MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9aad58f1d569335bb140604794a5b3e2f02fd44ebbfc16e86b795b93f460e98c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9aad58f1d569335bb140604794a5b3e2f02fd44ebbfc16e86b795b93f460e98c
SHA3-384 hash: 219649c78eaf7af2e40dae809357d4bd2c865316ce0d3354f9783c9bd098ada5859411cfe2d80be9527e593908269cb8
SHA1 hash: c61bbefd13a7d0e2929a2fcfb053b2d89a3994e0
MD5 hash: 85bf9189f1220e310d0d5626d7ca286c
humanhash: florida-queen-yankee-comet
File name:img-602105445-0001.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'162'752 bytes
First seen:2020-08-05 09:20:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:VlwRrHV71kzgTc7nyz2+IBTkJpwKpwGy6iDb4Sy:VIrpegTc7nDIJpRpQfy
Threatray 5'089 similar samples on MalwareBazaar
TLSH 0335E0A43944DF9DC86E0F3078236800EBE1AE561E46F64FAC9779FC1BB514A4E1A34D
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: nsl5.hosthane.com
Sending IP: 217.116.192.24
From: MTEX NS | Printer <impressora@mtexns.com>
Subject: MTEX NS | Scan from printer
Attachment: img-602105445-0001.zip (contains "img-602105445-0001.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39325/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410792
Signature
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257711 Sample: img-602105445-0001.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 54 www.privateblockchain.loan 2->54 56 www.soontoda.com 2->56 64 Malicious sample detected (through community Yara rule) 2->64 66 Yara detected AntiVM_3 2->66 68 Yara detected FormBook 2->68 70 5 other signatures 2->70 11 img-602105445-0001.exe 3 2->11         started        signatures3 process4 file5 52 C:\Users\user\...\img-602105445-0001.exe.log, ASCII 11->52 dropped 94 Tries to detect virtualization through RDTSC time measurements 11->94 96 Injects a PE file into a foreign processes 11->96 15 img-602105445-0001.exe 11->15         started        signatures6 process7 signatures8 98 Modifies the context of a thread in another process (thread injection) 15->98 100 Maps a DLL or memory area into another process 15->100 102 Sample uses process hollowing technique 15->102 104 Queues an APC in another process (thread injection) 15->104 18 explorer.exe 4 6 15->18 injected process9 dnsIp10 58 www.mnsruu.com 58.64.153.39, 49744, 80 NWT-AS-APASnumberforNewWorldTelephoneLtdHK Hong Kong 18->58 60 www.wwwjinsha802.com 18->60 62 www.cruisinclassicautosales.com 18->62 46 C:\Users\user\AppData\...\e0ilyv_ix-.exe, PE32 18->46 dropped 78 System process connects to network (likely due to code injection or exploit) 18->78 80 Benign windows process drops PE files 18->80 23 wlanext.exe 1 17 18->23         started        27 e0ilyv_ix-.exe 3 18->27         started        29 e0ilyv_ix-.exe 2 18->29         started        31 ipconfig.exe 18->31         started        file11 signatures12 process13 file14 48 C:\Users\user\AppData\...\40Ologrv.ini, data 23->48 dropped 50 C:\Users\user\AppData\...\40Ologri.ini, data 23->50 dropped 82 Detected FormBook malware 23->82 84 Tries to steal Mail credentials (via file access) 23->84 86 Tries to harvest and steal browser information (history, passwords, etc) 23->86 92 2 other signatures 23->92 33 cmd.exe 1 23->33         started        88 Injects a PE file into a foreign processes 27->88 35 e0ilyv_ix-.exe 27->35         started        38 e0ilyv_ix-.exe 29->38         started        40 e0ilyv_ix-.exe 29->40         started        42 e0ilyv_ix-.exe 29->42         started        90 Tries to detect virtualization through RDTSC time measurements 31->90 signatures15 process16 signatures17 44 conhost.exe 33->44         started        72 Modifies the context of a thread in another process (thread injection) 35->72 74 Maps a DLL or memory area into another process 35->74 76 Sample uses process hollowing technique 35->76 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9aad58f1d569335bb140604794a5b3e2f02fd44ebbfc16e86b795b93f460e98c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 05:32:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tkwvr4ovnezvxmkambdzjjnt4lyc7vcoxp6bn2dlpfnzh5da5gga._file
Verdict:
malicious
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
FormBook
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
1be61c2f6e006dc35f4d81b2797d967d2a4ff04f854679d334abf13ceec8c508
FormBook
35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5
FormBook
45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f
FormBook
52e01cac4f5319a7d1177aae77861b4ad8f77b26581d089e948344d0e608b80b
FormBook
ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22
FormBook
c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b
FormBook
dea5303370177b621cdd1fd497396ddaa9e94d3edd1407339f52f0dc85a67046
FormBook
e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0
FormBook
+ 5'079 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-ham4fm2bwe/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9aad58f1d569335bb140604794a5b3e2f02fd44ebbfc16e86b795b93f460e98c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip bc08e8d77f12b99a1fb9c7c511cc442a0ddbf5f85625e2cd6fc236e2301c9be0

FormBook

Executable exe 9aad58f1d569335bb140604794a5b3e2f02fd44ebbfc16e86b795b93f460e98c

(this sample)

  
Dropped by
MD5 44d2642b3beeccd1b11ce3a4313d6e6e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39325/
  
Dropped by
SHA256 bc08e8d77f12b99a1fb9c7c511cc442a0ddbf5f85625e2cd6fc236e2301c9be0

Comments