MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1103b25b39f6c2515abfec5b89afdbefd2d60c03e9f831fa6f7cf890305bf21d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	1103b25b39f6c2515abfec5b89afdbefd2d60c03e9f831fa6f7cf890305bf21d
SHA3-384 hash:	11a60f7b2cdf24d8d8d06b1e972cd6bce42ac36590607dfd93d748b3603619993d6d89bfbc41a220748ff6e60d4b3e29
SHA1 hash:	3e9c2c2bf9738b0b679574d711795c9c626cf426
MD5 hash:	7cbc7308026c5b701ef18595b78afef3
humanhash:	oregon-equal-speaker-zulu
File name:	HS361 dt 26.10.20.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	467'968 bytes
First seen:	2020-10-26 14:09:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:MlzdTZ4rjNxG/i/OfFGr6s8D2Yaps76d/Y8eUmTpEYh13Gp7AL9X:MV/4rjvGiO9C6s8D2pps76aDTq69M76
Threatray	3'026 similar samples on MalwareBazaar
TLSH	04A4BFB27C92587ECA6F0775516981C0FAB617C73FA48B0D71AB430C0E15A2BEB5724B
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing Formbook:

HELO: jupiter.flywan.net
Sending IP: 179.50.4.12
From: G Joseph <support@qbasica.com>
Subject: FW: Freight Invoice - TRUE LOGISTICS [P] LTD
Attachment: HS361 dt 26.10.20.zip (contains "HS361 dt 26.10.20.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/79125/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader35.7661.13964.10915.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a file

Creating a process from a recently created file

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/511827

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Binary contains a suspicious time stamp

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/1103b25b39f6c2515abfec5b89afdbefd2d60c03e9f831fa6f7cf890305bf21d/

Threat name:

ByteCode-MSIL.Infostealer.Tepfer

Status:

Malicious

First seen:

2020-10-26 04:02:50 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ceb3ewzz63bfcwv75rnytl6357jnmdad5h4dd6tppt4jamc36ioq._file

Verdict:

malicious

Label(s):

formbook

Formbook

273e14710bfe15975737d9e213b6007a29cc795c993b6b121c745581ec1c4b96

Formbook

2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390

Formbook

87d8ef6a4c6bf661d7957a62b9e8e9ea6627f80227f9ea88502bf601b94a960e

Formbook

99c4f75948b26af511bfa055db8d18567a3d662107e35e91102b5576f02acb84

Formbook

a4d4e093896e53df94a4ffb14632be70329334ac705925a975fa499ac7ee0a89

Formbook

a7bed76e3e3a297b0dd90fc1ab64bd6799c3dba188934f995b1a210781657280

Formbook

b791ce91936d65f90d9ca761c1999ea8330b66d3c3aede92564395d4778b5955

Formbook

b7f9546fa9fb928d856b69a70174d693a84c641ad193e88e48c07cdb92751e03

Formbook

e30d5f240c8600e531832e61f6abddde973ba724b55e8c8bb455a151607b40a3

Formbook

+ 3'016 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat trojan spyware stealer family:formbook

Link:

https://tria.ge/reports/201026-1kv41nc9na/

Behaviour

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.jackiekibuka.com/crv/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator