MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7740644db0391caebce4ec75e92a95062eb29b65cf118815907ae1a291421a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7740644db0391caebce4ec75e92a95062eb29b65cf118815907ae1a291421a1
SHA3-384 hash: 6eb16cba4df16ff494f21f3ab87d632efdf901bfd61fa4ccee497f6287678ce21f3d6a770e45eb613cb3e907554c86b6
SHA1 hash: b80dc9288fd45bb5db01c98a100e57bbc0da1570
MD5 hash: 6b693ec92fa73a62acad9332bbf4b00e
humanhash: illinois-network-carpet-grey
File name:me.scr
Download: download sample
Signature FormBook
Create hunting rule
File size:514'048 bytes
First seen:2020-08-10 08:52:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:EgOzBQxLfuNzD57BbvUUYHNWaDR1q1r02M:EgOFQxjuVDcUYHNtR1W0
Threatray 41 similar samples on MalwareBazaar
TLSH 64B46A0DBDE43647F12B8A7C739510E103F6BC1CDB21EEABAE46B3E516666198633503
Reporter abuse_ch
Tags:FormBook Hostwinds scr


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hwsrv-761317.hostwindsdns.com
Sending IP: 104.168.173.112
From: info@ricksaezp.com
Reply-To: info@ricksaezp.com
Subject: Quote#CON-071720-EB
Attachment: Templates.zip (contains "me.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42467/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Forced shutdown of a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/416383
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d7740644db0391caebce4ec75e92a95062eb29b65cf118815907ae1a291421a1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 03:37:22 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=252amrg3aoi4v26oj3dv5evjkbrowknwltyrrakza6xbukiuegqq._file
Verdict:
unknown
Similar samples:
08e1258c85ca8bedcf88e9cbe8a5c1d53cb5d06acf5a0d6d9ba929c1fc4a96ad
FormBook
1ac93b118f2f6facc20288611532e4f0f898967e262a6c9cea66bc2da07ad732
FormBook
4ab2e83b6bfd6b61c03b13f7b06806ccce7f3fdcc5c86dbd35295305b03f5d87
FormBook
5a023b9d4e63aab62c95820c69b08fc286f1ff99f7eb9381c5a83b258784063f
FormBook
881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867
FormBook
a311153c791b849034091bb57c8904ea17ee09b453b69bb7b28ab637389ad1eb
FormBook
aac7836cc3621b697210ec64dc5d423c1537bcc8e1e1276e8b0b9f8367251197
FormBook
b2762663ec4cb81d9b5b27725628e1c9300575c29d558b24e2425df54cf9c105
FormBook
ccaedac7e0d5d4a655d37d59fb12bfb920785e9c8d0b811dc6ab88d3e1ca6ea0
FormBook
df0defce758bd92b2db07399101c52e04c8059b1712ae0e74a420058cbbba52d
FormBook
+ 31 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200810-53ecgehwvj/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7740644db0391caebce4ec75e92a95062eb29b65cf118815907ae1a291421a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip c46ee625d9626c6583f1129a66c6044d50ae10ba95fec689e13646a0278afbe0

FormBook

Executable exe d7740644db0391caebce4ec75e92a95062eb29b65cf118815907ae1a291421a1

(this sample)

  
Dropped by
MD5 52f8f77ad3645ad1ff87f005b6a8fc14
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42467/
  
Dropped by
SHA256 c46ee625d9626c6583f1129a66c6044d50ae10ba95fec689e13646a0278afbe0

Comments