MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c29af14bba547ce94a8a7c2d7f71d30ebd0df541b604b4dfa400700601755efb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	c29af14bba547ce94a8a7c2d7f71d30ebd0df541b604b4dfa400700601755efb
SHA3-384 hash:	201a16d50c942976580e57e93d2b9b033aa78ef61bfa83f0094aca812ce2347bd3464fe7e8def39aa27f835e94f503d9
SHA1 hash:	f7dc26b25cecdfcc0f25af035fd9ab285ab7e7a3
MD5 hash:	9cdb68d9a9b6e5eae810306c9f2d1f6b
humanhash:	network-fanta-texas-alaska
File name:	Pago0012245611.Scan.pdf..exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	344'576 bytes
First seen:	2020-08-05 17:13:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:zC1sb/ugIuaUtDXu+jbQm3MLKv/CYL4rfAk2ra74Od8LA+9lZCtW:G1sbGuaUtDessguICYofZdULAOlZCE
Threatray	5'131 similar samples on MalwareBazaar
TLSH	4374E1270FBCE1E6DF0BE6398324569E46F3D526005AAC95BEA124CBA310707F1927D7
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: jace.com
Sending IP: 45.127.62.110
From: David Díaz <madie@nisuysa.xyz>
Subject: RE: RE: Pago
Attachment: Pago0012245611.Scan.pdf.rar (contains "Pago0012245611.Scan.pdf..exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/411728

Signature

Benign windows process drops PE files

Detected FormBook malware

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses ipconfig to lookup or modify the Windows network settings

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/c29af14bba547ce94a8a7c2d7f71d30ebd0df541b604b4dfa400700601755efb/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-08-05 17:14:11 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yknpcs52kr6ossukpqwx64otb26q35kbwycljx5eabyamalvl35q._file

Verdict:

malicious

FormBook

3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b

FormBook

5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea

FormBook

5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35

FormBook

8604f9cf7a68603106748dcd54ec4bf13f11ac46bf07d4fa0ec20d45b98e16c9

FormBook

8fb2b9dc001a9dda1b56963034f4957c33e13cf502ab963630100350c0143bce

FormBook

a1ad8bfdcc01c3b59fce9cf7c4ea716f46c5e562d1fbfda663a03fcb3b21fc59

FormBook

a777ab5f9fd6e6aa4f4d70b5168f4358c849f3ab461a3d15d315c83fe351272d

FormBook

e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c

FormBook

fc7f170e0b18f35f5d150ec384f7d7db8cd790bdac22d469424515225ab30658

FormBook

+ 5'121 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat evasion trojan spyware stealer family:formbook persistence

Link:

https://tria.ge/reports/200805-mb1rs7bagj/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run key to start application

Deletes itself

Reads user/profile data of web browsers

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/c29af14bba547ce94a8a7c2d7f71d30ebd0df541b604b4dfa400700601755efb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 1b006c034d7b3277e864d28e0ba06c8cf47a2eb7aadc5944a8e8180846e8f5a9

FormBook

exe c29af14bba547ce94a8a7c2d7f71d30ebd0df541b604b4dfa400700601755efb

(this sample)

Dropped by

MD5 3968b245020828008f9a38d9c1992abc

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/39869/

Dropped by

SHA256 1b006c034d7b3277e864d28e0ba06c8cf47a2eb7aadc5944a8e8180846e8f5a9

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample