MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4ca965db7cfd5944b5d6902f391f91f7c3994973955f2af97a91ec146977cc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4ca965db7cfd5944b5d6902f391f91f7c3994973955f2af97a91ec146977cc4
SHA3-384 hash: d802bccde8baf6a0645cea0126aa94fe287048a7d2d1228e0df7761ebd04d7082b021247335b0ca5b7f0983fd1f8bc09
SHA1 hash: bf31d7905e28e9ab32348471bb7a497d82c6aff7
MD5 hash: 0f594997983db981f447a2ee5d640129
humanhash: social-wolfram-lemon-mexico
File name:MFC PROJECT DETAILS.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:415'744 bytes
First seen:2020-06-30 06:30:31 UTC
Last seen:2020-06-30 07:45:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:zjSyXYeYVOQF6aoNyYW7jVqYmbhC/H8d:tXlY14vj40YmQ/8
Threatray 2'237 similar samples on MalwareBazaar
TLSH 5C94AE5637F88954D33FAF79BBA2420AC271E117ED8AE70D0C0DE5EA5863750990339B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: no-reverse-dns-configured.com
Sending IP: 94.102.50.162
From: "Kyung Jae, Kim" <info@lnpglobalcoorp.com>
Reply-To: groupreservation47@inbox.ru
Subject: RFQ For MFC Project PO (Purchase Order) Project materials, machinery and equipment
Attachment: MFC PROJECT DETAILS.img (contains "MFC PROJECT DETAILS.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/16824/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43411751.29282.3821.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f4ca965db7cfd5944b5d6902f391f91f7c3994973955f2af97a91ec146977cc4/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 00:49:46 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tfjmxnxz7kzis25nebphepzd56dtfexhfk7fl4xvepmcruxptca._file
Verdict:
malicious
Similar samples:
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
FormBook
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
FormBook
5f657de9b0eaeb9eabf6d18a202f7b8c7daafd71d03387366069fe9ebd5f282a
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60
FormBook
cfc1cfcb5119cb196b34e5905578d55e2afd871f2b93f820637e6386168892c5
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
FormBook
f0013d1d682b7ffb99c5eb489d740a9832cdb4137ca18836a1a87c28726edc23
FormBook
+ 2'227 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence evasion
Link:
https://tria.ge/reports/200630-bfjep8vhg6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Enumerates system info in registry
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 85cf4a99f4fbc2b9903b6f0a5c63063c06860f171cdb599894c09fdbf8d36e66

FormBook

Executable exe f4ca965db7cfd5944b5d6902f391f91f7c3994973955f2af97a91ec146977cc4

(this sample)

  
Dropped by
MD5 93f7735a8e5f5fca495f4492d2c02c2b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 85cf4a99f4fbc2b9903b6f0a5c63063c06860f171cdb599894c09fdbf8d36e66
Cape
Cape
https://www.capesandbox.com/analysis/16824/

Comments