MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3250b1ac9470b18b44d8c6591c22797a187c1aa02b364583eed5acb255f0328. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3250b1ac9470b18b44d8c6591c22797a187c1aa02b364583eed5acb255f0328
SHA3-384 hash: cb6dd23224bec7e383bd68145db77ebb2a80feef5f2d734e6f7d4418fdcde6262eeabe9873ce87834cd205ab636c6993
SHA1 hash: 159a9b6ab697f8c8e48594853b2fbc35cc5efb7d
MD5 hash: c1ea9581bc4c556d9d9ef2979d09bdff
humanhash: harry-whiskey-saturn-beer
File name:invoice (2).exe
Download: download sample
Signature FormBook
Create hunting rule
File size:399'872 bytes
First seen:2020-07-22 08:35:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:50XrG4n5QISI92GhNCr9/d/HPE95Og0/9Z2g/i37C7JnBI5RgJl57i:+XrG4SISI92iNog5zp3IBILgJL7i
Threatray 5'011 similar samples on MalwareBazaar
TLSH 6784BE11E7F447E9EBA847B9E422114097B9691E67EAE30D6F95F0DC0932B404723F2B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mboronin.pw
Sending IP: 104.168.204.63
From: David <lr@mboronin.pw>
Reply-To: roadtriip25@gmail.com
Subject: INVOICE
Attachment: invoice 2.gz (contains "invoice (2).exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30945/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.34213945.10497.6734.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394716
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249764 Sample: invoice (2).exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 55 www.attitudeandsassboutique.com 2->55 57 attitudeandsassboutique.com 2->57 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for dropped file 2->75 77 Antivirus / Scanner detection for submitted sample 2->77 79 8 other signatures 2->79 11 invoice (2).exe 3 2->11         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\invoice (2).exe.log, ASCII 11->51 dropped 95 Injects a PE file into a foreign processes 11->95 15 invoice (2).exe 11->15         started        signatures6 process7 signatures8 97 Modifies the context of a thread in another process (thread injection) 15->97 99 Maps a DLL or memory area into another process 15->99 101 Sample uses process hollowing technique 15->101 103 Queues an APC in another process (thread injection) 15->103 18 explorer.exe 1 6 15->18 injected process9 dnsIp10 59 www.sademetellus.com 74.208.236.218, 49721, 49722, 49723 ONEANDONE-ASBrauerstrasse48DE United States 18->59 61 backreads.com 34.102.136.180, 49720, 80 GOOGLEUS United States 18->61 63 3 other IPs or domains 18->63 43 C:\Users\user\AppData\...\epyxnhtwhb0wxi.exe, PE32 18->43 dropped 81 System process connects to network (likely due to code injection or exploit) 18->81 83 Benign windows process drops PE files 18->83 23 mstsc.exe 1 19 18->23         started        27 epyxnhtwhb0wxi.exe 3 18->27         started        29 WWAHost.exe 18->29         started        file11 signatures12 process13 file14 45 C:\Users\user\AppData\...\84-logrv.ini, data 23->45 dropped 47 C:\Users\user\AppData\...\84-logri.ini, data 23->47 dropped 49 C:\Users\user\AppData\...\84-logrf.ini, data 23->49 dropped 85 Detected FormBook malware 23->85 87 Tries to steal Mail credentials (via file access) 23->87 89 Tries to harvest and steal browser information (history, passwords, etc) 23->89 93 2 other signatures 23->93 31 cmd.exe 2 23->31         started        35 cmd.exe 1 23->35         started        37 epyxnhtwhb0wxi.exe 27->37         started        91 Tries to detect virtualization through RDTSC time measurements 29->91 signatures15 process16 file17 53 C:\Users\user\AppData\Local\Temp\DB1, SQLite 31->53 dropped 65 Tries to harvest and steal browser information (history, passwords, etc) 31->65 39 conhost.exe 31->39         started        41 conhost.exe 35->41         started        67 Modifies the context of a thread in another process (thread injection) 37->67 69 Maps a DLL or memory area into another process 37->69 71 Sample uses process hollowing technique 37->71 signatures18 process19
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f3250b1ac9470b18b44d8c6591c22797a187c1aa02b364583eed5acb255f0328/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 08:37:09 UTC
AV detection:
33 of 46 (71.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6msqwgwji4frrncnrrszdqrhs6qypqnkakzwiwb65vnmwjk7amua._file
Verdict:
malicious
Similar samples:
0b3026ef214d1740de18fa48e13d8c5bddf67737a33fc07eabe0281f88f2ff5d
FormBook
0c14de05af14835140799c2d9be3c80da30d7938fdcffc22edc9f6e0ec4b9994
FormBook
261d9ecea1cd1ff4247b59e2d8f2d8ba4484811be97c1cad06f236dadf494139
FormBook
3e74b741a68d703cb4546e9ba5478df630079762b2d3ae2d6adce1d77ab8e132
FormBook
474af782fd84f7b982a4c49deeaf3431aeadd1e52528dc7dd8e3bb29bde9c40f
FormBook
4883c17b319dd863b75676586e283a6065e70e3f99e4264b167030aa9fec05d8
FormBook
6769e022c41fa821b705a29415f8ffd4be0fc7dc2619ef595e436637f849c0cd
FormBook
7654e7f6d4c0f38e9f771bf4c6d002b6e816d169afcabee3f028081a25b25506
FormBook
77be23825e937be7c4e100dd70233848523702b85fe2c5e622aa383748ac8e8a
FormBook
c2496731ce3417b90e7720b614d98a3ab2e9d8100ed2c5bea05525d5730241aa
FormBook
+ 5'001 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan persistence stealer family:formbook
Link:
https://tria.ge/reports/200722-psl2sh4vn6/
Behaviour
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3250b1ac9470b18b44d8c6591c22797a187c1aa02b364583eed5acb255f0328

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

gz 958b3c96174efd2ab1335863e7a5cf0249493e8668d63bae5032b6920416e2c5

FormBook

Executable exe f3250b1ac9470b18b44d8c6591c22797a187c1aa02b364583eed5acb255f0328

(this sample)

  
Dropped by
MD5 2be28724421457c95d029d0eaa605ee8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30945/
  
Dropped by
SHA256 958b3c96174efd2ab1335863e7a5cf0249493e8668d63bae5032b6920416e2c5

Comments