MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d810052504c453dbe0b0960c1f818146afce0c24f793d37e35ca806d8458d647. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d810052504c453dbe0b0960c1f818146afce0c24f793d37e35ca806d8458d647
SHA3-384 hash: b16b83982704230ec3b196a2302e1fd92d56c405ff7bdde85bc81a782a8fb2b7bfcaace561e55c870a1b9770cb0f17bd
SHA1 hash: d103b69c59235efeef55c7b049481989b36db170
MD5 hash: a6727b64ffe9e5231aeee0ce8e925c7e
humanhash: nuts-moon-magnesium-hotel
File name:21.7 20 IMG_______.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:365'568 bytes
First seen:2020-07-22 06:40:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:Xn0p/Cy9Wamlpaw1KPFROs4Gi1AoSdOH4IDju4T32w96/sG9+MKXGqoBulDUBDj2:X0VVWhKP7OXbsS40dBSRKXoBuOBDjG
Threatray 10'293 similar samples on MalwareBazaar
TLSH 7C74E13232A6AE85EF370E79981230401DB57C277A29C387BD49029615FB7A4CE61FD7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail10.druknet.bt
Sending IP: 202.144.128.177
From: Juan Perez <dorji@druknet.bt>
Subject: SOLICITUD DE PRESUPUESTO
Attachment: 21.7 20 IMG_______.rar (contains "21.7 20 IMG_______.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30770/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394403
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249601 Sample: 21.7 20 IMG_______.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for dropped file 2->71 73 9 other signatures 2->73 10 21.7 20 IMG_______.exe 7 2->10         started        process3 file4 49 C:\Users\user\AppData\Roaming\yLZECp.exe, PE32 10->49 dropped 51 C:\Users\user\AppData\Local\...\tmp76E2.tmp, XML 10->51 dropped 53 C:\Users\user\...\21.7 20 IMG_______.exe.log, ASCII 10->53 dropped 85 Injects a PE file into a foreign processes 10->85 14 21.7 20 IMG_______.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 97 Modifies the context of a thread in another process (thread injection) 14->97 99 Maps a DLL or memory area into another process 14->99 101 Sample uses process hollowing technique 14->101 103 Queues an APC in another process (thread injection) 14->103 19 explorer.exe 1 6 14->19 injected 24 conhost.exe 17->24         started        process8 dnsIp9 61 www.doneym.com 199.192.18.63, 49717, 80 NAMECHEAP-NETUS United States 19->61 63 kalbarnews.com 213.190.6.107, 49718, 49719, 49720 AS-HOSTINGERLT Germany 19->63 65 2 other IPs or domains 19->65 47 C:\Users\user\AppData\...\taskhostxx4pftb.exe, PE32 19->47 dropped 81 System process connects to network (likely due to code injection or exploit) 19->81 83 Benign windows process drops PE files 19->83 26 netsh.exe 1 18 19->26         started        30 taskhostxx4pftb.exe 5 19->30         started        32 systray.exe 19->32         started        file10 signatures11 process12 file13 55 C:\Users\user\AppData\...\K-6logrv.ini, data 26->55 dropped 57 C:\Users\user\AppData\...\K-6logri.ini, data 26->57 dropped 59 C:\Users\user\AppData\...\K-6logrf.ini, data 26->59 dropped 87 Detected FormBook malware 26->87 89 Tries to steal Mail credentials (via file access) 26->89 91 Tries to harvest and steal browser information (history, passwords, etc) 26->91 95 2 other signatures 26->95 34 cmd.exe 1 26->34         started        36 taskhostxx4pftb.exe 30->36         started        39 schtasks.exe 1 30->39         started        41 taskhostxx4pftb.exe 30->41         started        93 Tries to detect virtualization through RDTSC time measurements 32->93 signatures14 process15 signatures16 43 conhost.exe 34->43         started        75 Modifies the context of a thread in another process (thread injection) 36->75 77 Maps a DLL or memory area into another process 36->77 79 Sample uses process hollowing technique 36->79 45 conhost.exe 39->45         started        process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d810052504c453dbe0b0960c1f818146afce0c24f793d37e35ca806d8458d647/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 22:42:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3aiakjieyrj5xyfqsygb7ambi2x44dbe66j5g7rvzkag3bcy2zdq._file
Verdict:
malicious
Similar samples:
1789be535367afa0097be7d9ef6c90523df01d10e40b712ed0ead826b46e99e1
FormBook
35581eb6b7b958bfd5a21f192571f5adeeac39295de4ce29bc16bbb57480ae80
FormBook
3ec51daa2ad133cfcdce1ffca7081f96ee58d9b5c2d302cee732e6e2cc3d8cc6
FormBook
4cc50598ab30ac06a20ce6a6a56deedb59ecb519a814ac791b194f49b63a7daa
FormBook
5da7735fc8be010eaed89e5776cabe530402d4c6d0c6e5c5de515f12e05081f8
FormBook
5f657de9b0eaeb9eabf6d18a202f7b8c7daafd71d03387366069fe9ebd5f282a
FormBook
6830866e2d41b970c95172f9a156522c72cfd238f846c02c19827b2100fc5deb
FormBook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
FormBook
b3349406861e76bfb84f4757a646c3fe94eb5e1cd27abeeffa48aabb6c8fa4d5
FormBook
cf5a86737ab13ec2ea858e0d7c635c3a3c79d1deda05e79a81dd1b470dcb0942
FormBook
+ 10'283 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200722-bsng65zewa/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d810052504c453dbe0b0960c1f818146afce0c24f793d37e35ca806d8458d647

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 49cad0d50513b8c43f935948ae466868316676a235977fda1ef19e7db73b9d76

FormBook

Executable exe d810052504c453dbe0b0960c1f818146afce0c24f793d37e35ca806d8458d647

(this sample)

  
Dropped by
MD5 33771828330c90495fa323d60b169d2f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30770/
  
Dropped by
SHA256 49cad0d50513b8c43f935948ae466868316676a235977fda1ef19e7db73b9d76

Comments