MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da2466ff48f9de5fc946f2c90063f1deb996b01aa93950f51996e888fa93652d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da2466ff48f9de5fc946f2c90063f1deb996b01aa93950f51996e888fa93652d
SHA3-384 hash: 0e16e2b4c4722f7aebb764bdcffe18ff84c7244f3b5f795739e45a6ff8c363cfe442b293bb846c065bc8358d39400fea
SHA1 hash: ff4a043b6eb39c77174780d10a1ae02adb0a0579
MD5 hash: 9c329c868a776ddc03e02c62ac31e4cb
humanhash: grey-wisconsin-pizza-solar
File name:Purchase order#706.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:389'632 bytes
First seen:2020-07-06 06:47:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:2oBFbV+gLPfCaiybfHD/D7SDins3NMRjFpDPBdtVsQiN7NUq/ISG7i+n3HAApBz6:XuDiieRplPftXiN7X/IVPn3Vk
Threatray 5'267 similar samples on MalwareBazaar
TLSH 2284D0720246BFDAE73D8D74D54426400EA91C7BAB70DD49BDC831C922B6B249EBCE71
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: ngay7.localdomain
Sending IP: 45.127.62.116
From: Gustav Ernstmeier GmbH <orpha@dinamic.xyz>
Subject: Order Confirmation no. MW951S2, Customer order no. 706
Attachment: Purchase order706.pdf.rar (contains "Purchase order#706.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/20967/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/da2466ff48f9de5fc946f2c90063f1deb996b01aa93950f51996e888fa93652d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 06:49:04 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3isgn72i7hpf7skg6leqay7r324znma2ve4vb5izs3uir6utmuwq._file
Verdict:
malicious
Similar samples:
4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8
FormBook
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
8909f47d9db9c66a8ee7b08cf9dad1551e905d48b76f4c3a2acf926c26752ee7
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
FormBook
bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
+ 5'257 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200706-rklfmdtrs6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 2c0eb7d6b07628cc89d7ac5d996217fedfebc54b1d9460bcafd769faa54ccb0d

FormBook

Executable exe da2466ff48f9de5fc946f2c90063f1deb996b01aa93950f51996e888fa93652d

(this sample)

  
Dropped by
MD5 80bb615de2dc2c60dab67b3ecac661aa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2c0eb7d6b07628cc89d7ac5d996217fedfebc54b1d9460bcafd769faa54ccb0d
Cape
Cape
https://www.capesandbox.com/analysis/20967/

Comments