MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd4983261b9d093fb2a63ff9fa199aa44fae617a7a0e74b80d986d3c663a4c97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 9



SHA256 hash: cd4983261b9d093fb2a63ff9fa199aa44fae617a7a0e74b80d986d3c663a4c97
SHA3-384 hash: ac5654fea1bcd63aac78dfc1c7f03eaa1dfabcb319f4525c5be6dd92fa4488dd3fa735cdafbab36aff49a7af776890ce
SHA1 hash: 6794c11ab44eb9c8f8b9fe02d815268d27ba27b8
MD5 hash: 463a961e593e3779f46c1305ef9e0dff
humanhash: monkey-avocado-fanta-fifteen
File name: Abraj Energy Services.exe
Signature: FormBook
File size: 741'376 bytes
First seen: 2020-07-20 12:53:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 12288:1uFL/1q9I6/kldSCGDyaod+ik4g8y3SoDdb83Hn9dl56tm+Z7j+1TrGk6:1uZ/OPW2rEloD1o9dlQI+Zy1TrG
Threatray: 5'215 similar samples on MalwareBazaar
TLSH: FCF4E0C9AAA05400C6ED3FF59EA2CAB843347D05F5F2970F1BC4BD8A297A793D854352
Reporter: abuse_ch
Tags: exe FormBook
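The imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, which makes it nearly useless as a family indicator here. The reason is in the vendor verdict further down (ByteCode-MSIL): this is a .NET executable, and every .NET executable's only native import is mscoree!_CorExeMain, so they all hash to the same value. The Python below is an added illustration, not MalwareBazaar's or pefile's code: it reimplements the imphash algorithm (the pefile/VirusTotal variant, without pefile's ordinal-to-name tables for a few system DLLs) over constructed import tables and checks that the single .NET import reproduces the page's value while a native Win32 import table does not. The import lists, the family labels on them and the API names in the native list are assumptions for illustration.

```python
import hashlib

# DLL extensions dropped from the library name, as pefile's get_imphash() does.
_STRIPPED_EXTS = {"dll", "ocx", "sys"}


def imphash(imports):
    """Import hash over an ordered list of (dll, symbol) pairs.

    symbol is a function name (str) or an export ordinal (int). Library and
    function names are lowercased, the DLL extension is dropped, ordinals
    become 'ordN', and MD5 is taken over the comma-joined 'dll.symbol'
    strings. This is the pefile/VirusTotal algorithm minus pefile's
    ordinal-to-name lookup for oleaut32/ws2_32/wsock32.
    """
    parts = []
    for dll, symbol in imports:
        dll = dll.lower()
        base, _, ext = dll.rpartition(".")
        if base and ext in _STRIPPED_EXTS:
            dll = base
        sym = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{dll}.{sym}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Constructed import tables, not read from the sample. A .NET PE has exactly
# one native import, mscoree!_CorExeMain, whatever the managed code does, so
# two unrelated .NET stealers look identical to imphash. The native list
# (typical process-hollowing APIs, an assumption) is there only to show a
# hash that differs.
DOTNET_STEALER_A = [("mscoree.dll", "_CorExeMain")]
DOTNET_STEALER_B = [("MSCOREE.DLL", "_CorExeMain")]
NATIVE_HOLLOWER = [
    ("kernel32.dll", "CreateProcessW"),
    ("ntdll.dll", "NtUnmapViewOfSection"),
    ("kernel32.dll", "WriteProcessMemory"),
    ("kernel32.dll", "SetThreadContext"),
    ("kernel32.dll", "ResumeThread"),
]

PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"  # value listed on this page


def dotnet_collision():
    """Show why the page's imphash spans AgentTesla, Formbook and SnakeKeylogger."""
    a = imphash(DOTNET_STEALER_A)
    b = imphash(DOTNET_STEALER_B)
    n = imphash(NATIVE_HOLLOWER)
    return {
        "dotnet_a": a,
        "dotnet_b": b,
        "native": n,
        "dotnet_collides": a == b,
        "native_differs": n != a,
        "matches_page": a == PAGE_IMPHASH,
    }


if __name__ == "__main__":
    for key, value in dotnet_collision().items():
        print(f"{key}: {value}")
```

For .NET samples, pivot on ssdeep, TLSH or a YARA rule over the managed code instead; the imphash only tells you that the file is .NET.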

Intelligence


File Origin
# of uploads: 1
# of downloads: 92
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 248192
Sample: Abraj Energy Services.exe
Startdate: 21/07/2020
Architecture: WINDOWS
Score: 100

Start
  Network: www.sladenidu.com
  Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 7 other signatures
  started: Abraj Energy Services.exe
    Dropped: C:\Users\...\Abraj Energy Services.exe.log (ASCII)
    Signatures: Injects a PE file into a foreign processes
    started: Abraj Energy Services.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      injected: explorer.exe
        Network: www.regulars7.info 162.0.224.251 (ports 49713, 49714, 49715; NAMECHEAP-NETUS, Canada); jointventurementors.com 34.102.136.180 (ports 49712, 80; GOOGLEUS, United States); 2 other IPs or domains
        Dropped: C:\Users\user\AppData\Local\...\nftd0bx4a.exe (PE32)
        Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files
        started: cmstp.exe
          Dropped: C:\Users\user\AppData\...\4L7logrv.ini (data); C:\Users\user\AppData\...\4L7logri.ini (data); C:\Users\user\AppData\...\4L7logrf.ini (data)
          Signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
          started: cmd.exe
            Dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
            Signatures: Tries to harvest and steal browser information (history, passwords, etc)
            started: conhost.exe
          started: cmd.exe
            started: conhost.exe
        started: nftd0bx4a.exe
          Signatures: Injects a PE file into a foreign processes
          started: nftd0bx4a.exe
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
        started: rundll32.exe
          Signatures: Tries to detect virtualization through RDTSC time measurements
        started: autofmt.exe
Threat name: ByteCode-MSIL.Trojan.Masslogger
Status: Malicious
First seen: 2020-07-20 12:55:05 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Deletes itself
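The behaviour lists and the graph above describe one chain: the .NET launcher starts and hollows a copy of itself (SetThreadContext, WriteProcessMemory, MapViewOfSection), that copy injects into explorer.exe, and explorer.exe then drops a PE, connects to the C2 hosts and launches Windows binaries (cmstp.exe, autofmt.exe, rundll32.exe) that in turn run cmd.exe to harvest browser and mail data. As an added example that is not part of this page or of either sandbox's output, the Python below runs four detection rules for that chain over constructed Sysmon-style events (event ID 1 process create, 3 network connect, 11 file create) and includes two benign events that must not fire. Process names and the two C2 addresses are taken from the graph; the mail client, PIDs, full file paths and destination ports are assumptions.

```python
import ipaddress
from pathlib import PureWindowsPath

# Sysmon-style events constructed for this example (IDs as in Sysmon:
# 1 = process create, 3 = network connect, 11 = file create). Process names
# and the two C2 addresses come from the sandbox graph; the mail client, PIDs,
# full paths and destination ports are assumptions.
EVENTS = [
    {"id": 1, "pid": 100, "image": r"C:\Users\user\Downloads\Abraj Energy Services.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    # the launcher starts a second copy of itself and hollows it
    {"id": 1, "pid": 101, "image": r"C:\Users\user\Downloads\Abraj Energy Services.exe",
     "parent": r"C:\Users\user\Downloads\Abraj Energy Services.exe"},
    # the hollowed copy injects into explorer.exe, which then does the real work
    {"id": 3, "pid": 20, "image": r"C:\Windows\explorer.exe", "dst": "34.102.136.180", "dport": 80},
    {"id": 3, "pid": 20, "image": r"C:\Windows\explorer.exe", "dst": "162.0.224.251", "dport": 80},
    {"id": 11, "pid": 20, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\nftd0bx4a.exe"},
    {"id": 1, "pid": 200, "image": r"C:\Windows\System32\cmstp.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 201, "image": r"C:\Windows\System32\autofmt.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 300, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\cmstp.exe"},
    {"id": 1, "pid": 301, "image": r"C:\Windows\System32\conhost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    # benign noise that must not fire: a user opens a shell from the Start menu,
    # and explorer.exe talks to a file server on the LAN
    {"id": 1, "pid": 400, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 20, "image": r"C:\Windows\explorer.exe", "dst": "192.168.1.10", "dport": 445},
]

# Windows binaries the graph shows explorer.exe launching as hosts for the
# stealer. FormBook picks from a longer hardcoded list, so extend this in practice.
INJECTED_HOSTS = {"cmstp.exe", "rundll32.exe", "autofmt.exe"}
SYSTEM_DIR = "c:\\windows\\"
PE_EXTS = (".exe", ".dll")


def basename(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the FormBook chain."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent"])
            # Rule 1: a non-system binary re-launching its own image is the
            # launcher/hollowed-child pattern ("Abraj Energy Services.exe" started
            # "Abraj Energy Services.exe" in the graph).
            if parent == img and not ev["image"].lower().startswith(SYSTEM_DIR):
                hits.append(("self_spawn_hollowing", ev["pid"], img))
            # Rule 2: cmd.exe whose parent is one of the Windows binaries FormBook
            # hollows (cmstp.exe -> cmd.exe above). cmd.exe under explorer.exe alone
            # is normal user activity and is deliberately not matched.
            if img == "cmd.exe" and parent in INJECTED_HOSTS:
                hits.append(("lolbin_spawns_cmd", ev["pid"], parent))
        elif ev["id"] == 3 and img == "explorer.exe":
            # Rule 3: explorer.exe reaching a public address ("System process
            # connects to network"); LAN and loopback traffic is expected.
            if ipaddress.ip_address(ev["dst"]).is_global:
                hits.append(("explorer_outbound", ev["pid"], f'{ev["dst"]}:{ev["dport"]}'))
        elif ev["id"] == 11 and img == "explorer.exe":
            # Rule 4: explorer.exe writing a PE ("Benign windows process drops PE files").
            if ev["target"].lower().endswith(PE_EXTS):
                hits.append(("explorer_drops_pe", ev["pid"], ev["target"]))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid:<4} {detail}")
```

Rules 3 and 4 are the high-confidence ones: explorer.exe neither talks to the internet nor writes executables on its own. Rule 2 needs the host list kept current, and rule 1 will also catch legitimate self-updaters, so treat it as a correlation signal rather than an alert by itself.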
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  FormBook
    Executable exe cd4983261b9d093fb2a63ff9fa199aa44fae617a7a0e74b80d986d3c663a4c97 (this sample)

Delivery method: Distributed via e-mail attachment

Comments