MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 6



SHA256 hash: bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112
SHA3-384 hash: decb32998c970612a162302bf1d8a56fd4095ca512955ac693ce55d4be182a6fc1dd0557e98bcd0580dc63c3d2eff834
SHA1 hash: 7170ef2a931341c0c4fb152c1552a5049eca68ae
MD5 hash: 0060b9cfb3b239c92f18f3b1ae7d8c3c
humanhash: quebec-enemy-alaska-uranus
File name: invoice.exe
Download: download sample
Signature: FormBook
File size: 333'824 bytes
First seen: 2020-06-08 14:59:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:ImGYzZQBJKK/RI4gLkeLSWIxWyKEjfQ7BYv4OXqqP/n:ImG3XHKSnxXKEjfoBYt7P
Threatray 5'242 similar samples on MalwareBazaar
TLSH 2764020177FDEB36D97E4BF974D724005372313A762AFA5E8DC671E608A2B108A40E67
Reporter abuse_ch
Tags:exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: moutaichina.com
Sending IP: 172.93.161.29
From: Mail@moutaichina.com
Reply-To: Ibn.01@outlook.com
Subject: 新命令 (Chinese, "New order")
Attachment: invoice 1.zip (contains "invoice.exe")
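The report above shows the two signals a mail gateway can key on without touching the binary: a Reply-To that steers replies to a free-mail account on a different domain than the From address, and an "invoice" archive that wraps an executable. The following is an added example (not MalwareBazaar or abuse.ch code) that builds a message from the header values in the report and flags both. The zip payload is synthetic and does not contain the real invoice.exe; the recipient address, the free-mail provider list and the executable-extension list are assumptions.

```python
"""Check a message for the malspam pattern reported in the comment above.

Added example, not MalwareBazaar or abuse.ch code. The message is constructed
from the header values in the report (From, Reply-To, Subject, attachment
name); the zip payload is synthetic. Recipient address, free-mail list and
extension list are assumptions.
"""
from __future__ import annotations

import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that should never arrive inside an "invoice" archive (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".dll"}
# Providers commonly used for throw-away Reply-To addresses (assumed list).
FREEMAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com"}


def address_domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header, '' if none."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def executables_in_zip(payload: bytes) -> list[str]:
    """Names of archive members whose extension is on the executable list."""
    hits: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            for name in archive.namelist():
                _stem, dot, ext = name.rpartition(".")
                if dot and f".{ext.lower()}" in EXECUTABLE_EXTENSIONS:
                    hits.append(name)
    except zipfile.BadZipFile:
        pass  # not a zip at all; the header checks still apply
    return hits


def malspam_findings(msg: EmailMessage, helo: str) -> list[str]:
    """Reasons the message matches the reported pattern (empty list = no match)."""
    findings: list[str] = []
    from_domain = address_domain(msg.get("From", ""))
    reply_domain = address_domain(msg.get("Reply-To", ""))

    # 1. Reply-To sends replies away from the From domain, here to a free-mail account.
    if reply_domain and reply_domain != from_domain:
        note = f"Reply-To domain {reply_domain} differs from From domain {from_domain}"
        if reply_domain in FREEMAIL_DOMAINS:
            note += " (free-mail provider)"
        findings.append(note)

    # 2. HELO name that does not match the sender domain. This does not fire for the
    #    reported mail (HELO and From are both moutaichina.com) but is cheap to keep.
    if helo.lower() != from_domain:
        findings.append(f"HELO {helo} does not match From domain {from_domain}")

    # 3. Archive attachment wrapping an executable: the "invoice 1.zip" -> invoice.exe trick.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not isinstance(payload, bytes):
            continue
        for name in executables_in_zip(payload):
            findings.append(f"attachment {part.get_filename()!r} contains executable {name!r}")
    return findings


def build_reported_message() -> EmailMessage:
    """Constructed message carrying the headers from the abuse.ch report."""
    msg = EmailMessage()
    msg["From"] = "Mail@moutaichina.com"
    msg["Reply-To"] = "Ibn.01@outlook.com"
    msg["To"] = "victim@example.com"   # assumed recipient
    msg["Subject"] = "新命令"            # "New order"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.exe", b"MZ placeholder bytes, not the real sample")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice 1.zip")
    return msg


if __name__ == "__main__":
    for finding in malspam_findings(build_reported_message(), helo="moutaichina.com"):
        print("-", finding)
```

Run against the constructed message the function reports the Reply-To mismatch and the executable inside the zip; the HELO check stays quiet because the sending host named itself after the From domain, which is why the Reply-To and attachment checks carry the weight here.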

Intelligence


File Origin
# of uploads: 1
# of downloads: 81
Origin country: n/a
Vendor Threat Intelligence
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 236613; sample run as ewuTygg1Bw.exe; start date 08/06/2020; architecture WINDOWS; score 100):

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures.
Sample-level DNS: www.audreyfarley.com; ext-sq.squarespace.com.

Process tree (dropped files, network contacts and signatures listed under the process that produced them):

ewuTygg1Bw.exe (started)
    dropped: C:\Users\user\AppData\...\ewuTygg1Bw.exe.log (ASCII)
    signatures: Tries to detect virtualization through RDTSC time measurements
    ewuTygg1Bw.exe (child instance)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            network: longfellowpurebreds.com 104.219.248.115 (source port 49711, destination port 80, United States); www.longfellowpurebreds.com; www.diamond-distinction.com
            dropped: C:\Users\user\AppData\Local\...\vgaot707b.exe (PE32)
            signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files
            cscript.exe (started)
                dropped: C:\Users\user\AppData\...\983logrv.ini, 983logri.ini, 983logrf.ini (data)
                signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
                cmd.exe (started)
                    dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
                    signatures: Tries to harvest and steal browser information (history, passwords, etc)
                    conhost.exe (started)
                cmd.exe (started)
                    conhost.exe (started)
            vgaot707b.exe (started)
                vgaot707b.exe (child instance)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
            autochk.exe (started)
            raserver.exe (started)
Threat name: Win32.PUA.InstallCore
Status: Malicious
First seen: 2020-06-07 22:38:40 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 1/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook rat rezer0 spyware stealer trojan
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
ServiceHost packer
rezer0
Formbook
Malware Config
C2 Extraction:
http://www.joomlas123.com/4vx/
Please note that we are no longer able to provide a coverage score for Virus Total.
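The network indicators on this entry are spread across two places: the hosts the injected explorer.exe contacted in the sandbox run (behaviour graph above) and the C2 URL recovered from the malware config. The following is an added example (not MalwareBazaar code) that pulls both into one indicator list and runs it over proxy log lines. The log lines and their field layout (timestamp, client IP, method, URL, status) are constructed for the example and do not follow any particular product's schema.

```python
"""Match this entry's network indicators against proxy log lines.

Added example, not MalwareBazaar code. Indicators are taken from the sandbox
behaviour graph and the C2 extraction on this page; the log lines and their
format are constructed for the example.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# C2 URL from the malware config on this page.
C2_URL = "http://www.joomlas123.com/4vx/"
# Hosts contacted in the sandbox run plus the C2 host. Exact match is tried first,
# then any subdomain of a listed name. ext-sq.squarespace.com also appears in the
# graph but is a shared hosting name and is left out to avoid false positives.
IOC_DOMAINS = (
    "www.joomlas123.com",
    "longfellowpurebreds.com",
    "www.longfellowpurebreds.com",
    "www.diamond-distinction.com",
    "www.audreyfarley.com",
)
IOC_IPS = {"104.219.248.115"}

# Constructed log lines: three contacts from one client that should be flagged,
# one unrelated request that should not.
SAMPLE_LOG = [
    "2020-06-08T15:01:12Z 10.0.0.23 GET http://www.joomlas123.com/4vx/?id=1 200",
    "2020-06-08T15:01:13Z 10.0.0.23 POST http://www.longfellowpurebreds.com/4vx/ 404",
    "2020-06-08T15:01:20Z 10.0.0.23 GET http://104.219.248.115/ 200",
    "2020-06-08T15:02:01Z 10.0.0.41 GET https://www.example.com/index.html 200",
]


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def matching_indicator(host: str) -> str | None:
    """The listed indicator that covers host, or None."""
    if host in IOC_IPS or host in IOC_DOMAINS:
        return host
    for domain in IOC_DOMAINS:
        if host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(lines: list[str]) -> list[dict]:
    """Return one hit per log line whose destination matches an indicator."""
    hits: list[dict] = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than guess at fields
        _timestamp, client, _method, url, _status = fields[:5]
        host = host_of(url)
        indicator = matching_indicator(host)
        if indicator is None:
            continue
        # A hit on the exact C2 URL is stronger evidence than a hit on a host alone.
        reason = "c2-url" if url.startswith(C2_URL) else "ioc-host"
        hits.append({"line": lineno, "client": client, "host": host,
                     "indicator": indicator, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Treat the two hit classes differently: the extracted C2 URL is the high-confidence indicator, while the sandbox-contacted domains are weaker, since FormBook samples contact a list of decoy domains alongside the live C2 and some of those names belong to unrelated sites.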

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | FormBook | Executable exe | bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112 (this sample)

Delivery method: Distributed via e-mail attachment

Comments