MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad5f1470fa21e384ec2d051aa602a8bf7c7f0cfb6c2926f7a55c5ad7038e9d07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad5f1470fa21e384ec2d051aa602a8bf7c7f0cfb6c2926f7a55c5ad7038e9d07
SHA3-384 hash: f49cc29e1ea0a67fa4a98dacdcedd1373b27c835d69ac72b32495bd07dd3805ad592f85366251112bdc52c95ed64d4f0
SHA1 hash: f610d0da74125a54a0ac643acf0141c1958a4d91
MD5 hash: 600ad95284ab7e6b7ca57671716c17b2
humanhash: colorado-july-hydrogen-india
File name:Document9773902_635421_.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:428'032 bytes
First seen:2020-08-10 09:27:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:QFyk456BEkMlKnjlMNsHIQ+ivJ2LKPyL33wa:eq6MlIDHIxivJNSH
Threatray 3'013 similar samples on MalwareBazaar
TLSH 33947C3A31C28028C03546B4D4AD6AC79E747FE937908A5EA7DB53085F13E6BBB1521F
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: smtp2.hiworks.co.kr
Sending IP: 121.254.168.210
From: 강정활 <jhk@koreco.net>
Reply-To: "강정활" <jhk@koreco.net>
Subject: WIRE TRANSFER
Attachment: Document9773902_635421_.lzh (contains "Document9773902_635421_.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42593/
Detection(s):
Win.Malware.Formbook-7399661-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/416625
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Sigma detected: Add file from suspicious location to autostart registry
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260633 Sample: Document9773902_635421_.exe Startdate: 10/08/2020 Architecture: WINDOWS Score: 60 32 Malicious sample detected (through community Yara rule) 2->32 34 Yara detected FormBook 2->34 36 Sigma detected: Add file from suspicious location to autostart registry 2->36 38 2 other signatures 2->38 7 Document9773902_635421_.exe 7 2->7         started        11 bin.exe 2 2->11         started        13 pcalua.exe 1 2->13         started        15 pcalua.exe 1 1 2->15         started        process3 file4 26 C:\Users\user\AppData\Roaming\...\bin.exe, PE32 7->26 dropped 28 C:\Users\...\Document9773902_635421_.exe.log, ASCII 7->28 dropped 30 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->30 dropped 42 Drops PE files to the startup folder 7->42 17 cmd.exe 1 7->17         started        19 bin.exe 3 7->19         started        signatures5 process6 process7 21 reg.exe 1 1 17->21         started        24 conhost.exe 17->24         started        signatures8 40 Creates an autostart registry key pointing to binary in C:\Windows 21->40
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ad5f1470fa21e384ec2d051aa602a8bf7c7f0cfb6c2926f7a55c5ad7038e9d07/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 09:29:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvpri4h2ehryj3bnaunkmavix56h6dh3nqusn55flrnnoa4otudq._file
Verdict:
malicious
Similar samples:
07f7b852dc1cd3c5527fef6c09019b723a9e17ddc6b236c16e992784940b7a81
Formbook
129d2b74553bc4da544e243a8e44cb7caf3b446ba23a32ed7279fe2dfeae9878
Formbook
13e11d298269b106ef9529e7cd3c659bc59b4acb040f521a682f55e49c4ae7a9
Formbook
1e82d551bb0693edad6a527c0355b59476d25afc326168b616205fe186ca5a30
Formbook
5bd5a94befaf51c0702273d144aa5d31fc88e7f677ea33ea98408450e1b535d7
Formbook
6cc43dcf0639d2b657784294b64c28b81daa90b4385e027a81015cc81f664953
Formbook
70ecffff57ecd39682bc7de003d937b43d0b0c9bfaadd315d236627475608e54
Formbook
85f9c52380c96ddf3aa66361640a6a6232a182d5d4437de8a3585fa0d216ebc4
Formbook
887de911a26e0008429adcba8abc212d36423fae62d40aa1df57e2883db77d45
Formbook
e224e30554ce3a83c6ef2ca1c81b50ca377486f55bed19078658578bbef844f0
Formbook
+ 3'003 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200810-61td8b545j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Drops startup file
Executes dropped EXE
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad5f1470fa21e384ec2d051aa602a8bf7c7f0cfb6c2926f7a55c5ad7038e9d07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 5fbbff2790609c65785e9780480adf137acd938ebbf2b7d16760137017087e18

Formbook

Executable exe ad5f1470fa21e384ec2d051aa602a8bf7c7f0cfb6c2926f7a55c5ad7038e9d07

(this sample)

  
Dropped by
MD5 f83709ba70b1a9609ad3dc59a793f7cd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42593/
  
Dropped by
SHA256 5fbbff2790609c65785e9780480adf137acd938ebbf2b7d16760137017087e18

Comments