MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad59712708ccd592bf4b101a377090c0955a7d954a444cb0c2bee0385796fdfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad59712708ccd592bf4b101a377090c0955a7d954a444cb0c2bee0385796fdfe
SHA3-384 hash: 8ca995fa246013831f0f5f73c4951bbf53858a52bd36c7ef779ef2c8c1f899ee8c0ac554fbbba028d1d0c67d64d20435
SHA1 hash: 7c0aa8da13c1d729df1a88574f7134c370642250
MD5 hash: 356dc165ade26a28c0fa934c899fcbee
humanhash: carolina-utah-stream-iowa
File name:VS-22072020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:462'336 bytes
First seen:2020-07-22 07:23:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ltjcIjVsSI92iNotPK7CZ0ekTEyILqMUKXIrfi:/Vsh91MJaekT9M5X
Threatray 5'666 similar samples on MalwareBazaar
TLSH 5FA44703EFB036D9DB5446B7E025114C576A6D1E7FEAE20B5B9DF098CA32B404327E26
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dongsonvina.co
Sending IP: 111.90.145.70
From: JUAN URBANO <grencia@cementoscauca.com.co>
Reply-To: vlinks.myt@hotmail.com
Subject: Attached drawing for quotation
Attachment: VS-22072020.rar (contains "VS-22072020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30866/
Detection(s):
SecuriteInfo.com.LuheFihaA.16844.28878.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with Startup directory
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394588
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249708 Sample: VS-22072020.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 61 www.newsletter-drspoc.com 2->61 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 Sigma detected: Scheduled temp file as task from temp location 2->73 75 6 other signatures 2->75 11 VS-22072020.exe 7 2->11         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\wTTzTJTrPjpxb.exe, PE32 11->49 dropped 51 C:\Users\user\AppData\Local\...\tmpB9F7.tmp, XML 11->51 dropped 53 C:\Users\user\AppData\...\VS-22072020.exe.log, ASCII 11->53 dropped 83 Tries to detect virtualization through RDTSC time measurements 11->83 85 Injects a PE file into a foreign processes 11->85 15 VS-22072020.exe 11->15         started        18 schtasks.exe 1 11->18         started        20 VS-22072020.exe 11->20         started        signatures6 process7 signatures8 95 Modifies the context of a thread in another process (thread injection) 15->95 97 Maps a DLL or memory area into another process 15->97 99 Sample uses process hollowing technique 15->99 101 Queues an APC in another process (thread injection) 15->101 22 explorer.exe 1 6 15->22 injected 27 conhost.exe 18->27         started        process9 dnsIp10 63 www.aljawahir.net 46.30.215.212, 49739, 80 ONECOMDK Denmark 22->63 65 www.newsletter-drspoc.com 22->65 67 www.jesseaustenwilliams.com 22->67 47 C:\Users\user\AppData\...\m8tp9zwkhld0x.exe, PE32 22->47 dropped 79 System process connects to network (likely due to code injection or exploit) 22->79 81 Benign windows process drops PE files 22->81 29 ipconfig.exe 1 19 22->29         started        33 autoconv.exe 22->33         started        file11 signatures12 process13 file14 55 C:\Users\user\AppData\...\81Mlogrv.ini, data 29->55 dropped 57 C:\Users\user\AppData\...\81Mlogri.ini, data 29->57 dropped 59 C:\Users\user\AppData\...\81Mlogrf.ini, data 29->59 dropped 87 Detected FormBook malware 29->87 89 Tries to steal Mail credentials (via file access) 29->89 91 Tries to harvest and steal browser information (history, passwords, etc) 29->91 93 3 other signatures 29->93 35 cmd.exe 2 29->35         started        39 cmd.exe 1 29->39         started        signatures15 process16 file17 45 C:\Users\user\AppData\Local\Temp\DB1, SQLite 35->45 dropped 77 Tries to harvest and steal browser information (history, passwords, etc) 35->77 41 conhost.exe 35->41         started        43 conhost.exe 39->43         started        signatures18 process19
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad59712708ccd592bf4b101a377090c0955a7d954a444cb0c2bee0385796fdfe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 05:08:54 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvmxcjyiztkzfp2lcando4eqyckvu7mvjjcezmgcx3qdqv4w7x7a._file
Verdict:
malicious
Similar samples:
2ed8cd44621cc06fa9a00f11b5217fe58839a8ec6bfee8d42f78f61263652da5
FormBook
476d02f7c777bb08d97cf87c305e3cb4f41501c1b15ddd88e55f31bff0767b0a
FormBook
49aaf4ae6bf7f60a07c4ffc43ca0be27fce694446436dd07aac5db362142c2c8
FormBook
75fc0beb16fbe8af2f46d2cfcb7176af4289430516d74017d1a32cd0c37859c0
FormBook
80c2d3e3f00d60ab27069ab1d911bbccadd2ba38df47c098d1efc2a0092ff320
FormBook
9256cc7129421443ba770b55f01042e58fa5af856df1db31e830f147213c2a1c
FormBook
afd354c93f9c9ad2324dd4ecd1e58041f373f1b3360ef8ce2792e437bd104a8d
FormBook
d5dd3977cdc2602a68093c08e166b1508253ef0934f986d00be980e47b7c50f9
FormBook
dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b
FormBook
f8a0ada1c983c16a3ff6b107c2a04cac970e51ba9bec2514771271af03b7b9fc
FormBook
+ 5'656 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200722-qlp1varmx2/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
System policy modification
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad59712708ccd592bf4b101a377090c0955a7d954a444cb0c2bee0385796fdfe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 00da2e37319683a1580f3723069510d2e9576ed65f02474860cf0f9c6cef8889

FormBook

Executable exe ad59712708ccd592bf4b101a377090c0955a7d954a444cb0c2bee0385796fdfe

(this sample)

  
Dropped by
MD5 fbf459a59c8885cffc1f4b6dc499af32
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 00da2e37319683a1580f3723069510d2e9576ed65f02474860cf0f9c6cef8889
Cape
Cape
https://www.capesandbox.com/analysis/30866/

Comments