MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea6bf70c8d6a8518f7429d86a52199a64476182e00c033cfba597a0ce7a09352. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea6bf70c8d6a8518f7429d86a52199a64476182e00c033cfba597a0ce7a09352
SHA3-384 hash: 777162c5ced79bcf9140a710ce59c4a711226c293960e9bfb572c2e095078a4c8d73d28222840943f8196ea352fe1f98
SHA1 hash: ad695da24c39e93f48eaf5163d50c6dcdb0fd8b9
MD5 hash: 338956b2ec1b68073bb89020b0ce9bbd
humanhash: ack-beryllium-east-beer
File name:uuzz.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:479'232 bytes
First seen:2020-07-22 06:02:13 UTC
Last seen:2020-07-22 07:14:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:fMHzD1pY8qSyRw6TB4FumwYCL241qGftrWzxglwb8lFSZwZuMUg9UBV:826FNtCL33tazxrZeOV
Threatray 5'196 similar samples on MalwareBazaar
TLSH 48A47B10E7F88AD9E3BA17BDE460404087B4B50AA7EAE75D1B91F4ED1822750CB13F67
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30731/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.60237.17009.4753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394320
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249536 Sample: uuzz.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 43 www.rjhvac.com 2->43 45 rjhvac.com 2->45 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected FormBook 2->53 55 Modifies the prolog of user mode functions (user mode inline hooks) 2->55 11 uuzz.exe 5 2->11         started        signatures3 process4 file5 35 C:\Users\user\AppData\Local\...\uuzz.exe.log, ASCII 11->35 dropped 14 RegSvcs.exe 11->14         started        process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 2 other signatures 14->71 17 explorer.exe 14->17 injected process8 dnsIp9 37 cascosps4.com 216.246.112.153, 49717, 80 SERVERCENTRALUS United States 17->37 39 www.vdfmi.info 17->39 41 2 other IPs or domains 17->41 47 System process connects to network (likely due to code injection or exploit) 17->47 21 cscript.exe 1 18 17->21         started        signatures10 process11 file12 29 C:\Users\user\AppData\...\277logrv.ini, data 21->29 dropped 31 C:\Users\user\AppData\...\277logri.ini, data 21->31 dropped 33 C:\Users\user\AppData\...\277logrf.ini, data 21->33 dropped 57 Detected FormBook malware 21->57 59 Tries to steal Mail credentials (via file access) 21->59 61 Tries to harvest and steal browser information (history, passwords, etc) 21->61 63 3 other signatures 21->63 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea6bf70c8d6a8518f7429d86a52199a64476182e00c033cfba597a0ce7a09352/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 06:04:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jv7odennkcrr52ctwdkkimzuzchmgboadadht52lf5azz5asnja._file
Verdict:
malicious
Similar samples:
0707523c23666b0535673287616ea82b34e810594ddf19c45a0746d1bd697070
FormBook
0725fa234dd7f9bdcbcd0eef96c79017200f5c27676e4126a00c6d33e6601a5a
FormBook
37299afa1d46a1aa02b7b06a39d41d876f454047527e406e7cbcb659833de728
FormBook
38ac4538725c959e9c2b280e4838ed511a2d4d4339a2be5ba91fe1fb5ec76545
FormBook
3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270
FormBook
8114e5e30720952dbf0515a5f3801c7c0ef51844758e25b100b768a29c01155a
FormBook
a4cfc3715bff5df4b930adfd46eda975666cafebd5e538910680f44d105170a3
FormBook
bef21badc9c82be3a2446c61d67213addd54b665d17c4b75b64ec8d9558034f5
FormBook
c3aa64f063330b257fdd6f3d0dd8479b3a4877140b771b4ccf3cae4e10ffe4e9
FormBook
f626ac44e4d6711e2b2a128fbde9bebf2a8b7c66d7161376993d3252c16dd083
FormBook
+ 5'186 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200722-q2gf8fs612/
Behaviour
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea6bf70c8d6a8518f7429d86a52199a64476182e00c033cfba597a0ce7a09352

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/30731/
  
URLhaus
https://urlhaus.abuse.ch/url/417675/

Comments