MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6b120648d35809064107c751c61d73fd05aede9884be730c60dd4fe9a4ead0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6b120648d35809064107c751c61d73fd05aede9884be730c60dd4fe9a4ead0e
SHA3-384 hash: 55ac69820449b79e1c05f45e6f35701df90a4d5614379d79998a1eb35fb483d506f73a2fa8f3255eb2a5cf74a379dfc1
SHA1 hash: 94870526b249acfe3f381387ba0f089c3598424a
MD5 hash: 8a749626808c84035d23f56f95e8c2b8
humanhash: robin-uranus-nevada-music
File name:Advance TT.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:260'608 bytes
First seen:2020-07-30 08:07:27 UTC
Last seen:2020-07-30 11:17:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 3072:sJzKw8m26jLnoef2eM8dIXzukV0zqIqjQfoyesDoPXh96H+PC609W2CpCd+glUYs:a8IoxeMyISkscWGXmeKrW2CpiNUPP3
Threatray 5'007 similar samples on MalwareBazaar
TLSH 6344E0080F68573EE3D717B3BE23237A0B7992963221EACC858535E9ED1839C90D5F56
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

From: info@swt-tools.de
Subject: RE: Advance TT
Attachment: Advance TT.zip (contains "Advance TT.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35404/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Creating a window
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/403366
Signature
Benign windows process drops PE files
Detected FormBook malware
Drops PE files to the startup folder
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253914 Sample: Advance TT.exe Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 64 g.msn.com 2->64 72 Malicious sample detected (through community Yara rule) 2->72 74 Yara detected FormBook 2->74 76 Machine Learning detection for sample 2->76 78 4 other signatures 2->78 11 Advance TT.exe 3 2->11         started        signatures3 process4 file5 54 C:\Users\user\s.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 11->56 dropped 58 C:\Users\user\s.exe:Zone.Identifier, ASCII 11->58 dropped 90 Maps a DLL or memory area into another process 11->90 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->92 15 RegAsm.exe 11->15         started        18 Advance TT.exe 11->18         started        signatures6 process7 signatures8 116 Modifies the context of a thread in another process (thread injection) 15->116 118 Maps a DLL or memory area into another process 15->118 120 Sample uses process hollowing technique 15->120 122 2 other signatures 15->122 20 explorer.exe 4 6 15->20 injected 25 Advance TT.exe 18->25         started        27 RegAsm.exe 18->27         started        process9 dnsIp10 66 www.tokaminerale.com 20->66 68 www.jinshavip74.com 20->68 70 2 other IPs or domains 20->70 52 C:\Users\user\AppData\Local\...\q0f4aybft.exe, PE32 20->52 dropped 80 System process connects to network (likely due to code injection or exploit) 20->80 82 Benign windows process drops PE files 20->82 29 explorer.exe 20->29         started        33 NETSTAT.EXE 20->33         started        35 cmd.exe 20->35         started        37 NETSTAT.EXE 20->37         started        84 Maps a DLL or memory area into another process 25->84 39 Advance TT.exe 25->39         started        41 RegAsm.exe 25->41         started        43 RegAsm.exe 25->43         started        86 Modifies the context of a thread in another process (thread injection) 27->86 88 Sample uses process hollowing technique 27->88 file11 signatures12 process13 file14 60 C:\Users\user\AppData\...\0PRlogrv.ini, data 29->60 dropped 62 C:\Users\user\AppData\...\0PRlogri.ini, data 29->62 dropped 102 Detected FormBook malware 29->102 104 Tries to steal Mail credentials (via file access) 29->104 106 Tries to harvest and steal browser information (history, passwords, etc) 29->106 45 cmd.exe 29->45         started        108 Tries to detect virtualization through RDTSC time measurements 33->108 110 Maps a DLL or memory area into another process 39->110 48 RegAsm.exe 39->48         started        112 Modifies the context of a thread in another process (thread injection) 41->112 114 Sample uses process hollowing technique 41->114 signatures15 process16 signatures17 94 Tries to detect virtualization through RDTSC time measurements 45->94 50 conhost.exe 45->50         started        96 Modifies the context of a thread in another process (thread injection) 48->96 98 Maps a DLL or memory area into another process 48->98 100 Sample uses process hollowing technique 48->100 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6b120648d35809064107c751c61d73fd05aede9884be730c60dd4fe9a4ead0e/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 08:09:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=42ysazengwajazaqpr2ryyoxh7ifv3pjrbf6omggbxkp5gsovuha._file
Verdict:
malicious
Similar samples:
370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
FormBook
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
978c093646d8ac97741d907d1737e285038f7c9d0ff6e44fcd7c6b39bcbe38fe
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
FormBook
c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b
FormBook
dcc87c12c79a23f56317d6c64ec18a73bf66fac8aede9d29e538cf6c4497fd5e
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
+ 4'997 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200730-6a9ehq53ve/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Gathers network information
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Reads user/profile data of web browsers
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6b120648d35809064107c751c61d73fd05aede9884be730c60dd4fe9a4ead0e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 877df31644a31293d6046a85562fba4298e69598f862c38db8f2c68ca75bf783

FormBook

Executable exe e6b120648d35809064107c751c61d73fd05aede9884be730c60dd4fe9a4ead0e

(this sample)

  
Dropped by
MD5 911ce26eb8199974cd4fa3c1f0ca07ad
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35404/
  
Dropped by
SHA256 877df31644a31293d6046a85562fba4298e69598f862c38db8f2c68ca75bf783

Comments