MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2d515e9dd5705196004ff3a32c774ac254b80d3fe97d6d8619c0468ef6ecabf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c2d515e9dd5705196004ff3a32c774ac254b80d3fe97d6d8619c0468ef6ecabf
SHA3-384 hash: 5fdddb631773c42780172228b04b593cd7384c822c0b80b9d506b29a7ede1c8d04e89d00551caf42cdeeb4aec6751601
SHA1 hash: 7d6ec773953a0863f3555a7707df86f00a920468
MD5 hash: 575000e87555c60bdf032dcf7146d802
humanhash: louisiana-mirror-harry-ink
File name:Purchase Order copy.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:722'944 bytes
First seen:2020-07-20 12:16:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:NubE1q9I6/kldSCGDyaod+ik4g8y3SoD7O7zTuIL+mXgLXq4q:NubEOPW2rEloDK7pXXgzq
Threatray 5'216 similar samples on MalwareBazaar
TLSH 49F4E0C99AA05400C6ED3FF59E628AB54735BD09F1F2930F1FC0A98F293A793D854762
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qamail.clariti.app
Sending IP: 18.235.15.241
From: Joakim Kim <test1@qamail.clariti.app>
Subject: Re: Purchase Order PO-4093021b
Attachment: Purchase Order copy.gz (contains "Purchase Order copy.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29094/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52265.2050.23275.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391569
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248158 Sample: Purchase Order copy.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for domain / URL 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for dropped file 2->63 65 7 other signatures 2->65 10 Purchase Order copy.exe 1 2->10         started        process3 file4 45 C:\Users\user\...\Purchase Order copy.exe.log, ASCII 10->45 dropped 81 Injects a PE file into a foreign processes 10->81 14 Purchase Order copy.exe 10->14         started        signatures5 process6 signatures7 83 Modifies the context of a thread in another process (thread injection) 14->83 85 Maps a DLL or memory area into another process 14->85 87 Sample uses process hollowing technique 14->87 89 Queues an APC in another process (thread injection) 14->89 17 explorer.exe 1 6 14->17 injected process8 dnsIp9 47 balancer.wixdns.net 35.242.251.130, 49718, 49719, 49720 GOOGLEUS United States 17->47 49 www.luxuryonlinemarketing.com 17->49 51 4 other IPs or domains 17->51 37 C:\Users\user\...\rn08szixxrdpftbp.exe, PE32 17->37 dropped 67 System process connects to network (likely due to code injection or exploit) 17->67 69 Benign windows process drops PE files 17->69 22 msdt.exe 1 18 17->22         started        26 rn08szixxrdpftbp.exe 1 17->26         started        28 wlanext.exe 17->28         started        file10 signatures11 process12 file13 39 C:\Users\user\AppData\...\08Llogrv.ini, data 22->39 dropped 41 C:\Users\user\AppData\...\08Llogri.ini, data 22->41 dropped 43 C:\Users\user\AppData\...\08Llogrf.ini, data 22->43 dropped 71 Detected FormBook malware 22->71 73 Tries to steal Mail credentials (via file access) 22->73 75 Creates autostart registry keys with suspicious names 22->75 79 3 other signatures 22->79 30 cmd.exe 1 22->30         started        32 rn08szixxrdpftbp.exe 26->32         started        77 Tries to detect virtualization through RDTSC time measurements 28->77 signatures14 process15 signatures16 35 conhost.exe 30->35         started        53 Modifies the context of a thread in another process (thread injection) 32->53 55 Maps a DLL or memory area into another process 32->55 57 Sample uses process hollowing technique 32->57 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c2d515e9dd5705196004ff3a32c774ac254b80d3fe97d6d8619c0468ef6ecabf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 12:18:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ylkrl2o5k4crsyae745dfr3uvqsuxagt72l5nwdbtqcgr33ozk7q._file
Verdict:
malicious
Similar samples:
0d567b16454b8c3be5e7dbc796bf7049c0eb18ba9a625d6b5f45eff7202aaf70
FormBook
165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d
FormBook
22f4207de77f987b6791843539e25e05ff3f6c010e805330210399e23c323b87
FormBook
51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501
FormBook
5767bcddaf9404e411f25e457d8af27eeefa15515f415e901b6e7412708e5209
FormBook
8509ca4c5f81525eb6f300294703c9c66af0369374bc064ac024c9dae62c7092
FormBook
b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f
FormBook
ca3ab25a8c3213aa08113b09cc4b60df1d2c440aeb0e02c1e3bd192a57f86208
FormBook
d6330004986cb2968200bad58cb3f1135e2383d9bdf6894feff0f28f952f4c2b
FormBook
fff1c46e62b2f3a4e202e05aebfc1e7d72b8b3c540912fe18f4b97dc4ab50e55
FormBook
+ 5'206 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
evasion trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200720-9cvehv6cde/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c2d515e9dd5705196004ff3a32c774ac254b80d3fe97d6d8619c0468ef6ecabf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

gz d3f0628f7c91717ad0ec7a8829c8892c1eebc1c06464a1e5f670f04eccffe436

FormBook

Executable exe c2d515e9dd5705196004ff3a32c774ac254b80d3fe97d6d8619c0468ef6ecabf

(this sample)

  
Dropped by
MD5 7d3c5ce00a19c4e08d8007315f53dcd3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29094/
  
Dropped by
SHA256 d3f0628f7c91717ad0ec7a8829c8892c1eebc1c06464a1e5f670f04eccffe436

Comments