MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3
SHA3-384 hash: aef6e98c8a1cbe331684ecbd196582eb55559aabc5cfc3fee39a4bbd738fcfb6a4a6e087af372637dfc21f0eda1292d4
SHA1 hash: 3849afd0fe9717b89ecb4b135e373b8bfc6eec24
MD5 hash: 9fa8ea5fde3bee57cf5b20e31db1c7ff
humanhash: steak-pennsylvania-sweet-pasta
File name:NEW ORDER.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:473'088 bytes
First seen:2020-07-21 07:36:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:bMHzziqJCSyRw6TB2EGK46h3I6eQRAMDKvN/CXxfUkyt8ppvx8/aXA:4uLAkY6Y+KvNaXxDyGtx8MA
Threatray 4'965 similar samples on MalwareBazaar
TLSH 0FA46B50D7F88AD9E3BA17BDE470004087B4B51AA7EAE7492B91F0ED1C227518B13F67
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: fre.freespirittours.ge
Sending IP: 192.254.140.61
From: executive@freespirittours.net
Subject: RE:PROFORMA INVOICE
Attachment: NEW ORDER.rar (contains "NEW ORDER.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29818/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392759
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 248630 Sample: NEW ORDER.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 60 www.techvestorsmultifamily.com 2->60 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 Sigma detected: Scheduled temp file as task from temp location 2->74 76 8 other signatures 2->76 11 NEW ORDER.exe 9 2->11         started        signatures3 process4 file5 54 C:\Users\user\AppData\...\ebQNpuFYSisyD.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\Local\...\tmp996C.tmp, XML 11->56 dropped 58 C:\Users\user\AppData\...58EW ORDER.exe.log, ASCII 11->58 dropped 14 RegSvcs.exe 11->14         started        17 schtasks.exe 1 11->17         started        process6 signatures7 90 Modifies the context of a thread in another process (thread injection) 14->90 92 Maps a DLL or memory area into another process 14->92 94 Sample uses process hollowing technique 14->94 96 2 other signatures 14->96 19 explorer.exe 1 6 14->19 injected 24 conhost.exe 17->24         started        process8 dnsIp9 62 www.whyisaaroncaldwellsodamnhot.com 85.13.151.109, 49738, 80 NMM-ASD-02742FriedersdorfHauptstrasse68DE Germany 19->62 64 www.nhchangxing.com 172.80.66.107, 49742, 49743, 49744 ESITEDUS United States 19->64 66 www.mr133.com 199.59.242.150, 49745, 49746, 49747 BODIS-NJUS United States 19->66 46 C:\Users\user\AppData\...\autochkrnsprr5p.exe, PE32 19->46 dropped 78 System process connects to network (likely due to code injection or exploit) 19->78 80 Benign windows process drops PE files 19->80 26 netsh.exe 1 19 19->26         started        30 autochkrnsprr5p.exe 2 19->30         started        file10 signatures11 process12 file13 48 C:\Users\user\AppData\...\79Llogrv.ini, data 26->48 dropped 50 C:\Users\user\AppData\...\79Llogri.ini, data 26->50 dropped 52 C:\Users\user\AppData\...\79Llogrf.ini, data 26->52 dropped 82 Detected FormBook malware 26->82 84 Tries to steal Mail credentials (via file access) 26->84 86 Tries to harvest and steal browser information (history, passwords, etc) 26->86 88 3 other signatures 26->88 32 cmd.exe 2 26->32         started        36 cmd.exe 1 26->36         started        38 conhost.exe 30->38         started        signatures14 process15 file16 44 C:\Users\user\AppData\Local\Temp\DB1, SQLite 32->44 dropped 68 Tries to harvest and steal browser information (history, passwords, etc) 32->68 40 conhost.exe 32->40         started        42 conhost.exe 36->42         started        signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 07:38:08 UTC
AV detection:
32 of 46 (69.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uth4g4k375o7jojqvx6un3njovtgzl7l2xstreigqd2e2ecrocrq._file
Verdict:
malicious
Similar samples:
4bb9adda0e9ea445a320f71cf0c7c8a9ce3e4d07faf8ac834674746947e50bc8
FormBook
5df080a145c2dd20f01dcb463efbc7fc1fc1c5bb61567b972c8b4ceb62338088
FormBook
671759b97f6889b6732fb377b5af7ccc9df5e8769c2aa07a371caab68c5639fd
FormBook
8ee4be1165d1e195defb89faee6746304f38293aac4f59d332408e3bff243822
FormBook
92d2689159c5984751e67f61486e25a8f66921d372249af5ac22078cf22c8be9
FormBook
946cdeba80da84a83af805ec82e7f07819ed853356d1d546be0c5ac28b5f70d4
FormBook
9f56641fa34365d546b70d51aa82899b863a4781a3e51f6e78c62fa198472a79
FormBook
a78239b17de3eac55e5fcbeceefdd2fe78f76888a2639f54024232b4dcda394c
FormBook
ac0b86bf664770295ad2de9a46edabc374040a467471a61fdac436d52e451964
FormBook
da7ce8060ef04b847aeb11d727b9d8fad9526dc3314adce4ffa5e0b597ac5547
FormBook
+ 4'955 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200721-pecbjjftzj/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 4be43a81a57f99ed8b389643a5c20b4e9a9eee1c64fcec819567606622e8d709

FormBook

Executable exe a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3

(this sample)

  
Dropped by
MD5 bc6765e3b8ebd67cb901ff1dc7a2e865
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29818/
  
Dropped by
SHA256 4be43a81a57f99ed8b389643a5c20b4e9a9eee1c64fcec819567606622e8d709

Comments