MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da4647425789cc5a32d2719815367c8c21d2279a77a3179e609e1db9844ef15a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 2 Comments

SHA256 hash: da4647425789cc5a32d2719815367c8c21d2279a77a3179e609e1db9844ef15a
SHA3-384 hash: 0a6d56ecfa16919425b35c639fc38d67f23508b7fbc903a70d0018da625c135703518dd617b1a6a5179a2ca010644976
SHA1 hash: 6b9e35f3131fdc4bd8ea66cd44303cb1004b2019
MD5 hash: 7af33570ec886974f5513b46e999b988
humanhash: speaker-ten-beer-eight
File name:qkuriw.jpg
Download: download sample
Signature FormBook
File size:186'368 bytes
First seen:2020-07-31 10:23:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:zWmJPkGyrdz62Wpm2bkKZbys7tSP4LXRd/chPpL1Yn6XGlk:z8ZN2kKZOVQLXRd/kV1yjm
TLSH 4B04AE36DA42C031E1B251B5F67D1B7B483D0E343254A0EAA3E52AE16FE48E5F52931F
Reporter @abuse_ch
Tags:exe FormBook


Twitter
@abuse_ch
Malspam distributing FormBook:

HELO: cloudhost-150218.us-midwest-1.nxcli.net
Sending IP: 104.207.254.25
From: Mr. Engin TOPTAS <procurement_company@europe.com>
Subject: Confirmation of samples
Attachment: bin 1.xls

FormBook payload URL:
https://a.uguu.se/qkuriw.jpg

Intelligence


File Origin
# of uploads :
1
# of downloads :
34
Origin country :
CH CH
Mail intelligence
No data
Vendor Threat Intelligence
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Detected FormBook malware
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2020-07-31 02:20:50 UTC
AV detection:
31 of 31 (100.00%)
Threat level
  5/5
Result
Malware family:
formbook
Score:
  10/10
Tags:
rat family:formbook
Behaviour
Formbook Payload
Formbook family
Threat name:
Eldorado
Score:
0.90

Yara Signatures


Rule name:Formbook
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe da4647425789cc5a32d2719815367c8c21d2279a77a3179e609e1db9844ef15a

(this sample)

Comments