MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaf38856854d7a07f62a61ae80205ca9561eb93449224f4903209ec397b9bd4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaf38856854d7a07f62a61ae80205ca9561eb93449224f4903209ec397b9bd4a
SHA3-384 hash: 2717edb539dc1899d6894e7a9b9714856233ac1d0c9c66059551124acfdb133671cecdd6241ebf6638a6113bc25c9332
SHA1 hash: bdfce1c4237d12d816ae0e881e1235fe2783d55e
MD5 hash: 570d23ae0474dcc86293237346c086c7
humanhash: king-fish-oscar-oregon
File name:GIC Malaysia (PV#2020-06-0184).pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:840'704 bytes
First seen:2020-06-25 09:22:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:YsO9O4Fnzn29zbIuSuTky9lLBqb9mEeFKmqIORFo:YsO9O4lnUQDMkyrLwMNFKmaRF
Threatray 5'199 similar samples on MalwareBazaar
TLSH FB05B1B0DA11494CF86D76B3A037CC7D46A76E346520B60E41ECBCB73BB225B981B54B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.beeinspire.com
Sending IP: 115.124.125.172
From: Veronica Yang <veronica.y@uibasia.com>
Subject: RE: Remittance of USD267,502.48 value date 26 Jun 2020 (PV#2020-06-0184)
Attachment: GIC Malaysia PV2020-06-0184.img (contains "GIC Malaysia (PV#2020-06-0184).pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14108/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.44022.26029.17820.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eaf38856854d7a07f62a61ae80205ca9561eb93449224f4903209ec397b9bd4a/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5lzyqvufjv5ap5rkmgxiaic4vflb5ojujere6sidecpmhf5zxvfa._file
Verdict:
malicious
Similar samples:
07d614e422ec5b2dbd4c0fbe9232bd0e06bc2e910bad7a6f8721eec2a2c608ae
FormBook
2e96f7a6b4dd1d5251af4962a9028aac90c2ceb282495018c2d879ebf583f9ea
FormBook
41519f4cbc28650e8151b62f9a6b9503274a80d6dc51bade4a118812742e63ab
FormBook
7446d879b612cbb16df459967a8b8e9149d2601fe6e62bcf1fe3f3a58ad7d771
FormBook
a14dc3eb54f3876b3a2bfc6e0aa105c832fc5424130c43248995cceda6790133
FormBook
a5d81b3d4d0df91d286ae0f3db7d166ecd013e8c53d1677be5b149edb9d15d42
FormBook
ae438370eda70ba48a763c526e61b068e16d11cbd00e9cb504d6f1eeb7442d22
FormBook
c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b
FormBook
dea5303370177b621cdd1fd497396ddaa9e94d3edd1407339f52f0dc85a67046
FormBook
f46ea866a034694bb34ddd4207ae960a5e43390ca9f9ad58daf4d14c42dbbc79
FormBook
+ 5'189 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200625-nzntrsaw9n/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

658a70856bd07677d093dd4b2e289767

FormBook

Executable exe eaf38856854d7a07f62a61ae80205ca9561eb93449224f4903209ec397b9bd4a

(this sample)

  
Dropped by
MD5 658a70856bd07677d093dd4b2e289767
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14108/

Comments