MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3aa8bddb8ca445d0908c2d02bbb01470c8998a0fc525847ec619fe7868ac043. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3aa8bddb8ca445d0908c2d02bbb01470c8998a0fc525847ec619fe7868ac043
SHA3-384 hash: 06846b8d1fa54cf7983a0d00c63ee5f433f87daaee75b9eb3905c0d1afc544d2342af3713363ef8137543444415e66c4
SHA1 hash: 2845b36a0f96486d24fd2ef7e0077d8f56a07411
MD5 hash: 47d3269cf2f5a1199b2e9c22e722fecc
humanhash: glucose-sierra-aspen-lion
File name:shipping Document.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:591'360 bytes
First seen:2020-08-15 10:01:32 UTC
Last seen:2020-08-15 10:34:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ytbfHbOivhRikpA+jbvUbxKzNF+XxmKvsUDSi+9yo6JWO/v:ytbTSkVjLuxKzN3KPho6JWO3
Threatray 2'260 similar samples on MalwareBazaar
TLSH 66C40222274DCBDBE1ADB73E02682991F3F2D113F707EE6CBD8991D96C06AA75380511
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.h-email.net
Sending IP: 156.96.59.30
From: ''Support''<supportvietnam@dhl.com>
Subject: Delivery Notification
Attachment: shipping Document.zip (contains "shipping Document.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46300/
Detection(s):
SecuriteInfo.com.Generic.mg.47d3269cf2f5a119.13157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/431974
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 268407 Sample: shipping Document.exe Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 49 www.turismosaoluis.com 2->49 51 HDRedirect-LB5-1afb6e2973825a56.elb.us-east-1.amazonaws.com 2->51 59 Malicious sample detected (through community Yara rule) 2->59 61 Sigma detected: Scheduled temp file as task from temp location 2->61 63 Yara detected AntiVM_3 2->63 65 9 other signatures 2->65 11 shipping Document.exe 7 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\DvRweEvwvCW.exe, PE32 11->37 dropped 39 C:\Users\...\DvRweEvwvCW.exe:Zone.Identifier, ASCII 11->39 dropped 41 C:\Users\user\AppData\Local\...\tmpF452.tmp, XML 11->41 dropped 43 C:\Users\user\...\shipping Document.exe.log, ASCII 11->43 dropped 71 Injects a PE file into a foreign processes 11->71 15 shipping Document.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 81 Modifies the context of a thread in another process (thread injection) 15->81 83 Maps a DLL or memory area into another process 15->83 85 Sample uses process hollowing technique 15->85 87 Queues an APC in another process (thread injection) 15->87 20 explorer.exe 1 6 15->20 injected 25 conhost.exe 18->25         started        process9 dnsIp10 53 arttextileduverdon.info 153.126.139.69, 49738, 80 SAKURA-ASAKURAInternetIncJP Japan 20->53 55 iferrara.expert 35.214.154.230, 49739, 49740, 49741 GOOGLE-2US United States 20->55 57 4 other IPs or domains 20->57 35 C:\Users\user\...\ThumbCache5j78thh.exe, PE32 20->35 dropped 67 System process connects to network (likely due to code injection or exploit) 20->67 69 Benign windows process drops PE files 20->69 27 cmmon32.exe 1 17 20->27         started        file11 signatures12 process13 file14 45 C:\Users\user\AppData\...\OQ4logrv.ini, data 27->45 dropped 47 C:\Users\user\AppData\...\OQ4logri.ini, data 27->47 dropped 73 Detected FormBook malware 27->73 75 Tries to steal Mail credentials (via file access) 27->75 77 Tries to harvest and steal browser information (history, passwords, etc) 27->77 79 3 other signatures 27->79 31 cmd.exe 1 27->31         started        signatures15 process16 process17 33 conhost.exe 31->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3aa8bddb8ca445d0908c2d02bbb01470c8998a0fc525847ec619fe7868ac043/
Threat name:
ByteCode-MSIL.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-15 08:03:08 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yovixxnyzjcf2ciiylicxoybi4gitgfa7rjfqr7mmgp6pbukybbq._file
Verdict:
malicious
Similar samples:
3b74c2f8330e4a13915efff621b1eaba4ba50becaa826071fc9e96edd0079f69
FormBook
41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab
FormBook
503b445570a93a7cb69b2d5c17256274a5d8f2086b113229edbc1183f341391c
FormBook
823f72e280224715e6d4f7fff1f792d2c372d7633eab250f2308325eff114c18
FormBook
a408cbe02b8793b921482f59664bc83c5f187f69b02189987c601c6d449d4013
FormBook
bbc8f1873aefb2518b9675fdda8446a2ba7dc159bab9bfd08b40e19b654ea8bb
FormBook
d1dfcf2c14f3a10655f061a7833367abdcdeba8ad5ab3843edc4bed4ec19e9f9
FormBook
daa11a454d19db26e0628d81c0b187667405e26c08bdd466e43565d9b065c952
FormBook
f9105883e8b27ee7cfbe161616f341841f2b7e8c36f5d2b11796e0b002d86ad8
FormBook
f9fa0a06495f261c09ee9f5cd1f3e32ed8d05e6cc65ed223adb4bf6c02cc90dd
FormBook
+ 2'250 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200815-3n3m9t1cne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok3.info/xwqs/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3aa8bddb8ca445d0908c2d02bbb01470c8998a0fc525847ec619fe7868ac043

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 0b81ce82327eb158f6799c831d6436721f216e94b4160b6855cf8f1299bf8ed7

FormBook

Executable exe c3aa8bddb8ca445d0908c2d02bbb01470c8998a0fc525847ec619fe7868ac043

(this sample)

  
Dropped by
MD5 07a199aebbe0e5c5946c3bad18fd001e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46300/
  
Dropped by
SHA256 0b81ce82327eb158f6799c831d6436721f216e94b4160b6855cf8f1299bf8ed7

Comments