MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2
SHA3-384 hash: 60934b763ccb3a9c0f99541349733281b261c7cac49ef94a26afce8f7b77781cf2594129c74029160fe88253235090ec
SHA1 hash: d45a2f22186a3b494ef1237028b29eea72cc9cca
MD5 hash: 622dca0ee8175c9a20456d8892d35a80
humanhash: winter-queen-alaska-arizona
File name:Zbicswp.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'008'130 bytes
First seen:2020-07-18 08:51:05 UTC
Last seen:2020-07-18 10:23:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c40d33ed8fbf0d4750a33aed5bec8c1d (1 x AveMariaRAT, 1 x Formbook)
ssdeep 24576:AZGa8OZAhs7wXKmXa3/NoVlz5rtJHpFdvmPn:AZGhm4ZdEn
Threatray 5'140 similar samples on MalwareBazaar
TLSH A925AE33E2714436D2A3557E8C0B66E85827EE4C2858BC557AFE5E894F3C381786E0E7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: w2k12mx04.dc1.ca.ihglobaldns.com
Sending IP: 192.175.105.170
From: Cihan Insurance <s.entezari@chitotech.com>
Reply-To: s.entezari@chitotech.com
Subject: Re:PO/DOC 10940389RN
Attachment: Details.zip (contains "Zbicswp.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27673/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388628
Signature
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246483 Sample: Zbicswp.exe Startdate: 18/07/2020 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 6 other signatures 2->54 10 Zbicswp.exe 2->10         started        process3 dnsIp4 46 cdn.discordapp.com 162.159.135.233, 443, 49732 CLOUDFLARENETUS United States 10->46 64 Writes to foreign memory regions 10->64 66 Creates a thread in another existing process (thread injection) 10->66 68 Injects a PE file into a foreign processes 10->68 14 ieinstal.exe 10->14         started        signatures5 process6 signatures7 72 Modifies the context of a thread in another process (thread injection) 14->72 74 Maps a DLL or memory area into another process 14->74 76 Sample uses process hollowing technique 14->76 78 Queues an APC in another process (thread injection) 14->78 17 explorer.exe 3 14->17 injected process8 dnsIp9 42 www.marketbuilders.info 17->42 44 www.invalidlogingacc.com 17->44 20 svchost.exe 1 19 17->20         started        24 ieinstal.exe 17->24         started        26 ieinstal.exe 17->26         started        process10 file11 34 C:\Users\user\AppData\...\3K-logrv.ini, data 20->34 dropped 36 C:\Users\user\AppData\...\3K-logri.ini, data 20->36 dropped 38 C:\Users\user\AppData\...\3K-logrf.ini, data 20->38 dropped 56 Detected FormBook malware 20->56 58 Tries to steal Mail credentials (via file access) 20->58 60 Tries to harvest and steal browser information (history, passwords, etc) 20->60 62 3 other signatures 20->62 28 cmd.exe 2 20->28         started        signatures12 process13 file14 40 C:\Users\user\AppData\Local\Temp\DB1, SQLite 28->40 dropped 70 Tries to harvest and steal browser information (history, passwords, etc) 28->70 32 conhost.exe 28->32         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2/
Threat name:
Win32.Trojan.RemcosCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-07-18 08:53:05 UTC
AV detection:
37 of 48 (77.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6algt7yk6ta3r5hrlgc7v2kmgastp3mk77c3f7qbknczia3cddza._file
Verdict:
malicious
Similar samples:
0efa7703690d3fe9df70c81d7dea974aa710c7c55a76fd50e6a050bc76698d89
Formbook
1940c82d728454e9a43d2efc7dd0033fcbf58880b32d227830e54a43b885ca3c
Formbook
2680be0d6ab364c09e9ca33e93bc0dfa3de6906e014bdb4aafc77ea9caf76650
Formbook
2b8f048a61ef0fcd4a8d4f54cf1a22cf637883aae8b542f981ead6f043f02ffe
Formbook
426a7d5241a207054d695ea06f8133260c2684c5598420954f0fde91a03fe059
Formbook
5e2ceeaf0867b931ec61f6e4c6bd5403e237353eda4816509038fdec470b6ddb
Formbook
74d74e7da724014c17890327f3464b435314f480eb46553723ce0766941b38da
Formbook
8ce629f720939b40acc1e571be11a81967e80dd4deb2a2b2a140623d64ea008b
Formbook
97d8ae62cb751e857b04d9eaa68ee2acce3d7243009bdb04639a729cdfc7cbf3
Formbook
cf6bbd5a9224dcd52aa71c16288945611a3348ca9953f32fa92a4c481c307195
Formbook
+ 5'130 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware persistence
Link:
https://tria.ge/reports/200718-vfc4gl3ctx/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Script User-Agent
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds policy Run key to start application
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 640e51c25ad0bb091ba9acf6a48e821164ead86439a25be591e749979bb8710b

Formbook

Executable exe f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2

(this sample)

  
Dropped by
MD5 f50bd3c1e5120947fe1b12df62b5f491
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27673/
  
Dropped by
SHA256 640e51c25ad0bb091ba9acf6a48e821164ead86439a25be591e749979bb8710b

Comments