MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197
SHA3-384 hash: 0bf1b656f6c3f53e9d835b8f683d2b8277682dae9b062fd9317cfdb6a218fc6c3f30e22b722970987ca263df67a0f650
SHA1 hash: fbd95ede3e0c607774f29ac3e275e20274338f71
MD5 hash: 5619bf6aed56992a940e39c1902574ff
humanhash: fanta-item-harry-harry
File name:Procurement Agreement.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:564'736 bytes
First seen:2020-07-29 14:30:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:j8LqUvaGjb4NBbhTn7YINhb6z7qHaZbGtatp409K:YpvLf4VXLpo6adRpZE
Threatray 4'946 similar samples on MalwareBazaar
TLSH BDC4D069B690E916C2FE5134F2DC1618CEFDC592912FE3CD684197AB1BCA7B3D4012B2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.vsysad.com
Sending IP: 139.64.246.182
From: Sales SFG Bilbo <sales@percenna.com>
Subject: DSP Purchase Order No: PO-DSP-20-09736
Attachment: Procurement Agreement.zip (contains "Procurement Agreement.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34982/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/402730
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious names
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253704 Sample: Procurement Agreement.exe Startdate: 30/07/2020 Architecture: WINDOWS Score: 100 53 g.msn.com 2->53 55 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->55 63 Malicious sample detected (through community Yara rule) 2->63 65 Yara detected AntiVM_3 2->65 67 Yara detected FormBook 2->67 69 5 other signatures 2->69 11 Procurement Agreement.exe 3 2->11         started        signatures3 process4 signatures5 91 Injects a PE file into a foreign processes 11->91 14 Procurement Agreement.exe 11->14         started        process6 signatures7 93 Modifies the context of a thread in another process (thread injection) 14->93 95 Maps a DLL or memory area into another process 14->95 97 Sample uses process hollowing technique 14->97 99 Queues an APC in another process (thread injection) 14->99 17 explorer.exe 3 6 14->17 injected process8 dnsIp9 47 www.u-mio-paese.com 213.186.33.5, 49763, 49764, 49765 OVHFR France 17->47 49 www.funpexw.com 63.250.45.230, 49750, 80 NAMECHEAP-NETUS United States 17->49 51 www.indianfoodscenes.com 17->51 41 C:\Users\user\AppData\Local\...\updatendf.exe, PE32 17->41 dropped 71 System process connects to network (likely due to code injection or exploit) 17->71 73 Benign windows process drops PE files 17->73 22 ipconfig.exe 1 17 17->22         started        26 updatendf.exe 2 17->26         started        28 updatendf.exe 3 17->28         started        30 4 other processes 17->30 file10 signatures11 process12 file13 43 C:\Users\user\AppData\...\1-3logrv.ini, data 22->43 dropped 45 C:\Users\user\AppData\...\1-3logri.ini, data 22->45 dropped 75 Detected FormBook malware 22->75 77 Tries to steal Mail credentials (via file access) 22->77 79 Creates autostart registry keys with suspicious names 22->79 89 3 other signatures 22->89 32 cmd.exe 1 22->32         started        81 Injects a PE file into a foreign processes 26->81 34 updatendf.exe 26->34         started        37 updatendf.exe 28->37         started        83 Writes to foreign memory regions 30->83 85 Allocates memory in foreign processes 30->85 87 Tries to detect virtualization through RDTSC time measurements 30->87 signatures14 process15 signatures16 39 conhost.exe 32->39         started        57 Modifies the context of a thread in another process (thread injection) 37->57 59 Maps a DLL or memory area into another process 37->59 61 Sample uses process hollowing technique 37->61 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 14:31:06 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b77dulav3ucgtualkfjrntpqtlqonng3x77bayuxz57x2di3qglq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
FormBook
0340939b40b81755432476dda237847f41da01ef6f21558dc015c345144fee78
FormBook
035c2fa5d912202dd34e8410b14a42b0db007c2be8ed819bbc444f9818497f5b
FormBook
0cd37496a09d3516103a2ba627f8c4bc9ba2eb99b0618d719a3fa9d708b9862d
FormBook
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
FormBook
1ca8077766ec7d0dfa82b3bdbaf9ca5d3410ba194398534fa4d4276f5bbba9c8
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b
FormBook
8a1f8815b2d54f7171358001bec7be97d87660a29d8bce9d247da901b012f594
FormBook
f163f4788da0d445dec687df7d215b6af3c4bea10589fa268e6aff20ff335510
FormBook
+ 4'936 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200729-585stj54pj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 8bc47d513146ea22cbc57cf1654e5adbf2b80c17a75bc85d6cd1e7b7c389b2d6

FormBook

Executable exe 0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197

(this sample)

  
Dropped by
MD5 6f1f6727c40f68d315355dc76532adcc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8bc47d513146ea22cbc57cf1654e5adbf2b80c17a75bc85d6cd1e7b7c389b2d6
Cape
Cape
https://www.capesandbox.com/analysis/34982/

Comments