MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9fa0a06495f261c09ee9f5cd1f3e32ed8d05e6cc65ed223adb4bf6c02cc90dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9fa0a06495f261c09ee9f5cd1f3e32ed8d05e6cc65ed223adb4bf6c02cc90dd
SHA3-384 hash: b7476d6390bedab09b88adf3cefb89aa00ad168d718a1b4e10082942bb0ae1b0170d7e9711f2055805330c55aa13d172
SHA1 hash: f9e3f3c058d627275d04059ad305221c38f1bcf9
MD5 hash: b8c2e992eae9d82c4a03159e41783015
humanhash: cat-snake-georgia-floor
File name:Shipping Documents.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:463'872 bytes
First seen:2020-08-14 14:57:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:my0dP/E9Hu7isR06q0SEinxJh4VM4ZSXmsT/C3u5b4GxL4XUha/LF2YsPtUPGYhZ:mw/YGxLfMLF2NUvhgOwDVBG/i3Aq++
Threatray 2'279 similar samples on MalwareBazaar
TLSH 39A4BE3122D85F52E13EABBC5260111013F27925D737DE4EBEB642EA0D66BE1837371A
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.b-io.co
Sending IP: 156.96.59.30
From: ''Support''<supportvietnam@dhl.com>
Subject: Delivery Notification
Attachment: Shipping Documents.zip (contains "Shipping Documents.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46019/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.16509.26761.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/430150
Signature
.NET source code contains potential unpacker
Benign windows process drops PE files
Detected FormBook malware
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 267490 Sample: Shipping Documents.exe Startdate: 16/08/2020 Architecture: WINDOWS Score: 100 53 www.bestworldwatches.com 2->53 61 Malicious sample detected (through community Yara rule) 2->61 63 Sigma detected: Scheduled temp file as task from temp location 2->63 65 Yara detected AntiVM_3 2->65 67 10 other signatures 2->67 11 Shipping Documents.exe 7 2->11         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\bCiURHcXsl.exe, PE32 11->41 dropped 43 C:\Users\...\bCiURHcXsl.exe:Zone.Identifier, ASCII 11->43 dropped 45 C:\Users\user\AppData\Local\...\tmp22C4.tmp, XML 11->45 dropped 47 C:\Users\user\...\Shipping Documents.exe.log, ASCII 11->47 dropped 73 Injects a PE file into a foreign processes 11->73 15 Shipping Documents.exe 11->15         started        18 schtasks.exe 1 11->18         started        20 Shipping Documents.exe 11->20         started        signatures6 process7 signatures8 83 Modifies the context of a thread in another process (thread injection) 15->83 85 Maps a DLL or memory area into another process 15->85 87 Sample uses process hollowing technique 15->87 89 Queues an APC in another process (thread injection) 15->89 22 explorer.exe 1 6 15->22 injected 27 conhost.exe 18->27         started        process9 dnsIp10 55 www.maidonline.net 91.195.240.45, 49738, 80 SEDO-ASDE Germany 22->55 57 ext-cust.squarespace.com 198.185.159.145, 49739, 49740, 49741 SQUARESPACEUS United States 22->57 59 www.makethebreastpumpnotsuck.com 22->59 39 C:\Users\user\AppData\...\-zu83xl87nd0qpj.exe, PE32 22->39 dropped 69 System process connects to network (likely due to code injection or exploit) 22->69 71 Benign windows process drops PE files 22->71 29 explorer.exe 1 17 22->29         started        33 -zu83xl87nd0qpj.exe 3 22->33         started        file11 signatures12 process13 file14 49 C:\Users\user\AppData\...\JK6logrv.ini, data 29->49 dropped 51 C:\Users\user\AppData\...\JK6logri.ini, data 29->51 dropped 75 Detected FormBook malware 29->75 77 Tries to steal Mail credentials (via file access) 29->77 79 Tries to harvest and steal browser information (history, passwords, etc) 29->79 81 3 other signatures 29->81 35 cmd.exe 1 29->35         started        signatures15 process16 process17 37 conhost.exe 35->37         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f9fa0a06495f261c09ee9f5cd1f3e32ed8d05e6cc65ed223adb4bf6c02cc90dd/
Threat name:
ByteCode-MSIL.Trojan.LokiSteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 14:58:14 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7h5aubsjl4tbycpot5ond47df3mnaxtmyzpnei5nws7wyawmsdoq._file
Verdict:
malicious
Similar samples:
090c34db70dec6ff92806425a51c8d1c562eb12146a145e3a272e103200be32b
Formbook
1aa7a26dc92fbd8b4bb9ddd986a7160525ed218434d15d7bfc13e8b4dc5a7275
Formbook
2bccd7c0c084c310cc99b76682f6747baebaec683536a1ec3a8210b55daa327a
Formbook
375426a8a107b6dffc4876f9aa54782cee5f767dba75fee84084490deb399b46
Formbook
41efc16c24de6ee0b2ef7532958b5413796c18c87729b7c6114e371ab24e5bd0
Formbook
6ef9a4ba3c11768927a6c30605c75cfcb534d7fc013aaf429c51d83bf06750e7
Formbook
85f9c52380c96ddf3aa66361640a6a6232a182d5d4437de8a3585fa0d216ebc4
Formbook
894460163492923a4a19c16f1b31698bbfe8431fea36d3bef84c031f30069c4f
Formbook
bc7d100965bf9a04f7df2820725b9d3c23621f272b3cface8f78d0142d187493
Formbook
dd73e7c8d4f3014acf00b5e917cb126e4a25389d30c77549c67d9a20858baad0
Formbook
+ 2'269 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200814-99c4927zbn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mansiobok3.info/xwqs/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9fa0a06495f261c09ee9f5cd1f3e32ed8d05e6cc65ed223adb4bf6c02cc90dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 07271d551f02128d6849685d605c90be0e5ecfecba72246366cccef83a3df627

Formbook

Executable exe f9fa0a06495f261c09ee9f5cd1f3e32ed8d05e6cc65ed223adb4bf6c02cc90dd

(this sample)

  
Dropped by
MD5 691f68567112073228b7dd8e866bbce1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46019/
  
Dropped by
SHA256 07271d551f02128d6849685d605c90be0e5ecfecba72246366cccef83a3df627

Comments