MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9044f1992ec7d31ec219353ff146261dd95b6bc2aee20cdfc4e01f0e045651e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	c9044f1992ec7d31ec219353ff146261dd95b6bc2aee20cdfc4e01f0e045651e
SHA3-384 hash:	65c8d44f3ff28318a9681f8de603ff120a2654b2a4ae05b860543fccdb0a557dca8612d27dd384a21529ac36bc68cd9d
SHA1 hash:	4129f1aa7405f3c669bcaac0c44bdc8651322ce2
MD5 hash:	4f030f0324459c479fc91f55818262a8
humanhash:	oven-uncle-johnny-nitrogen
File name:	po.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	351'744 bytes
First seen:	2020-08-04 11:01:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:/rHAgbCa8sGQTpgM52SKidP3Z6c7B9AqNjg:/rHX8kTL52yN3Z6clP
Threatray	2'502 similar samples on MalwareBazaar
TLSH	29749D353853D529CC7A0E74C425AAC2BA65BA9A3B558A2FB08E530C1F4365F3F9305F
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing Formbook:

HELO: server0.ihswt.com
Sending IP: 142.11.236.209
From: "Decorum Vin Ltd" <sales@ihswt.com>
Subject: Purchase Order
Attachment: purchaseorder.doc

FormBook paylod URL:
https://ryetgvteg.gb.net/po.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/38528/

Detection(s):

SecuriteInfo.com.Fareit-FVT4F030F032445.5429.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/409251

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/c9044f1992ec7d31ec219353ff146261dd95b6bc2aee20cdfc4e01f0e045651e/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-04 11:03:04 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zece6gms5r6td3bbsnj76fdcmhozlnv4flxcbtp4jya7bycfmupa._file

Verdict:

malicious

Formbook

4b83753be005d3668592559d6fe011fda590558f730140f6c303714ac8fe0d93

Formbook

538026aea095085f7a8cd260a783b5495592a90ed7df928d6db87b7e2a3b8675

Formbook

9a3f18b05ce5e0ad884dc95af226f584d483a91dd15cb895a0cce8b91fb2b314

Formbook

bc931053b524ad01013ebd0aeb020953b8822bd4614cdb311a6e4d0bebc74e36

Formbook

cd88f1f0051fb232edba57fff3fc2b789e0b286ec9b938d8f31c3ef52c6848df

Formbook

dc7dcd0b09fa13bd6af193cac9a2b68892f0b51670b045a824806852f4205689

Formbook

e69790e910b1817bcfb714f20fda02b6e024babd3dfcea8fa982192928a5df93

Formbook

f01e05ea7a73c604ae68acbced809fa9a249818994aae64af13010b3ea82c892

Formbook

fc714509dc4c3d6f3e13028be7be8207b2377331266c8ce213c575e511f8d31f

Formbook

+ 2'492 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat persistence spyware evasion trojan stealer family:formbook

Link:

https://tria.ge/reports/200804-52wzfb476x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Reads user/profile data of web browsers

Loads dropped DLL

Adds policy Run key to start application

Executes dropped EXE

Formbook Payload

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9044f1992ec7d31ec219353ff146261dd95b6bc2aee20cdfc4e01f0e045651e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator