MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1ad8bfdcc01c3b59fce9cf7c4ea716f46c5e562d1fbfda663a03fcb3b21fc59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1ad8bfdcc01c3b59fce9cf7c4ea716f46c5e562d1fbfda663a03fcb3b21fc59
SHA3-384 hash: 4d8a6a7351c5cf5029e2817954a0692ffc98d8f071f3f9ff36bb37480f9422b8b1ac360a9dfe579e7c93c47a8aca384e
SHA1 hash: 169201987747f2df0f7651955ab649006ef9f0c8
MD5 hash: f872b350d8590d30cf26bf34b1aea5d8
humanhash: september-artist-lake-mexico
File name:Pago00763422.Scan.pdf..exe
Download: download sample
Signature FormBook
Create hunting rule
File size:400'896 bytes
First seen:2020-08-05 15:19:47 UTC
Last seen:2020-08-05 16:11:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:ofD/8D8PggpPXtF86XkW5esrOuVbhw38EFQeo3Ocz5R4xL909YVL6:ofD/8DKggJXtF3v1dEFEh528SL6
Threatray 5'235 similar samples on MalwareBazaar
TLSH FD849D9EAA76A737E70DF57954A1C1B0C7C9ED31B43AD0D22CC57C9B32EBA1508BA500
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: jace.com
Sending IP: 45.127.62.110
From: David Díaz <madie@nisuysa.xyz>
Subject: RE: RE: Pago
Attachment: Pago00763422.Scan.pdf.rar (contains "Pago00763422.Scan.pdf..exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39757/
Detection(s):
SecuriteInfo.com.Generic.mg.f872b350d8590d30.1712.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/411506
Signature
Benign windows process drops PE files
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 258072 Sample: Pago00763422.Scan.pdf..exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 53 www.trancus.com 2->53 59 Malicious sample detected (through community Yara rule) 2->59 61 Yara detected FormBook 2->61 63 Machine Learning detection for sample 2->63 65 4 other signatures 2->65 11 Pago00763422.Scan.pdf..exe 2 2->11         started        signatures3 process4 signatures5 81 Tries to detect virtualization through RDTSC time measurements 11->81 14 Pago00763422.Scan.pdf..exe 11->14         started        process6 signatures7 83 Modifies the context of a thread in another process (thread injection) 14->83 85 Maps a DLL or memory area into another process 14->85 87 Sample uses process hollowing technique 14->87 89 Queues an APC in another process (thread injection) 14->89 17 explorer.exe 4 6 14->17 injected process8 dnsIp9 47 www.it-globalservice.net 104.31.82.78, 49735, 80 CLOUDFLARENETUS United States 17->47 49 www.yourplace4cbd.com 17->49 51 2 other IPs or domains 17->51 41 C:\Users\user\AppData\...\config7nfp.exe, PE32 17->41 dropped 67 System process connects to network (likely due to code injection or exploit) 17->67 69 Benign windows process drops PE files 17->69 22 cmstp.exe 1 17 17->22         started        26 config7nfp.exe 2 17->26         started        28 config7nfp.exe 2 17->28         started        30 WWAHost.exe 17->30         started        file10 signatures11 process12 file13 43 C:\Users\user\AppData\...\K12logrv.ini, data 22->43 dropped 45 C:\Users\user\AppData\...\K12logri.ini, data 22->45 dropped 71 Detected FormBook malware 22->71 73 Tries to steal Mail credentials (via file access) 22->73 75 Tries to harvest and steal browser information (history, passwords, etc) 22->75 79 3 other signatures 22->79 32 cmd.exe 1 22->32         started        77 Injects a PE file into a foreign processes 26->77 34 config7nfp.exe 26->34         started        37 config7nfp.exe 28->37         started        signatures14 process15 signatures16 39 conhost.exe 32->39         started        55 Modifies the context of a thread in another process (thread injection) 37->55 57 Maps a DLL or memory area into another process 37->57 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a1ad8bfdcc01c3b59fce9cf7c4ea716f46c5e562d1fbfda663a03fcb3b21fc59/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 15:21:06 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ugwyx7omahb3lh6ott34j2trn5dmlzlc2h573jtdua74wozb7rmq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
08c04f257dbf34e406e95901c084a0f00efd77ab0bb4d03ba228ecb3f9260d7e
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
FormBook
6f95416c1006a499c7012c6cde49a27f83223c665cf9b28764030afeb04bf697
FormBook
8604f9cf7a68603106748dcd54ec4bf13f11ac46bf07d4fa0ec20d45b98e16c9
FormBook
8fb2b9dc001a9dda1b56963034f4957c33e13cf502ab963630100350c0143bce
FormBook
a777ab5f9fd6e6aa4f4d70b5168f4358c849f3ab461a3d15d315c83fe351272d
FormBook
c29af14bba547ce94a8a7c2d7f71d30ebd0df541b604b4dfa400700601755efb
FormBook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
FormBook
fc7f170e0b18f35f5d150ec384f7d7db8cd790bdac22d469424515225ab30658
FormBook
+ 5'225 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200805-92xvnw9ara/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/a1ad8bfdcc01c3b59fce9cf7c4ea716f46c5e562d1fbfda663a03fcb3b21fc59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 110fb6b65aa79d7c1da38f158fcd3c72b803611c50f8c50039404444985bf41b

FormBook

Executable exe a1ad8bfdcc01c3b59fce9cf7c4ea716f46c5e562d1fbfda663a03fcb3b21fc59

(this sample)

  
Dropped by
MD5 74c735b4d123d8b21e3e834d1e2b429e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 110fb6b65aa79d7c1da38f158fcd3c72b803611c50f8c50039404444985bf41b
Cape
Cape
https://www.capesandbox.com/analysis/39757/

Comments