MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97d0665cd19b89fabb2a9220c19b88776693c6bcc7d2159c10e18cf3707bb019. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 9



SHA256 hash: 97d0665cd19b89fabb2a9220c19b88776693c6bcc7d2159c10e18cf3707bb019
SHA3-384 hash: b12677f2dd7f6f68669c3c7dbbf5d280408db9c4af155754572dbce26ab333768065ab0ce4ed3acceabbba7c3acb74d7
SHA1 hash: 928e37617ffc4059d4d82a4e47262491bf95f1bd
MD5 hash: 1f283fe8f4692c9b1916b9b3201c50fd
humanhash: fillet-massachusetts-beer-connecticut
File name: Product_inquiry_list,pdf.exe
Signature: FormBook
File size: 721'408 bytes
First seen: 2020-07-21 09:19:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 12288:5rzZ1q9I6/kldSCGDyaod+ik4g8y3SoDksEKhUH899SViQE2Ccvnu:5pOPW2rEloDfHhUc/SuUvu
Threatray: 5'242 similar samples on MalwareBazaar
TLSH: D2E4E0DD5A502407C5BD1EBC8F5AC6B847309D10F6F2A74E17D1BDAE2A79383E4072A2
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: mail.moenepa.cf
Sending IP: 160.251.11.99
From: INDUSUNO PVT LTD <admin@moenepa.cf>
Subject: RFQ Urgent Equipments
Attachment: Product_inquiry_list,pdf.iso (contains "Product_inquiry_list,pdf.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 68
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 248791
Sample: Product_inquiry_list,pdf.exe
Startdate: 21/07/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  7 other signatures

Process tree:
  Product_inquiry_list,pdf.exe (started)
    Dropped: C:\Users\...\Product_inquiry_list,pdf.exe.log, ASCII
    Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    Starts: Product_inquiry_list,pdf.exe (three instances)
      Signatures (one instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      Injects into: explorer.exe
        Network: www.jwebt.com 156.225.166.8, 49734, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles; sexmilfsite.com 51.81.135.17, 49738, 49739, 49740, OVHFR United States; 2 other IPs or domains
        Dropped: C:\Users\user\AppData\...\chkdskkbyh.exe, PE32
        Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files
        Starts: netsh.exe; chkdskkbyh.exe; colorcpl.exe
          netsh.exe
            Dropped: C:\Users\user\AppData\...\91Plogrv.ini, data; C:\Users\user\AppData\...\91Plogri.ini, data; C:\Users\user\AppData\...\91Plogrf.ini, data
            Signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
            Starts: cmd.exe (two instances)
              cmd.exe (first instance)
                Dropped: C:\Users\user\AppData\Local\Temp\DB1, SQLite
                Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                Starts: conhost.exe
              cmd.exe (second instance)
                Starts: conhost.exe
          chkdskkbyh.exe
            Signatures: Injects a PE file into a foreign processes
            Starts: chkdskkbyh.exe
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
          colorcpl.exe
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-07-21 01:03:44 UTC
AV detection: 32 of 46 (69.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: FormBook
  Executable exe 97d0665cd19b89fabb2a9220c19b88776693c6bcc7d2159c10e18cf3707bb019 (this sample)
Delivery method: Distributed via e-mail attachment
