MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcb0ebc1f45c4de45babb921e77c6f9d3e62c9071fd5713f6ecc064f6784fe6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcb0ebc1f45c4de45babb921e77c6f9d3e62c9071fd5713f6ecc064f6784fe6e
SHA3-384 hash: 4ed7dd94969d481873a86523eff6f302508e98cd14b96d8a539736e3a5b100ed905cb25c8ec76185bdefbf1453472c91
SHA1 hash: ca5d945fcff7f3adb5949cb0f8d0253b9a7c7db6
MD5 hash: ee365648caca5627d93dba1bc292b33a
humanhash: five-alabama-black-neptune
File name:aps.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:458'649 bytes
First seen:2020-07-29 05:44:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:pPCganN74fDTlAjf57A42sRkjK+Q91fi1cb5NGejQXYr+fN7C0tU+OnwpG:nanZse9AQy+Nzb5gpY6Rq+NpG
Threatray 5'541 similar samples on MalwareBazaar
TLSH D6A4236F130CF8BBD11544F2296AA32E7F90E5048296224F4B8F354A37DFA5E492F785
Reporter oppimaniac
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34169/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401253
Signature
Benign windows process drops PE files
Creates autostart registry keys with suspicious names
Detected FormBook malware
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252860 Sample: aps.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 62 www.bobsvideos.net 2->62 64 g.msn.com 2->64 66 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->66 78 Malicious sample detected (through community Yara rule) 2->78 80 Multi AV Scanner detection for dropped file 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 2 other signatures 2->84 12 aps.exe 71 2->12         started        15 wuapihost.exe 2->15         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\SkateJockstrap.dll, PE32 12->50 dropped 52 C:\Users\user\AppData\Roaming\...\editbin.exe, PE32+ 12->52 dropped 54 C:\Users\user\...\MicrosoftVisualStudioUI.dll, PE32 12->54 dropped 56 15 other files (none is malicious) 12->56 dropped 17 rundll32.exe 12->17         started        process6 signatures7 72 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->72 74 Hijacks the control flow in another process 17->74 76 Maps a DLL or memory area into another process 17->76 20 cmd.exe 17->20         started        process8 signatures9 86 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->86 88 Modifies the context of a thread in another process (thread injection) 20->88 90 Maps a DLL or memory area into another process 20->90 92 3 other signatures 20->92 23 explorer.exe 2 6 20->23 injected process10 dnsIp11 68 www.bulicafe.com 104.24.124.63, 49737, 49738, 49739 CLOUDFLARENETUS United States 23->68 70 www.soensan.com 172.67.136.118, 49736, 80 CLOUDFLARENETUS United States 23->70 48 C:\Users\user\AppData\...\4hvhubm8p3du.exe, PE32 23->48 dropped 94 System process connects to network (likely due to code injection or exploit) 23->94 96 Benign windows process drops PE files 23->96 98 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 23->98 28 cscript.exe 1 17 23->28         started        32 4hvhubm8p3du.exe 1 23->32         started        34 4hvhubm8p3du.exe 1 23->34         started        36 4hvhubm8p3du.exe 1 23->36         started        file12 signatures13 process14 file15 58 C:\Users\user\AppData\...\-MRlogrv.ini, data 28->58 dropped 60 C:\Users\user\AppData\...\-MRlogri.ini, data 28->60 dropped 100 Detected FormBook malware 28->100 102 Tries to steal Mail credentials (via file access) 28->102 104 Creates autostart registry keys with suspicious names 28->104 106 4 other signatures 28->106 38 cmd.exe 1 28->38         started        40 conhost.exe 32->40         started        42 conhost.exe 34->42         started        44 conhost.exe 36->44         started        signatures16 process17 process18 46 conhost.exe 38->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcb0ebc1f45c4de45babb921e77c6f9d3e62c9071fd5713f6ecc064f6784fe6e/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 05:46:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3syoxqpulrg6iw5lxeq6o7dptu7gfsihd7kxcp3ozqde6z4e7zxa._file
Verdict:
malicious
Similar samples:
1789be535367afa0097be7d9ef6c90523df01d10e40b712ed0ead826b46e99e1
FormBook
35581eb6b7b958bfd5a21f192571f5adeeac39295de4ce29bc16bbb57480ae80
FormBook
50e217d5fb7b641b16f5a7f04d830f60e35720c81ae8010981c4c096751a6268
FormBook
70d577aba943b783ec606abcfa912bf97c9fd4f22d5e46ff1d718d350a8e4fcc
FormBook
9b330bb1491b230182ada7cd439a91edbf552bae7494a2ce6ebf55726660b086
FormBook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
FormBook
a86e34d719bb89e503654d8820335b0bc9e742c609353915a5634d89876f88d6
FormBook
b3349406861e76bfb84f4757a646c3fe94eb5e1cd27abeeffa48aabb6c8fa4d5
FormBook
dc9313eb1e94d26aae9ad9f8e5310589092b1a29f0436017417c3ad3e4f42e0d
FormBook
df914069e95c673b5d02b806aba18f932a8f1b745cfd98fcba0189c030dfaec0
FormBook
+ 5'531 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200729-wwjj2pmp3j/
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcb0ebc1f45c4de45babb921e77c6f9d3e62c9071fd5713f6ecc064f6784fe6e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FormBook

Executable exe dcb0ebc1f45c4de45babb921e77c6f9d3e62c9071fd5713f6ecc064f6784fe6e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/34169/
  
URLhaus
https://urlhaus.abuse.ch/url/421251/
  
Delivery method
Distributed via web download

Comments