2b181ef71ea776d54cb1363cac8093b10338c642f

FormBook

Executable exe 8fb2b9dc001a9dda1b56963034f4957c33e13cf502ab963630100350c0143bce

(this sample)

  
Dropped by
MD5 5463fbdcfcef76ef65a38f709c26e93c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39984/
  
Dropped by
SHA256 7c0959839793448f2f11ccb2b181ef71ea776d54cb1363cac8093b10338c642f

Comments