MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0f75c29c7e6f1531ae8f5b9f3e1f6c1c11d0f6cc06a76d308cc5a7f4e7736ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0f75c29c7e6f1531ae8f5b9f3e1f6c1c11d0f6cc06a76d308cc5a7f4e7736ac
SHA3-384 hash: 9ea165466d4c582f71b079e8dc5a0ff93a39ca53d76317baed42e7a8a5b01867679fb9b8448016f8d679999f2c741f36
SHA1 hash: 5ae9d3f42bc3fd7a60583fab982ae962ea61b416
MD5 hash: 42b6b24afda2c0fad7b70b9c184bc36f
humanhash: september-nine-pizza-fanta
File name:PO20012ZAS23JULY2020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:594'944 bytes
First seen:2020-07-31 06:11:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:nHuZEaQEAkfmSJIP2U7DdVyGpxidB0Qd6cnufCqjY6DAfa:nHu6aQhk+SM26VyGpx00AuZP7
Threatray 5'130 similar samples on MalwareBazaar
TLSH 5FC4485B60FDD0D6F40D3DB94EA9835A8AB5AC5A0272D117C22F3CD7D07B607DA80AE1
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dlveltex.co
Sending IP: 111.90.145.49
From: Khaled <khaled@alnafea.co>
Reply-To: dl889l9@gmail.com
Subject: REQUEST FOR PI TO MAKE PAYMENT JULY2020ETD
Attachment: PO20012ZAS23JULY2020.rar (contains "PO20012ZAS23JULY2020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35812/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/404541
Signature
Benign windows process drops PE files
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 254500 Sample: PO20012ZAS23JULY2020.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 50 g.msn.com 2->50 52 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->52 60 Malicious sample detected (through community Yara rule) 2->60 62 Yara detected AntiVM_3 2->62 64 Yara detected FormBook 2->64 66 5 other signatures 2->66 11 PO20012ZAS23JULY2020.exe 3 2->11         started        signatures3 process4 file5 48 C:\Users\...\PO20012ZAS23JULY2020.exe.log, ASCII 11->48 dropped 86 Tries to detect virtualization through RDTSC time measurements 11->86 88 Injects a PE file into a foreign processes 11->88 15 PO20012ZAS23JULY2020.exe 11->15         started        signatures6 process7 signatures8 90 Modifies the context of a thread in another process (thread injection) 15->90 92 Maps a DLL or memory area into another process 15->92 94 Sample uses process hollowing technique 15->94 96 Queues an APC in another process (thread injection) 15->96 18 explorer.exe 4 6 15->18 injected process9 dnsIp10 54 www.flycoz.com 162.213.250.91, 49737, 80 NAMECHEAP-NETUS United States 18->54 56 10076.searchmagnified.com 209.99.64.76, 49738, 49739, 49740 CONFLUENCE-NETWORK-INCVG United States 18->56 58 www.inmoregistrocanarias.com 18->58 42 C:\Users\user\AppData\...\tzypqb0hdn.exe, PE32 18->42 dropped 72 System process connects to network (likely due to code injection or exploit) 18->72 74 Benign windows process drops PE files 18->74 23 WWAHost.exe 1 17 18->23         started        27 tzypqb0hdn.exe 3 18->27         started        29 tzypqb0hdn.exe 2 18->29         started        31 2 other processes 18->31 file11 signatures12 process13 file14 44 C:\Users\user\AppData\...44L0logrv.ini, data 23->44 dropped 46 C:\Users\user\AppData\...46L0logri.ini, data 23->46 dropped 76 Detected FormBook malware 23->76 78 Tries to steal Mail credentials (via file access) 23->78 80 Tries to harvest and steal browser information (history, passwords, etc) 23->80 84 3 other signatures 23->84 33 cmd.exe 1 23->33         started        82 Injects a PE file into a foreign processes 27->82 35 tzypqb0hdn.exe 27->35         started        38 tzypqb0hdn.exe 29->38         started        signatures15 process16 signatures17 40 conhost.exe 33->40         started        68 Modifies the context of a thread in another process (thread injection) 35->68 70 Maps a DLL or memory area into another process 35->70 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c0f75c29c7e6f1531ae8f5b9f3e1f6c1c11d0f6cc06a76d308cc5a7f4e7736ac/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 06:14:32 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yd3vykoh43yvggxi6w47hypwyhar2d3mybvhnuyizrnh6ttxg2wa._file
Verdict:
malicious
Similar samples:
154d6b81bf4dcce3911f5c72f4790569e1cd91aee0040e7c1341f5286952bafe
FormBook
3026e3d087b09043925e42928fa0764af54475791f45f8ce97ce3f72b0a66e50
FormBook
50f8d8b5cbbad3f2a1d4a25b84553ba285f49318ab3dbb8d436b6709582997e8
FormBook
528855cf41335ffa3099457ea280c63afba531ec224b3c3ee9eb293b369db220
FormBook
597022d4e4794fb02c89a43939d93d1b2b1140e798e355c2a53a8423f19514ad
FormBook
8e0003e4f6d537153e60ac5129859a33b57b3b9a36b7d2be62273a6b3a8d5f3f
FormBook
8e3558d36802ba3f0da7c2b1188d5f12918959c2674e5421c2d15fad57d712e9
FormBook
a841d5eddb5208f4740c9d305151742f0a4c39b113e91d41414af98ff19c6c3d
FormBook
aa96ad04f8d5fede0038fa00238b1c5a275decf0774dadbfd93922311f80394d
FormBook
cbd6e5626ae84385a9fc7a7eab1877be367ef0b69dc1c4a8de1f668ecb018ab2
FormBook
+ 5'120 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200731-m24jx22d8a/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0f75c29c7e6f1531ae8f5b9f3e1f6c1c11d0f6cc06a76d308cc5a7f4e7736ac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 96b92cbff940266f2297a83d066b3aa75ef3914a246c657853e9eedb16614216

FormBook

Executable exe c0f75c29c7e6f1531ae8f5b9f3e1f6c1c11d0f6cc06a76d308cc5a7f4e7736ac

(this sample)

  
Dropped by
MD5 20f897d702b67fb267f256de906de7fe
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35812/
  
Dropped by
SHA256 96b92cbff940266f2297a83d066b3aa75ef3914a246c657853e9eedb16614216

Comments