MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c5315409c9ccb1e74195e244a17531781b973f9f489743602c18aaf5a22e7fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8

SHA256 hash: 9c5315409c9ccb1e74195e244a17531781b973f9f489743602c18aaf5a22e7fb
SHA3-384 hash: 5d5bccc670fa783d6ab0dd4c55e4c033de75f3afddf6f1cf2a531ad560bd7f0d920aa51c15e5cee78dff0b3d36d2a69e
SHA1 hash: 507fd143f005741a782f6eea9eeb19ec85cc8845
MD5 hash: 589ec2484bb55255df7c3ebbe54fb3a7
humanhash: freddie-autumn-mississippi-mango
File name: Order_Invoice2020.exe
Signature: FormBook
File size: 781'824 bytes
First seen: 2020-08-31 10:26:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: abbb4ff674d361f4d977ae3c60a46e79 (9 x MassLogger, 1 x AgentTesla, 1 x FormBook)
ssdeep: 12288:iTIXTPL3db/Gm+6FgOO9gSJqvhvWZ3niGtBIi3dBsowEeMDIiWzPvZd0AYfPWkRc:g09b/Gmkg3vhuZFtBNsnE3QvZqAYfPWZ
Threatray: 2'259 similar samples on MalwareBazaar
TLSH: 69F4BEE3B2E04832C0A6267D9C0B57B49D25FE51FA249D462FF4ED0C5F3979138262A7
Reporter: abuse_ch
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 156
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
Deleting a recently created file
Launching the process to change network settings
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Delayed program exit found
Detected FormBook malware
Detected unpacking (changes PE section rights)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
[Behavior graph rendering omitted: Behavior Graph ID 279986, Sample: Order_Invoice2020.exe, Startdate: 31/08/2020, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.DelfFareIt
Status: Malicious
First seen: 2020-08-30 17:51:26 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: rat spyware trojan stealer family:formbook persistence
Behaviour
Enumerates system info in registry
Gathers network information
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads user/profile data of web browsers
Formbook Payload
ServiceHost packer
Formbook
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.
