MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9e4a57e85cb473702863d801a78af3c4e224ac70be4f29a99ae9f2433c0c48d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9e4a57e85cb473702863d801a78af3c4e224ac70be4f29a99ae9f2433c0c48d
SHA3-384 hash: 2cbce766258727e72aac8672120003d26ff98141b00cd71ed41ea99b2b4c69ce0e32a4b1b66f83ce1da4578d3a4a6665
SHA1 hash: 7426f37baa1d4f1afb83b177c73b51cdcf49d928
MD5 hash: 4914f1642300fb234c607595a5786a57
humanhash: oscar-six-iowa-early
File name:Order Confirmation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:288'256 bytes
First seen:2020-07-22 14:26:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:PeHpd3Sp5x/ZI0qKaD4iwjcV+OCYwFi6JRP5crIxkfI1Vr:Pipd3qz/E/Dz1VRZoxfxmI
Threatray 2'287 similar samples on MalwareBazaar
TLSH 1B54C0AE13C84467E7DFCFBAD262035543F5588D3101EBCE7A94F4985A8D34B9322A8D
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31222/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.45022.7722.2460.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with Startup directory
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/395170
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249914 Sample: Order Confirmation.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 92 www.alexandriarogers.com 2->92 94 alexandriarogers.com 2->94 128 Malicious sample detected (through community Yara rule) 2->128 130 Multi AV Scanner detection for dropped file 2->130 132 Multi AV Scanner detection for submitted file 2->132 134 7 other signatures 2->134 13 Order Confirmation.exe 4 2->13         started        signatures3 process4 file5 84 C:\Users\user\s.exe, PE32 13->84 dropped 86 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 13->86 dropped 88 C:\Users\user\s.exe:Zone.Identifier, ASCII 13->88 dropped 162 Maps a DLL or memory area into another process 13->162 164 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->164 17 Order Confirmation.exe 1 13->17         started        20 RegAsm.exe 13->20         started        22 RegAsm.exe 13->22         started        signatures6 process7 signatures8 102 Maps a DLL or memory area into another process 17->102 24 Order Confirmation.exe 1 17->24         started        27 RegAsm.exe 17->27         started        104 Modifies the context of a thread in another process (thread injection) 20->104 106 Sample uses process hollowing technique 20->106 108 Queues an APC in another process (thread injection) 20->108 29 explorer.exe 1 6 20->29 injected 110 Tries to detect virtualization through RDTSC time measurements 22->110 process9 dnsIp10 142 Maps a DLL or memory area into another process 24->142 33 Order Confirmation.exe 24->33         started        36 RegAsm.exe 24->36         started        144 Modifies the context of a thread in another process (thread injection) 27->144 146 Sample uses process hollowing technique 27->146 96 www.xinyinwuwang.com 47.94.81.57, 49720, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 29->96 98 www.woratime.com 29->98 100 www.illuminationspainting.net 29->100 90 C:\Users\user\AppData\...\autochkc84tibm.exe, PE32 29->90 dropped 148 System process connects to network (likely due to code injection or exploit) 29->148 150 Benign windows process drops PE files 29->150 38 WWAHost.exe 1 19 29->38         started        41 control.exe 29->41         started        43 chkdsk.exe 29->43         started        45 5 other processes 29->45 file11 signatures12 process13 file14 112 Maps a DLL or memory area into another process 33->112 47 Order Confirmation.exe 33->47         started        50 RegAsm.exe 33->50         started        114 Modifies the context of a thread in another process (thread injection) 36->114 116 Sample uses process hollowing technique 36->116 78 C:\Users\user\AppData\...\7PRlogrv.ini, data 38->78 dropped 80 C:\Users\user\AppData\...\7PRlogri.ini, data 38->80 dropped 82 C:\Users\user\AppData\...\7PRlogrf.ini, data 38->82 dropped 118 Detected FormBook malware 38->118 120 Tries to steal Mail credentials (via file access) 38->120 122 Creates autostart registry keys with suspicious names 38->122 124 Tries to harvest and steal browser information (history, passwords, etc) 38->124 52 cmd.exe 38->52         started        55 cmd.exe 1 38->55         started        126 Tries to detect virtualization through RDTSC time measurements 41->126 57 conhost.exe 45->57         started        signatures15 process16 file17 166 Maps a DLL or memory area into another process 47->166 59 Order Confirmation.exe 47->59         started        62 RegAsm.exe 47->62         started        168 Modifies the context of a thread in another process (thread injection) 50->168 170 Sample uses process hollowing technique 50->170 76 C:\Users\user\AppData\Local\Temp\DB1, SQLite 52->76 dropped 172 Tries to harvest and steal browser information (history, passwords, etc) 52->172 64 conhost.exe 52->64         started        66 conhost.exe 55->66         started        signatures18 process19 signatures20 156 Maps a DLL or memory area into another process 59->156 68 Order Confirmation.exe 59->68         started        71 RegAsm.exe 59->71         started        158 Modifies the context of a thread in another process (thread injection) 62->158 160 Sample uses process hollowing technique 62->160 process21 signatures22 136 Maps a DLL or memory area into another process 68->136 73 RegAsm.exe 68->73         started        138 Modifies the context of a thread in another process (thread injection) 71->138 140 Sample uses process hollowing technique 71->140 process23 signatures24 152 Modifies the context of a thread in another process (thread injection) 73->152 154 Maps a DLL or memory area into another process 73->154
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9e4a57e85cb473702863d801a78af3c4e224ac70be4f29a99ae9f2433c0c48d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 11:33:51 UTC
File Type:
PE (.Net Exe)
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhskk7ufzndtoaughwabu6fphrhceswhbpspfguzv2psim6aysgq._file
Verdict:
malicious
Similar samples:
387119236c9bd4c60215cab8efae3cdd16a0fe9906d83016b2dc8ee425fad40d
Formbook
5620eaea502dcc3bc31e10dc48478022f518a15956a4b6565c454dd062859eff
Formbook
714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f
Formbook
7da1749d927d6d2f4f8175bb1cef8c4a92793b107d24d661d83bd55c57e83df8
Formbook
8d8f0c6fdcd021f11d41e3da7521ec78e5460def24bd61f7eb15879788fafcc2
Formbook
9b861daa0a7b4276df89a7ec49d2dd3388366ad60a3058df70525313799a0d05
Formbook
c79a75bdb7f50439434aef1de18f5eaa857b9c0affd00f8e40ef85348df6cf57
Formbook
d0604fe76ff35e2311825f1822171208bd472c764dfbdbf45e20fad47f6a4472
Formbook
d524551cdd54b82c03f7121e7ff86cd4b2f79a524d886be9adb3f281793865f9
Formbook
fe3306e3cb623199393790e95304cf4d0a24ce092ed2c5c82b48658e987fa56c
Formbook
+ 2'277 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200722-938yqyts1s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Gathers network information
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9e4a57e85cb473702863d801a78af3c4e224ac70be4f29a99ae9f2433c0c48d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/31222/

Comments