MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfb621588ae460ad55e4c5df59560023c7a87327c85f23b6fb9ee322c6488eec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfb621588ae460ad55e4c5df59560023c7a87327c85f23b6fb9ee322c6488eec
SHA3-384 hash: 06f8dbf124b51bc63a6677f39a8213739890461cbe7de56b79b551adf1d8c65c76f3aaa34447b463d87ad234f6457fdc
SHA1 hash: 26779f8b750e02de2757a438aae2888e7828db9b
MD5 hash: 0679f7b72bd236baf2532eb18adc2ffc
humanhash: princess-may-echo-fix
File name:ZHANG 2109374.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:585'728 bytes
First seen:2020-08-08 08:17:33 UTC
Last seen:2020-08-08 08:55:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ZwFKuDX5TAuvQSSVYWVBhL3vDt0aJiLSZd3grpiA35gkJQVSu6b:65cuQ7GW3hL3vDt0aJfAQA3v
Threatray 11'932 similar samples on MalwareBazaar
TLSH 4CC4BE98769DBB8DC0E6CEF505783C00962079975A2AF3472843126D4F1DBC5DA1BBE3
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: sonic307-2.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.134.41
From: wellam test-user <t_wellam2@yahoo.com>
Reply-To: t_wellam2@yahoo.com
Subject: HELLO
Attachment: ZHANG 2109374.rar (contains "ZHANG 2109374.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42108/
Detection(s):
SecuriteInfo.com.Variant.Bulz.33632.14857.14797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/415778
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 260138 Sample: ZHANG 2109374.exe Startdate: 08/08/2020 Architecture: WINDOWS Score: 100 40 www.skyiti.com 2->40 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 Yara detected AntiVM_3 2->52 54 8 other signatures 2->54 9 ZHANG 2109374.exe 7 2->9         started        signatures3 process4 file5 32 C:\Users\user\AppData\Roaming\kbCHzbxDs.exe, PE32 9->32 dropped 34 C:\Users\...\kbCHzbxDs.exe:Zone.Identifier, ASCII 9->34 dropped 36 C:\Users\user\AppData\Local\...\tmp6DC1.tmp, XML 9->36 dropped 38 C:\Users\user\...\ZHANG 2109374.exe.log, ASCII 9->38 dropped 66 Injects a PE file into a foreign processes 9->66 13 ZHANG 2109374.exe 9->13         started        16 schtasks.exe 1 9->16         started        signatures6 process7 signatures8 68 Modifies the context of a thread in another process (thread injection) 13->68 70 Maps a DLL or memory area into another process 13->70 72 Sample uses process hollowing technique 13->72 74 Queues an APC in another process (thread injection) 13->74 18 explorer.exe 13->18 injected 22 conhost.exe 16->22         started        process9 dnsIp10 42 foxwaterrecycling.com 91.197.231.121, 49745, 49750, 49751 GYRONGB United Kingdom 18->42 44 titleloanslevelland.com 66.198.240.50, 49739, 49740, 49741 A2HOSTINGUS United States 18->44 46 3 other IPs or domains 18->46 56 System process connects to network (likely due to code injection or exploit) 18->56 24 WWAHost.exe 17 18->24         started        signatures11 process12 file13 28 C:\Users\user\AppData\...\J79logrv.ini, data 24->28 dropped 30 C:\Users\user\AppData\...\J79logri.ini, data 24->30 dropped 58 Detected FormBook malware 24->58 60 Tries to steal Mail credentials (via file access) 24->60 62 Tries to harvest and steal browser information (history, passwords, etc) 24->62 64 3 other signatures 24->64 signatures14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfb621588ae460ad55e4c5df59560023c7a87327c85f23b6fb9ee322c6488eec/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-08 08:19:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=363ccwek4rqk2vpeyxpvsvqaepd2q4zhzbpshnx3t3rsfrsir3wa._file
Verdict:
malicious
Similar samples:
15ea783eaed5ea26907b2c782e5e201a56f2fe0a76005bb42a0b1ae72fe05c9f
FormBook
22366b7c6e51e58b855a91cc558885c438a34deaa588af13e0601586686e18f3
FormBook
884fbcf398a2c6a229040d209f39e5ca66bf5100f9707cccf0c6f5e3bd6ecb5a
FormBook
9bd3202d7f71a48a80d612198106d7180c0e0350a79c970863ec0cd19cc6b47a
FormBook
a9d16a92fb274086597cf2d55e5d856fda23d865e763e016f35b5eb1de7c95b6
FormBook
c37b5db790caaad96b2ae291910803a016cdae230b743bc2029a21ded85b9f03
FormBook
d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9
FormBook
d61447d5653bc8e81c91e487864e2ea56fe6700fa720e4b6b07040c9b50db868
FormBook
f1aa4ffcbf7f690cee6060e9167c395bffe594858bfcc2bdd772a0edf4a23721
FormBook
ffe68860d3d4320a2152bb2f3a636eb0f484f9f81a14b112c5f349b7c3d79f76
FormBook
+ 11'922 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook evasion
Link:
https://tria.ge/reports/200808-ll3kxsnsta/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfb621588ae460ad55e4c5df59560023c7a87327c85f23b6fb9ee322c6488eec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar f839e0698ba56e6cc35b48db7c13c5863256c6464cc94cec81e21892d6170934

FormBook

Executable exe dfb621588ae460ad55e4c5df59560023c7a87327c85f23b6fb9ee322c6488eec

(this sample)

  
Dropped by
MD5 800b7b43847d6e86168a16e3b36e0089
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42108/
  
Dropped by
SHA256 f839e0698ba56e6cc35b48db7c13c5863256c6464cc94cec81e21892d6170934

Comments