MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb6567e1510a2fbe48c640daf96b0301df0e969b09d3bbd8cd2093e91963efb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb6567e1510a2fbe48c640daf96b0301df0e969b09d3bbd8cd2093e91963efb1
SHA3-384 hash: 0ec605b2dbea87b0deec1ec16669e7a84bde06b113e30c655f1a2656872d5f20002f820c3046cf28d36984a2f045e7fc
SHA1 hash: 99671915c1e4a6316242e06dcb1398d4152d57fc
MD5 hash: 5e2a18631c1939da9714b50ad9b7d714
humanhash: seven-mars-ink-princess
File name:Order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:465'920 bytes
First seen:2020-07-09 18:27:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:bzwQU+Hg8Tk3nk0jskko0kkTmZjJU+Hg8Tk3nk0jskko0kkTmZj4BJVHbbvtIQ7a:7UB5JUB54BTlI0cQy
Threatray 5'325 similar samples on MalwareBazaar
TLSH 1CA4CEFE3254576BC82AB175846AC23643713C17A440E2467ACDFF8B34F3FA7412669A
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: slot0.strusasu.com
Sending IP: 45.95.169.147
From: Mhd. Faisal Alnus<Ralf.Heidecke@allsta.com>
Reply-To: sales36.foodchem@yandex.com
Subject: AW:AW: Profoma
Attachment: Invoice39993003993.rar (contains "Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24058/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb6567e1510a2fbe48c640daf96b0301df0e969b09d3bbd8cd2093e91963efb1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 18:29:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nswpykrbix34sggidnps2ydahpq5fu3bhj3xwgnecj6sgld56yq._file
Verdict:
malicious
Similar samples:
263462d86535967bddee75eed15d3e069942b2bc839102bc5afd4b4ea69ab9bf
FormBook
3de57656bc920af6ada5c995391e33546524ec7acd4e9182364dfcaf84b3b8a3
FormBook
4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966
FormBook
48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901
FormBook
4b4c8b74b632893033dfa8d4099db76155f6941ab5a63ba7c5a680168ad73b1b
FormBook
8255284fa792c767fd2464364f12f297fa92a38383d2303d7cf9dcb8b74bdfa5
FormBook
931de7a667086f50575388e97d16c318682f63c8ba9d044aa006abc6e26f2862
FormBook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
FormBook
c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60
FormBook
f0a859474803c2ba7687f71bdc33ed9296ef1a18920d6c3fb425fc30ae266826
FormBook
+ 5'315 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200709-rd9yfpjp5s/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar b3cf2b45788bcb78ef7d3842eb1879c79d9d08f13e9317bb3003e07fbe3b2d32

FormBook

Executable exe eb6567e1510a2fbe48c640daf96b0301df0e969b09d3bbd8cd2093e91963efb1

(this sample)

  
Dropped by
MD5 5d52ac790f3cfcce5a0f932953b1c5cb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24058/
  
Dropped by
SHA256 b3cf2b45788bcb78ef7d3842eb1879c79d9d08f13e9317bb3003e07fbe3b2d32

Comments