MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95782c62fb59f497cbcc62927b212edc970d9b70c1f551b2e6587ec196fe1bf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	95782c62fb59f497cbcc62927b212edc970d9b70c1f551b2e6587ec196fe1bf6
SHA3-384 hash:	5a03cdcbb3d25bd67a9ab7a00a5adf9dd5456c1c7e53e22f3228db14193b974dbfe9d2d76e703dcecda2fedcd386a773
SHA1 hash:	b5def030dbafa68a8c9d5efa0d2070caf508e555
MD5 hash:	4ac78251425bb60d7d053aca73ec9f6e
humanhash:	illinois-hotel-oranges-mars
File name:	new_order_#55353_august_8-4-20.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	833'536 bytes
First seen:	2020-08-04 13:36:17 UTC
Last seen:	2020-08-04 15:22:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:aHEh2HcPgYxmOE+2Do4pPeRH89fuZch650WNja4bQRIUx1LdHDVY:PIYxPeVZl8vxUxrV
Threatray	5'117 similar samples on MalwareBazaar
TLSH	90059EC1F5409A50D8694E3B493389924B33AC6BEF02C607349CB6597BF72D66A35F83
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing unidentified malware:

HELO: cojix.com
Sending IP: 45.127.62.16
From: Purchasing <dorothy@elwood.cf>
Subject: new order for august
Attachment: new_order_55353_august_8-4-20.iso (contains "new_order_#55353_august_8-4-20.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

77

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38739/

Detection(s):

Sanesecurity.Rogue.0hr.20200804-1203.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/409516

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/95782c62fb59f497cbcc62927b212edc970d9b70c1f551b2e6587ec196fe1bf6/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-04 13:38:07 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sv4cyyx3lh2jps6mmkjhwijo3slq3g3qyh2vdmxglb7mdfx6dp3a._file

Verdict:

malicious

Similar samples:

16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e

347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32

3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270

3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0

590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23

6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697

7a65842e4b600e556b4373b55c29508315f3b3acea33075e32d380f6ae606392

9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264

d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb

f3a30108ab40b7f31ad7ad191bb41bd3ad148d09597705c1ec0bc0352d18c29e

+ 5'107 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/200804-13qeb6z15n/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/95782c62fb59f497cbcc62927b212edc970d9b70c1f551b2e6587ec196fe1bf6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 791c00d93a43ada3324bdc0ba6676828896400d70169c14b8d0f5e742db20f51

exe 95782c62fb59f497cbcc62927b212edc970d9b70c1f551b2e6587ec196fe1bf6

(this sample)

Dropped by

MD5 0f04e9786f4468d21580ac194d1853ef

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/38739/

Dropped by

SHA256 791c00d93a43ada3324bdc0ba6676828896400d70169c14b8d0f5e742db20f51

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample