MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9a10a5cfb720d6df49e94b12a37d5a8c5c463381b319c6f18b94cf282e2021a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9a10a5cfb720d6df49e94b12a37d5a8c5c463381b319c6f18b94cf282e2021a
SHA3-384 hash: d8080de5a68cd50b26f42ab3dd92dce7f9cb672b84fc759d68013bf539245044d1e04e0d003add2ce5490b30af30ca8d
SHA1 hash: 8df9332fa5a2b6edda402bf7166c6e75aeec067e
MD5 hash: b4b3fbfadde9718aa8692c7d8555f061
humanhash: quiet-dakota-march-island
File name:sUTALbn2dAsykA1.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:753'664 bytes
First seen:2020-07-20 08:23:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:3utu1q9I6/kldSCGDyaod+ik4g8y3SoD0iZI/ZNDOuLA0Xcc46HsV:3utuOPW2rEloD0hBNiuc6T/MV
Threatray 5'377 similar samples on MalwareBazaar
TLSH A1F4E0C9ABA45404C6ED3FF55E628A754334BC09F5F2930F2FC0B89B297A792D854362
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dongsonvina.co
Sending IP: 111.90.145.114
From: Rosa Nuviela <Rosa@hysic.co>
Subject: RE: ***URGENT ORDER *****
Attachment: ORDER_2020.rar (contains "sUTALbn2dAsykA1.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28812/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52265.18019.8386.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391072
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247862 Sample: sUTALbn2dAsykA1.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 59 www.jsrivet.com 2->59 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 Sigma detected: Scheduled temp file as task from temp location 2->73 75 7 other signatures 2->75 11 sUTALbn2dAsykA1.exe 5 2->11         started        signatures3 process4 file5 43 C:\Users\user\AppData\...\STGtLPCZNfZgt.exe, PE32 11->43 dropped 45 C:\...\STGtLPCZNfZgt.exe:Zone.Identifier, ASCII 11->45 dropped 47 C:\Users\user\AppData\Local\...\tmpD3B8.tmp, XML 11->47 dropped 49 C:\Users\user\...\sUTALbn2dAsykA1.exe.log, ASCII 11->49 dropped 81 Tries to detect virtualization through RDTSC time measurements 11->81 15 sUTALbn2dAsykA1.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 91 Modifies the context of a thread in another process (thread injection) 15->91 93 Maps a DLL or memory area into another process 15->93 95 Sample uses process hollowing technique 15->95 97 Queues an APC in another process (thread injection) 15->97 20 explorer.exe 1 6 15->20 injected 25 conhost.exe 18->25         started        process9 dnsIp10 61 melvinmelendezjr.com 160.153.136.3, 49735, 80 GODADDY-AMSDE United States 20->61 63 just4ubling.com 184.168.131.241, 49739, 49740, 49741 AS-26496-GO-DADDY-COM-LLCUS United States 20->63 65 2 other IPs or domains 20->65 41 C:\Users\user\AppData\Local\...\dvedhrq.exe, PE32 20->41 dropped 77 System process connects to network (likely due to code injection or exploit) 20->77 79 Benign windows process drops PE files 20->79 27 WWAHost.exe 1 19 20->27         started        file11 signatures12 process13 file14 51 C:\Users\user\AppData\...\96Rlogrv.ini, data 27->51 dropped 53 C:\Users\user\AppData\...\96Rlogri.ini, data 27->53 dropped 55 C:\Users\user\AppData\...\96Rlogrf.ini, data 27->55 dropped 83 Detected FormBook malware 27->83 85 Tries to steal Mail credentials (via file access) 27->85 87 Tries to harvest and steal browser information (history, passwords, etc) 27->87 89 3 other signatures 27->89 31 cmd.exe 2 27->31         started        35 cmd.exe 1 27->35         started        signatures15 process16 file17 57 C:\Users\user\AppData\Local\Temp\DB1, SQLite 31->57 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 31->67 37 conhost.exe 31->37         started        39 conhost.exe 35->39         started        signatures18 process19
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a9a10a5cfb720d6df49e94b12a37d5a8c5c463381b319c6f18b94cf282e2021a/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 08:24:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgqquxh3oigw35e6ssysun6vvdc4iyzydmyzy3yyxfgpfaxcaina._file
Verdict:
malicious
Similar samples:
08fd08ac92e87f077dfa77ab5cbe48dccb7ffc87cd338a6451b884d42fa6306b
FormBook
1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a
FormBook
3de57656bc920af6ada5c995391e33546524ec7acd4e9182364dfcaf84b3b8a3
FormBook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
FormBook
77be23825e937be7c4e100dd70233848523702b85fe2c5e622aa383748ac8e8a
FormBook
9a1bbd02f1dc5ae62f13a00f38067354bf8a754e72e3ebee49a8b6aaa7b7e41f
FormBook
c29ba90d51de3251d2d6f890bf889bd2772c2e375c7df46b25968ae2b1cce5f8
FormBook
cfc1cfcb5119cb196b34e5905578d55e2afd871f2b93f820637e6386168892c5
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
e9962b81f738c0cc9c36497cc2be1c15d5a052e058e2db82a728ca1f55ba2be5
FormBook
+ 5'367 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
evasion trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200720-aemxxw8ps6/
Behaviour
Suspicious use of FindShellTrayWindow
System policy modification
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9a10a5cfb720d6df49e94b12a37d5a8c5c463381b319c6f18b94cf282e2021a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar ef94bcb812cfbdd8417be49ddf7e5f65d5a545633a7b65f55bb5fbb1301c1c12

FormBook

Executable exe a9a10a5cfb720d6df49e94b12a37d5a8c5c463381b319c6f18b94cf282e2021a

(this sample)

  
Dropped by
MD5 1fb6df7c4f40a3affb138e593a8005ba
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28812/
  
Dropped by
SHA256 ef94bcb812cfbdd8417be49ddf7e5f65d5a545633a7b65f55bb5fbb1301c1c12

Comments