MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a72d19bc0c550d6ac3e8e6ef34bf507091219e72091a76bb7d1950848d4837b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8

SHA256 hash: a72d19bc0c550d6ac3e8e6ef34bf507091219e72091a76bb7d1950848d4837b7
SHA3-384 hash: 1e51a3c8b4f5ac1a2d743450fe1eb51134fd32a6ca7689735290e89fbc9a6ba25900db0cf3e33c960ab2189144903a2f
SHA1 hash: 11798c85968e14821ef831c20a28d1748b894640
MD5 hash: 441d11556e98852e9cd720a2a04e4b74
humanhash: bakerloo-michigan-mango-william
File name: INQUIRY AND CATALOGS.exe
Signature: FormBook
File size: 707'072 bytes
First seen: 2020-07-24 22:21:38 UTC
Last seen: 2020-07-27 14:22:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 858a931c79a9e89ac12e565a67a29a38 (1 x FormBook, 1 x AgentTesla, 1 x RemcosRAT)
ssdeep: 6144:U80f3pkFSe7UKpTR+kzz+quCQS6Xde1DjwcjJl5ILfRPHD8xTde0sGNOGWy3tCIR:n0f5kFb4nCjrJlDdFsG9JApKfdjBkx6
Threatray: 4'971 similar samples on MalwareBazaar
TLSH: A3E4B076E6D14433C123267D9C0B976CA83ABF10296919876FE91C4DAF6B3C2743B187
Reporter: James_inthe_box
Tags: exe, FormBook

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 113
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 251061
Sample: INQUIRY AND CATALOGS.exe
Start date: 25/07/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Multi AV Scanner detection for domain / URL
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for dropped file
  9 other signatures
  DNS: www.regulars7.info

Process tree (signatures, network contacts and dropped files listed under the process they were observed in):
INQUIRY AND CATALOGS.exe (started)
  Maps a DLL or memory area into another process
  INQUIRY AND CATALOGS.exe (started)
    Modifies the context of a thread in another process (thread injection)
    Maps a DLL or memory area into another process
    Sample uses process hollowing technique
    Queues an APC in another process (thread injection)
    explorer.exe (injected)
      Network: 960482.com 154.211.42.125, ports 49739, 49740, 49741 (SKHT-ASShenzhenKatherineHengTechnologyInformationCo, Seychelles)
      Network: www.tiexiancao.com 47.52.89.99, ports 49735, 80 (CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, United States)
      DNS: www.960482.com
      Dropped: C:\Users\user\AppData\...\tt7tfrlhpwthh.exe, PE32
      System process connects to network (likely due to code injection or exploit)
      Benign windows process drops PE files
      ipconfig.exe (started)
        Dropped: C:\Users\user\AppData\...\42Rlogrv.ini, data
        Dropped: C:\Users\user\AppData\...\42Rlogri.ini, data
        Dropped: C:\Users\user\AppData\...\42Rlogrf.ini, data
        Detected FormBook malware
        Tries to steal Mail credentials (via file access)
        Tries to harvest and steal browser information (history, passwords, etc)
        Modifies the context of a thread in another process (thread injection)
        cmd.exe (started)
          Dropped: C:\Users\user\AppData\Local\Temp\DB1, SQLite
          Tries to harvest and steal browser information (history, passwords, etc)
          conhost.exe (started)
        cmd.exe (started)
          conhost.exe (started)
      tt7tfrlhpwthh.exe (started)
        Maps a DLL or memory area into another process
        tt7tfrlhpwthh.exe (started)
          Modifies the context of a thread in another process (thread injection)
          Maps a DLL or memory area into another process
          Sample uses process hollowing technique
      systray.exe (started)
        Tries to detect virtualization through RDTSC time measurements
      2 other processes (started)
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-07-24 22:21:13 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence, spyware
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other