MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16c13e9c3a49e89d047f1b589596d24bc332af9d28ea6235aedd930e00b51281. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16c13e9c3a49e89d047f1b589596d24bc332af9d28ea6235aedd930e00b51281
SHA3-384 hash: e6ef68eb74cc965acdc8f28fcc0404bdf4d2321c72eb0f198185eda845a851230a83c05c6e58a2fd132e66498d2fac01
SHA1 hash: d1d911710a427b0c13ea4ca9ebeceec950267597
MD5 hash: f5f99bf4a581180e9b7c0b2a0c31af27
humanhash: kitten-ohio-green-six
File name:SHIPPING_DOC_MV MAERSK HANGZHOU_V.698E_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:768'000 bytes
First seen:2020-07-21 07:45:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d8412990f74f880a4a63b66fdb523827 (11 x AgentTesla, 8 x Loki, 5 x FormBook)
ssdeep 12288:7ZnGUxq0RwFvcGHq8TxFsb4mOKKEzem/nfw0ff8YGNkL:FGuqtFvm8TxmZlzfffw037GNS
Threatray 5'328 similar samples on MalwareBazaar
TLSH 13F4AF26F2D00837C16B273F9C1B57A5A829BF5D292899472BF41CCC9F39741387A1A7
Reporter abuse_ch
Tags:exe FormBook Maersk


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.emsbd.com
Sending IP: 202.40.181.229
From: A.P. Moller - Maersk <kevin.chung@maersk.com>
Reply-To: kevin.chung@maersk.com
Subject: RE : RE : URGENT!!! 2 x 40ft - SHIPPING DOC BL,SI,INV#462345 // MV MAERSK HANGZHOU V.698E // CLGQOP181781 //
Attachment: SHIPPING_DOC_MV MAERSK HANGZHOU_V.698E_pdf.arj (contains "SHIPPING_DOC_MV MAERSK HANGZHOU_V.698E_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29845/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392814
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 248697 Sample: SHIPPING_DOC_MV MAERSK HANG... Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 60 www.adsars.com 2->60 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 10 other signatures 2->76 11 SHIPPING_DOC_MV MAERSK HANGZHOU_V.698E_pdf.exe 2->11         started        signatures3 process4 signatures5 92 Maps a DLL or memory area into another process 11->92 14 SHIPPING_DOC_MV MAERSK HANGZHOU_V.698E_pdf.exe 11->14         started        process6 signatures7 94 Modifies the context of a thread in another process (thread injection) 14->94 96 Maps a DLL or memory area into another process 14->96 98 Sample uses process hollowing technique 14->98 100 Queues an APC in another process (thread injection) 14->100 17 explorer.exe 1 6 14->17 injected process8 dnsIp9 54 www.popcornuniverse.net 199.34.228.159, 49722, 80 WEEBLYUS United States 17->54 56 www.matsubara-ladies-clinic.com 17->56 58 4 other IPs or domains 17->58 46 C:\Users\user\AppData\Local\...\ul1ktu.exe, PE32 17->46 dropped 78 System process connects to network (likely due to code injection or exploit) 17->78 80 Benign windows process drops PE files 17->80 22 svchost.exe 1 19 17->22         started        26 ul1ktu.exe 17->26         started        28 svchost.exe 17->28         started        30 autochk.exe 17->30         started        file10 signatures11 process12 file13 48 C:\Users\user\AppData\...\8Q9logrv.ini, data 22->48 dropped 50 C:\Users\user\AppData\...\8Q9logri.ini, data 22->50 dropped 52 C:\Users\user\AppData\...\8Q9logrf.ini, data 22->52 dropped 82 Detected FormBook malware 22->82 84 Tries to steal Mail credentials (via file access) 22->84 86 Tries to harvest and steal browser information (history, passwords, etc) 22->86 90 2 other signatures 22->90 32 cmd.exe 2 22->32         started        36 cmd.exe 1 22->36         started        88 Maps a DLL or memory area into another process 26->88 38 ul1ktu.exe 26->38         started        signatures14 process15 file16 44 C:\Users\user\AppData\Local\Temp\DB1, SQLite 32->44 dropped 62 Tries to harvest and steal browser information (history, passwords, etc) 32->62 40 conhost.exe 32->40         started        42 conhost.exe 36->42         started        64 Modifies the context of a thread in another process (thread injection) 38->64 66 Maps a DLL or memory area into another process 38->66 68 Sample uses process hollowing technique 38->68 signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16c13e9c3a49e89d047f1b589596d24bc332af9d28ea6235aedd930e00b51281/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 07:47:07 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c3at5hb2jhuj2bd7dnmjlfwsjpbtfl45fdvgenno3wjq4afvckaq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
08b47c6d183afb72f383ced4639ba73a03d9b36f06617585b3a3d28b69d1ce9f
FormBook
0a3c65874fe1eb6d20f08ff802ffa3cf7ec93cfe500f4440929cd5378a39e2c8
FormBook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
FormBook
5a0715de8860e50b6f80a1a1cd245d6133d6b3a15bfce756b46458efd8abd8ab
FormBook
5ea5c833b683610be48142f34c9f8c98ab8f987b9aee34f1e7ed6d1c8567075f
FormBook
8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2
FormBook
8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4
FormBook
eb638769c780ac51f18d725025755c04acb90936ef9601137bf9fcaab8b47626
FormBook
f374ef5b2acdbfd1d6b05763372c2b90e4075d1ea25ec9aaac6368bd06826d26
FormBook
f8257ea6068267793a12ae2a1dfd91384664bee14820c51fd8984031ad3047de
FormBook
+ 5'318 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
evasion trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200721-ax4ycfb91e/
Behaviour
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16c13e9c3a49e89d047f1b589596d24bc332af9d28ea6235aedd930e00b51281

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj ed54a7a6b41f76fbd259be636ad268c4637f4a95e2738b8cf8e7dcba4c38b2a9

FormBook

Executable exe 16c13e9c3a49e89d047f1b589596d24bc332af9d28ea6235aedd930e00b51281

(this sample)

  
Dropped by
MD5 c3ff380b54d246b4e49dd521613c422e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29845/
  
Dropped by
SHA256 ed54a7a6b41f76fbd259be636ad268c4637f4a95e2738b8cf8e7dcba4c38b2a9

Comments