MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 7



SHA256 hash: ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153
SHA3-384 hash: 208932c7acae0605af935866afb3e516be86ef54ca7e422b57b9f7d302f3ca4ce48b5c2123dc95ce4595063295b44610
SHA1 hash: d2a9d61f4e19f6a0a1b79463ac00e06f02c0e9db
MD5 hash: fb13e3dcc3c273bb12dcd78ad2dc6ab1
humanhash: quiet-lion-nine-steak
File name: specification pdf.exe
Download: download sample
Signature: FormBook
File size: 635'906 bytes
First seen: 2020-07-06 06:24:05 UTC
Last seen: 2020-07-06 06:38:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash d7a6667308868eb5622c328a0adcf08f (3 x FormBook, 1 x RemcosRAT, 1 x Loki)
ssdeep 12288:xyiFoineGN96o8EsM7/DQY8S0UuYzV9i0Lv6F:xDQGN91j7rt+UuYzVXLv6F
Threatray 5'111 similar samples on MalwareBazaar
TLSH 44D4AF61F2D24537C1671A3DCC5BA7B8A829BF512E2824475FE53D0C5F39382392AD93
Reporter abuse_ch
Tags:exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: server162.net218.intbildns.org
Sending IP: 185.126.218.162
From: donghanhviet@donghanhviet.com.vn
Reply-To: donghanhviet@donghanhviet.com.vn
Subject: Re: Noze of Disptach-- your order PBS-9660003 -- ISS Q7458-A-R0
Attachment: specification pdf.zip (contains "specification pdf.exe")
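The mail indicators abuse_ch lists above are the kind of thing a mail gateway or SOC triage script checks on every inbound message. The following is an added example, not abuse.ch or MalwareBazaar code: it screens mail metadata against the exact HELO, sending IP, sender and attachment hash from this entry, and goes one step beyond the page by also flagging the lure pattern itself (an executable named to look like a document, such as "specification pdf.exe", shipped inside an archive), so renamed variants of the same campaign are caught. The three mails at the bottom are constructed for the example; only the indicator values come from the page.

```python
"""Screen inbound mail metadata against the malspam indicators on this entry.

Added example (not abuse.ch / MalwareBazaar tooling). The Mail/Attachment
structures and the sample mails are constructed; the IOC values are copied
from the abuse_ch comment on the entry.
"""
import re
from dataclasses import dataclass, field

# Indicators quoted from the abuse_ch comment on this entry.
MALSPAM_IOCS = {
    "helo": {"server162.net218.intbildns.org"},
    "sending_ip": {"185.126.218.162"},
    "sender": {"donghanhviet@donghanhviet.com.vn"},
    "sha256": {"ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153"},
}

# Beyond the exact IOCs: the lure is an executable whose name ends in a
# document-like word ("specification pdf.exe"). These patterns catch renamed
# variants; the word list is an assumption, extend it for your environment.
EXECUTABLE = re.compile(r"\.(exe|scr|com|pif|cpl)$", re.IGNORECASE)
DOC_DISGUISE = re.compile(
    r"\b(pdf|doc|docx|xls|xlsx|invoice|order|po)[ _-]*\.(exe|scr|com|pif|cpl)$",
    re.IGNORECASE,
)


@dataclass
class Attachment:
    name: str
    sha256: str = ""                              # hex digest if already computed
    members: list = field(default_factory=list)   # file names inside an archive


@dataclass
class Mail:
    helo: str
    sending_ip: str
    sender: str
    reply_to: str
    subject: str
    attachments: list


def screen_mail(mail):
    """Return a list of (kind, field, value) hits; kind is 'ioc' or 'heuristic'."""
    hits = []
    if mail.helo.lower() in MALSPAM_IOCS["helo"]:
        hits.append(("ioc", "HELO", mail.helo))
    if mail.sending_ip in MALSPAM_IOCS["sending_ip"]:
        hits.append(("ioc", "sending_ip", mail.sending_ip))
    for header, value in (("From", mail.sender), ("Reply-To", mail.reply_to)):
        if value.lower() in MALSPAM_IOCS["sender"]:
            hits.append(("ioc", header, value))
    for att in mail.attachments:
        if att.sha256 and att.sha256.lower() in MALSPAM_IOCS["sha256"]:
            hits.append(("ioc", "sha256", att.sha256))
        # Check the attachment name and, for archives, every member name.
        for name in [att.name, *att.members]:
            if DOC_DISGUISE.search(name):
                hits.append(("heuristic", "document-disguised executable", name))
            elif EXECUTABLE.search(name):
                hits.append(("heuristic", "executable attachment", name))
    return hits


def verdict(hits):
    """Exact IOC match blocks; lure pattern alone is quarantined for review."""
    kinds = {kind for kind, _, _ in hits}
    if "ioc" in kinds:
        return "block"
    if "heuristic" in kinds:
        return "quarantine"
    return "deliver"


# Constructed sample mails. SUSPECT reproduces the metadata abuse_ch reported;
# LURE_ONLY is an invented look-alike with none of the exact indicators.
SUSPECT = Mail(
    helo="server162.net218.intbildns.org",
    sending_ip="185.126.218.162",
    sender="donghanhviet@donghanhviet.com.vn",
    reply_to="donghanhviet@donghanhviet.com.vn",
    subject="Re: Noze of Disptach-- your order PBS-9660003 -- ISS Q7458-A-R0",
    attachments=[Attachment("specification pdf.zip", members=["specification pdf.exe"])],
)
LURE_ONLY = Mail(
    helo="mx.example.org", sending_ip="198.51.100.7",
    sender="bob@example.org", reply_to="bob@example.org", subject="order",
    attachments=[Attachment("invoice.zip", members=["invoice doc.exe"])],
)
BENIGN = Mail(
    helo="mail.example.net", sending_ip="203.0.113.10",
    sender="alice@example.net", reply_to="alice@example.net", subject="Q3 report",
    attachments=[Attachment("report.docx")],
)

if __name__ == "__main__":
    for label, mail in (("SUSPECT", SUSPECT), ("LURE_ONLY", LURE_ONLY), ("BENIGN", BENIGN)):
        hits = screen_mail(mail)
        print(label, verdict(hits), hits)
```

The exact indicators are short-lived (the sender domain and the relay will change between waves), which is why the name heuristic sits alongside them: it keys on the delivery trick rather than on this one mailing.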

Intelligence


File Origin
# of uploads: 2
# of downloads: 2'730
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 243770
Sample: preslikavanje.exe
Startdate: 07/07/2020
Architecture: WINDOWS
Score: 100
Top-level signatures:
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Sigma detected: Steal Google chrome login data
  4 other signatures
Process tree:
  preslikavanje.exe (started)
    Network: googlehosted.l.googleusercontent.com 172.217.18.161:443 (local port 49725), GOOGLEUS, United States; doc-0k-8o-docs.googleusercontent.com
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process
    -> ieinstal.exe (started)
       Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
       -> explorer.exe (injected)
          Network: www.shycedu.com 156.242.159.206 (local ports 49730, 49731, 49732), POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles; www.wwwjinsha155.com; 2 other IPs or domains
          Signatures: System process connects to network (likely due to code injection or exploit)
          -> help.exe (started)
             Dropped: C:\Users\user\AppData\...\LKNlogrv.ini (data); C:\Users\user\AppData\...\LKNlogri.ini (data); C:\Users\user\AppData\...\LKNlogrf.ini (data)
             Signatures: Detected FormBook malware; Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
             -> cmd.exe (started)
                Dropped: C:\Users\user\AppData\Local\Temp\DB1 (SQLite)
                Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                -> conhost.exe (started)
          -> ieinstal.exe (started)
          -> ieinstal.exe (started)
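The chain in the graph above (dropper hollows ieinstal.exe, ieinstal.exe injects into the already-running explorer.exe, and explorer.exe then opens outbound connections and spawns help.exe and cmd.exe) is the detectable part: explorer.exe has no business talking to the internet seconds after receiving a remote thread from a non-system process. The following is an added example, not sandbox or MalwareBazaar code, showing that correlation over Sysmon-style events. The events are constructed to mirror the graph (PIDs, timestamps and the destination port are invented; the Sysmon field names are an assumption about your log format); the host names and IPs are the ones the graph shows.

```python
"""Correlate remote-thread injection into a system process with that process's
later network activity and child processes.

Added example, not part of the sandbox report or MalwareBazaar. Events are
constructed to mirror the behaviour graph; Sysmon-style field names
(EventID 8 CreateRemoteThread, 3 NetworkConnect, 1 ProcessCreate) are assumed.
"""
from datetime import datetime, timedelta

# Windows processes that are common injection targets and should not start
# connecting out, or spawning children, right after receiving a remote thread.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "winlogon.exe", "dllhost.exe"}
WINDOW = timedelta(minutes=10)   # how long after injection follow-up activity counts


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_injected_system_process(events):
    """Walk time-ordered events and return a list of alert dicts.

    EventID 8 records which PID was injected and by whom; an EventID 3 from, or
    an EventID 1 parented by, that PID within WINDOW raises an alert.
    """
    injected = {}   # target PID -> (injecting image, time of injection)
    alerts = []
    for ev in events:
        ts, eid = _ts(ev["UtcTime"]), ev["EventID"]
        if eid == 8:
            src, dst = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
            if dst in SYSTEM_IMAGES and src not in SYSTEM_IMAGES:
                injected[ev["TargetProcessId"]] = (src, ts)
        elif eid == 3:
            pid = ev["ProcessId"]
            if pid in injected and ts - injected[pid][1] <= WINDOW:
                alerts.append({
                    "rule": "injected system process connects to network",
                    "pid": pid, "image": _basename(ev["Image"]),
                    "injected_by": injected[pid][0],
                    "destination": f'{ev["DestinationHostname"]} ({ev["DestinationIp"]}:{ev["DestinationPort"]})',
                })
        elif eid == 1:
            ppid = ev["ParentProcessId"]
            if ppid in injected and ts - injected[ppid][1] <= WINDOW:
                alerts.append({
                    "rule": "injected system process spawned child",
                    "pid": ppid, "image": _basename(ev["ParentImage"]),
                    "injected_by": injected[ppid][0],
                    "child": _basename(ev["Image"]),
                })
    return alerts


# Constructed events mirroring the graph: sample -> ieinstal.exe -> explorer.exe
# -> help.exe, plus benign noise that must not alert (a browser connecting, and
# an explorer.exe that was never injected reaching a file share).
SAMPLE_EVENTS = [
    {"UtcTime": "2020-07-07 09:00:00", "EventID": 1, "ProcessId": 5100,
     "Image": r"C:\Program Files\Internet Explorer\ieinstal.exe",
     "ParentProcessId": 4312, "ParentImage": r"C:\Users\user\Desktop\preslikavanje.exe"},
    {"UtcTime": "2020-07-07 09:00:02", "EventID": 8, "SourceProcessId": 5100,
     "SourceImage": r"C:\Program Files\Internet Explorer\ieinstal.exe",
     "TargetProcessId": 3344, "TargetImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2020-07-07 09:00:05", "EventID": 3, "ProcessId": 3344,
     "Image": r"C:\Windows\explorer.exe", "DestinationIp": "156.242.159.206",
     "DestinationPort": 80, "DestinationHostname": "www.shycedu.com"},   # port invented
    {"UtcTime": "2020-07-07 09:00:06", "EventID": 1, "ProcessId": 6020,
     "Image": r"C:\Windows\System32\help.exe",
     "ParentProcessId": 3344, "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2020-07-07 09:00:07", "EventID": 3, "ProcessId": 2200,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "172.217.18.161", "DestinationPort": 443,
     "DestinationHostname": "googlehosted.l.googleusercontent.com"},
    {"UtcTime": "2020-07-07 09:00:08", "EventID": 3, "ProcessId": 7777,
     "Image": r"C:\Windows\explorer.exe", "DestinationIp": "10.0.0.5",
     "DestinationPort": 445, "DestinationHostname": "fileserver"},
]

if __name__ == "__main__":
    for alert in detect_injected_system_process(SAMPLE_EVENTS):
        print(alert)
```

Keying on the injection event rather than on the network destination is deliberate: the C2 domains in the graph rotate per build, while "explorer.exe received a remote thread and then went online" is the same for every sample in this family.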
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2020-07-05 23:51:01 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
FormBook
Executable exe ea757d5009b479c116f888667fe901ed1c2f5687d26cd611df29298c17529153 (this sample)

Delivery method: Distributed via e-mail attachment

Comments