MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07d25d248e939d11d9b876a411858dc7b6c3e110e8ab0d9a0095792c3a8b2058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07d25d248e939d11d9b876a411858dc7b6c3e110e8ab0d9a0095792c3a8b2058
SHA3-384 hash: f8508585acf18cb1f5035514aa81de141127f22b231cd19a07f64c425db8212a0edc48166e7f18b49e95d96f614a3195
SHA1 hash: d455fcd0b48c6b5490e82f9dd94714ccbd98e59e
MD5 hash: 587603de12486aca450ff862f1f76f1f
humanhash: eleven-july-friend-arkansas
File name:10043811.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:571'904 bytes
First seen:2020-08-06 06:43:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144://LaKZxD5L2HpkndMV60Qc2cHLy5F2r4JeuiGlgfowCWNs1DyBHwkpInE0iwRp2v:/GANeUjcoK42LQLwqyBHjpq2v
Threatray 5'240 similar samples on MalwareBazaar
TLSH 4AC4482461351A9BC7FC80B44F0C76544AE386B51A9FF7C5ECB32885F2926B06B2DC5B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.jerand.xyz
Sending IP: 138.68.15.186
From: Bilal Iqbali<office@jerand.xyz>
Subject: Inquiry from Ghalibmiddleeast
Attachment: 31-14MGT-40.7z (contains "10043811.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/40180/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412297
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 258399 Sample: 10043811.exe Startdate: 06/08/2020 Architecture: WINDOWS Score: 100 31 www.wiringplusllc.com 2->31 33 www.revistaartesanato.net 2->33 35 5 other IPs or domains 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Yara detected AntiVM_3 2->47 49 3 other signatures 2->49 11 10043811.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\10043811.exe.log, ASCII 11->29 dropped 61 Tries to detect virtualization through RDTSC time measurements 11->61 63 Injects a PE file into a foreign processes 11->63 15 10043811.exe 11->15         started        signatures6 process7 signatures8 65 Modifies the context of a thread in another process (thread injection) 15->65 67 Maps a DLL or memory area into another process 15->67 69 Sample uses process hollowing technique 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 1 15->18 injected process9 dnsIp10 37 www.ciphergain.com 217.160.0.82, 49738, 49739, 80 ONEANDONE-ASBrauerstrasse48DE Germany 18->37 39 www.mage-cart.info 63.250.45.175, 49736, 49737, 80 NAMECHEAP-NETUS United States 18->39 41 15 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 WWAHost.exe 1 12 18->22         started        signatures11 process12 signatures13 53 Tries to steal Mail credentials (via file access) 22->53 55 Tries to harvest and steal browser information (history, passwords, etc) 22->55 57 Modifies the context of a thread in another process (thread injection) 22->57 59 2 other signatures 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/07d25d248e939d11d9b876a411858dc7b6c3e110e8ab0d9a0095792c3a8b2058/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 03:24:42 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7jf2jeosoordwnyo2sbdbmny63mhyiq5cvq3gqasv4syoulebma._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0e1253abec933b14f592f8ab6fcfaeba8fb3b9d24f9ef2a7021345d2fc738b3f
Formbook
370293d95666a952ba140489c797e3c7d82a92cb400e360f7743075aee04ca10
Formbook
375426a8a107b6dffc4876f9aa54782cee5f767dba75fee84084490deb399b46
Formbook
510b24a8ddcc1a99925f07d8ec0b56489930147a95810b787291b3396bd54a7c
Formbook
7b1284dfea512883123452d9bd0ed61ab9af5ee56382664aada1914a42944e60
Formbook
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
Formbook
9963cb9f95312d222c99fac596b5bf02d81ace63ebde79c37e2312d3e2ecd32f
Formbook
b2d8df96514495cb6b3fe66a6d61e70b8b6e92426910db93f7ae521be4fd2762
Formbook
bffc9c0c74952c439ca980be37a1f1e21c182b13c992f1a345a541413bfea91a
Formbook
d4224f6f5b734de53a5a7e5f5675b05f9a808deb058e64d00859146f8255594c
Formbook
+ 5'230 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware evasion trojan persistence stealer family:formbook
Link:
https://tria.ge/reports/200806-r14bjq9bmj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07d25d248e939d11d9b876a411858dc7b6c3e110e8ab0d9a0095792c3a8b2058

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 7ed048e306531304c869c64b1e57b4b8034faefcda8e19c0120eabe403d4c3cb

Formbook

Executable exe 07d25d248e939d11d9b876a411858dc7b6c3e110e8ab0d9a0095792c3a8b2058

(this sample)

  
Dropped by
MD5 5a486b2c674b33a6aac8f4fc3044faa9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40180/
  
Dropped by
SHA256 7ed048e306531304c869c64b1e57b4b8034faefcda8e19c0120eabe403d4c3cb

Comments