MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed3e93996b60fbaeb82c59f62dc3dcee809b229748ad7772829a8f738e307cbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed3e93996b60fbaeb82c59f62dc3dcee809b229748ad7772829a8f738e307cbd
SHA3-384 hash: 1e6f017acb6480ad7ed64f52f485b6084ae10d747b0bf42d69a46d5febef8b4995e2a6368674f49a2d30b681821cbc8c
SHA1 hash: 4b50390ca5a29ba13f72978bb91de02c43f3b8b3
MD5 hash: ee3eced471840bfc6d2e4648540421ad
humanhash: may-uniform-foxtrot-nine
File name:INV20201607PO0093.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:481'280 bytes
First seen:2020-07-16 10:39:54 UTC
Last seen:2020-07-16 12:08:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:olJPth2k4zUlVHvM8Yr/WVFDR7ZkHf4lzi3rA+nO8z:4J1N1vLVkAl
Threatray 4'851 similar samples on MalwareBazaar
TLSH F0A47BDC3510719EC85F8C768964DC30AA202C66F7FBE20663C36E9F793D596DE052A2
Reporter abuse_ch
Tags:COVID-19 exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: vps.salvus.co.id
Sending IP: 103.247.11.44
From: Samuel Karow <info@meritideas.com>
Reply-To: info@dennisbearman.com
Subject: Re: COVID -19 Urgent Order Request
Attachment: INV20201607PO0093.img (contains "INV20201607PO0093.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26694/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.16953.24442.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389563
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 246970 Sample: INV20201607PO0093.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 30 www.rbrbrasil.com 2->30 38 Multi AV Scanner detection for domain / URL 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 4 other signatures 2->44 11 INV20201607PO0093.exe 1 2->11         started        signatures3 process4 file5 28 C:\Users\user\...\INV20201607PO0093.exe.log, ASCII 11->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 11->52 15 INV20201607PO0093.exe 11->15         started        signatures6 process7 signatures8 54 Modifies the context of a thread in another process (thread injection) 15->54 56 Maps a DLL or memory area into another process 15->56 58 Sample uses process hollowing technique 15->58 60 Queues an APC in another process (thread injection) 15->60 18 explorer.exe 15->18 injected process9 dnsIp10 32 www.skrydz.ink 18->32 34 www.pc1l.com 18->34 36 www.ehomeinspirez.com 18->36 21 NETSTAT.EXE 18->21         started        process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ed3e93996b60fbaeb82c59f62dc3dcee809b229748ad7772829a8f738e307cbd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 10:41:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5u7jhgllmd525obmlh3c3q6452ajwiuxjcwxo4uctkhxhdrqps6q._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
14bbd0cd681c1501f814ac5e7a4dc9b627bf410990edc77cf10ada83cd106d94
FormBook
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
FormBook
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
FormBook
bc05e8f15eaccce53aa6946738f82b2c7f66cb876a2c20c5a77ab3eb2e900d77
FormBook
c3aa64f063330b257fdd6f3d0dd8479b3a4877140b771b4ccf3cae4e10ffe4e9
FormBook
cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d
FormBook
+ 4'841 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200716-amk8xmf5ej/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img d1d1862256177598bc2d10a2f6a694726204066eb6ad7f827cc59eef105e21e8

FormBook

Executable exe ed3e93996b60fbaeb82c59f62dc3dcee809b229748ad7772829a8f738e307cbd

(this sample)

  
Dropped by
MD5 beb5ec46be280dabfe0b6a4034ebfb73
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d1d1862256177598bc2d10a2f6a694726204066eb6ad7f827cc59eef105e21e8
Cape
Cape
https://www.capesandbox.com/analysis/26694/

Comments