MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcc87c12c79a23f56317d6c64ec18a73bf66fac8aede9d29e538cf6c4497fd5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcc87c12c79a23f56317d6c64ec18a73bf66fac8aede9d29e538cf6c4497fd5e
SHA3-384 hash: fb0dcf68baad6949cae8d9bfe6fad2bcfe178a39e61ea7f76424cfe8889eb5fb4ae01eae9b1e2092731556a5717d6476
SHA1 hash: 3b4bbf4da21a53b79d0ee3ae22ae81bc61e74222
MD5 hash: 55b94d509067b4b941b21b17bb5a6770
humanhash: washington-batman-dakota-autumn
File name:Revised BL.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:264'704 bytes
First seen:2020-08-03 13:54:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:Xq9/e0ErtHEGfYZ8nmDr31LaGabP964he8LhjRuDi5z:Xq9mbrtkajQrtQbLheSjRV5
Threatray 4'543 similar samples on MalwareBazaar
TLSH ED44C06BF7D9C17DF7AE2274A97703A5436856453382EFA36788F40A7E033842E02756
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

From: info@robartinternational.nl
Subject: RE: Revised BL
Attachment: Revised BL.zip (contains "Revised BL.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37908/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
Creating a window
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408056
Signature
Benign windows process drops PE files
Detected FormBook malware
Drops PE files to the startup folder
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 256273 Sample: Revised BL.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 100 73 www.kingcash.money 2->73 75 www.cafecondani.com 2->75 77 ext-sq.squarespace.com 2->77 105 Malicious sample detected (through community Yara rule) 2->105 107 Yara detected FormBook 2->107 109 Machine Learning detection for sample 2->109 111 4 other signatures 2->111 11 Revised BL.exe 4 2->11         started        signatures3 process4 file5 67 C:\Users\user\s.exe, PE32 11->67 dropped 69 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 11->69 dropped 71 C:\Users\user\s.exe:Zone.Identifier, ASCII 11->71 dropped 129 Maps a DLL or memory area into another process 11->129 131 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->131 15 RegAsm.exe 11->15         started        18 Revised BL.exe 11->18         started        signatures6 process7 signatures8 133 Modifies the context of a thread in another process (thread injection) 15->133 135 Maps a DLL or memory area into another process 15->135 137 Sample uses process hollowing technique 15->137 139 2 other signatures 15->139 20 explorer.exe 3 6 15->20 injected 25 Revised BL.exe 18->25         started        27 RegAsm.exe 18->27         started        29 RegAsm.exe 18->29         started        31 3 other processes 18->31 process9 dnsIp10 79 netgrowthstrategies.com 198.54.126.34, 49743, 49744, 49745 NAMECHEAP-NETUS United States 20->79 81 www.digitalassets.network 217.26.60.118, 49746, 49747, 49748 HOSTPOINT-ASCH Switzerland 20->81 83 5 other IPs or domains 20->83 65 C:\Users\user\AppData\...\taskhoste6whsr5.exe, PE32 20->65 dropped 113 System process connects to network (likely due to code injection or exploit) 20->113 115 Benign windows process drops PE files 20->115 33 msiexec.exe 1 17 20->33         started        37 colorcpl.exe 20->37         started        39 netsh.exe 20->39         started        45 5 other processes 20->45 117 Maps a DLL or memory area into another process 25->117 41 Revised BL.exe 25->41         started        43 RegAsm.exe 25->43         started        119 Modifies the context of a thread in another process (thread injection) 27->119 121 Sample uses process hollowing technique 27->121 file11 signatures12 process13 file14 61 C:\Users\user\AppData\...\LL-logrv.ini, data 33->61 dropped 63 C:\Users\user\AppData\...\LL-logri.ini, data 33->63 dropped 91 Detected FormBook malware 33->91 93 Tries to steal Mail credentials (via file access) 33->93 95 Tries to harvest and steal browser information (history, passwords, etc) 33->95 47 cmd.exe 1 33->47         started        97 Tries to detect virtualization through RDTSC time measurements 37->97 99 Maps a DLL or memory area into another process 41->99 49 Revised BL.exe 41->49         started        52 RegAsm.exe 41->52         started        101 Modifies the context of a thread in another process (thread injection) 43->101 103 Sample uses process hollowing technique 43->103 54 conhost.exe 45->54         started        signatures15 process16 signatures17 56 conhost.exe 47->56         started        85 Maps a DLL or memory area into another process 49->85 58 RegAsm.exe 49->58         started        87 Modifies the context of a thread in another process (thread injection) 52->87 89 Sample uses process hollowing technique 52->89 process18 signatures19 123 Modifies the context of a thread in another process (thread injection) 58->123 125 Maps a DLL or memory area into another process 58->125 127 Sample uses process hollowing technique 58->127
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcc87c12c79a23f56317d6c64ec18a73bf66fac8aede9d29e538cf6c4497fd5e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 13:05:00 UTC
AV detection:
37 of 46 (80.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3tehyewhtir7kyyx23de5qmkoo7wn6wiv3pj2kpfhdhwyrex7vpa._file
Verdict:
malicious
Similar samples:
370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
978c093646d8ac97741d907d1737e285038f7c9d0ff6e44fcd7c6b39bcbe38fe
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
FormBook
c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
e6b120648d35809064107c751c61d73fd05aede9884be730c60dd4fe9a4ead0e
FormBook
+ 4'533 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200803-xr3lzm7pp6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Drops startup file
Adds policy Run key to start application
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcc87c12c79a23f56317d6c64ec18a73bf66fac8aede9d29e538cf6c4497fd5e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 925d6ad31280537a845ae3b41b7379eb6ad5a5a631a8430272439aad3699a5f0

FormBook

Executable exe dcc87c12c79a23f56317d6c64ec18a73bf66fac8aede9d29e538cf6c4497fd5e

(this sample)

  
Dropped by
MD5 9cdfa1d1b297448f6b1c64567976380b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37908/
  
Dropped by
SHA256 925d6ad31280537a845ae3b41b7379eb6ad5a5a631a8430272439aad3699a5f0

Comments