MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143
SHA3-384 hash: 917cdca776f9b3e4e9b2621e96aefce5f7f165756b987847e3b01085b418376a15fa516cb6d8295f05cc3bdd05c3868b
SHA1 hash: 239bd766672d4e7ff10d0c1f158ac37c6e61f5d7
MD5 hash: e2aa8d03cacc704881b2ffe07eda4ffb
humanhash: echo-spring-charlie-pizza
File name:AHM 3182026.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'036'288 bytes
First seen:2020-11-11 14:01:42 UTC
Last seen:2020-11-12 06:17:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:vgkVwGXmxXkgQIExWIp4IRefKBb8JTtzXjlVnS9Wjy7ABeZEPh:M1UWXuezJTtnlVvyEMZmh
Threatray 2'919 similar samples on MalwareBazaar
TLSH 16256A60778C5F8BE52942BA40909818B3FADE03AF27D5187C5D396EC2B1F11F91EE52
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.4868.19548.26479.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching cmd.exe command interpreter
Result
Gathering data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/531658
Signature
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 314932 Sample: AHM 3182026.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 41 www.sieuthionline270.com 2->41 43 www.bcoltee.com 2->43 45 bcoltee.com 2->45 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Sigma detected: Steal Google chrome login data 2->61 63 5 other signatures 2->63 11 AHM 3182026.exe 3 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\AHM 3182026.exe.log, ASCII 11->37 dropped 75 Injects a PE file into a foreign processes 11->75 15 AHM 3182026.exe 11->15         started        signatures6 process7 signatures8 79 Modifies the context of a thread in another process (thread injection) 15->79 81 Maps a DLL or memory area into another process 15->81 83 Sample uses process hollowing technique 15->83 85 Queues an APC in another process (thread injection) 15->85 18 explorer.exe 15->18 injected process9 dnsIp10 47 www.bunda7.com 154.93.103.172, 49753, 49754, 49755 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 18->47 49 www.tuiliyi.com.w.kunluncan.com 117.25.156.166, 80 CHINATELECOM-FUJIAN-XIAMEN-IDC1XiamenCN China 18->49 51 www.tuiliyi.com 18->51 65 System process connects to network (likely due to code injection or exploit) 18->65 22 wlanext.exe 18 18->22         started        signatures11 process12 dnsIp13 53 www.tuiliyi.com.w.kunluncan.com 22->53 55 www.tuiliyi.com 22->55 33 C:\Users\user\AppData\...\-L-logrv.ini, data 22->33 dropped 35 C:\Users\user\AppData\...\-L-logri.ini, data 22->35 dropped 67 Detected FormBook malware 22->67 69 Tries to steal Mail credentials (via file access) 22->69 71 Tries to harvest and steal browser information (history, passwords, etc) 22->71 73 3 other signatures 22->73 27 cmd.exe 2 22->27         started        file14 signatures15 process16 file17 39 C:\Users\user\AppData\Local\Temp\DB1, SQLite 27->39 dropped 77 Tries to harvest and steal browser information (history, passwords, etc) 27->77 31 conhost.exe 27->31         started        signatures18 process19
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 09:31:41 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgukiilob6k7trfnpwbrqwm2t2ixsgdh4o3vpmlov2ns6hryufbq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
2829f8bf819c13d753f3c6b33726df8c46a533f3040b550a86ca0ab34f967e92
FormBook
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
FormBook
45cf51569314dac91762e5c1f112c4a640595239d553729f10613f9f59403e84
FormBook
74ee80ac61ce369a23feac3296a825873aa257282d5dd0f9c35c385e3d6766cf
FormBook
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
FormBook
911fec402f3bb42d731c4e177c322c0df8d79f680e5a18f538a3ff2e3086c2bf
FormBook
a50fdfd2a59cafe23cd41227b465d44b6d00e2b14f707798d60d2637ff78ef25
FormBook
a9a6a44f3eca95cc7785debebea767461798f27978628c58a06474005b8855c8
FormBook
e5a94739fb1f6d7a06f6b9eb529037c9ab0d59be424d4b99c63651360d7ded3f
FormBook
ef0d4bf082291155c82f86ebda948f3fafed56b2d167463f6b59a1a964e7ccfb
FormBook
+ 2'909 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201111-482l8c93yn/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.libertraxengineering.com/rte/
Unpacked files
SH256 hash:
19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143
MD5 hash:
e2aa8d03cacc704881b2ffe07eda4ffb
SHA1 hash:
239bd766672d4e7ff10d0c1f158ac37c6e61f5d7
Link:
https://www.unpac.me/results/56e6a6ff-378f-422d-a93b-216be3078741/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/56e6a6ff-378f-422d-a93b-216be3078741/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/56e6a6ff-378f-422d-a93b-216be3078741/
SH256 hash:
d8b8f41701c0a31cb4439ef4c3d2a99c90e19b02173491e08e8b02e5b91ed609
MD5 hash:
0f5d91d6e3a029eac1adfedb8738f9ec
SHA1 hash:
596816295c52f3991e354773f0f2db81c15faf49
Link:
https://www.unpac.me/results/56e6a6ff-378f-422d-a93b-216be3078741/
SH256 hash:
d0784f3d068eb5e3a0ba4249c56b5384dbc999f9b87c57c3b00200e06f2ddfce
MD5 hash:
89210b1fe5ca4b41db8c9561bd42e3b3
SHA1 hash:
67ed61dc804ac97b7925ffd7f63ef28fec45928d
Link:
https://www.unpac.me/results/56e6a6ff-378f-422d-a93b-216be3078741/
SH256 hash:
d9441785516cf74e6f3c86fa0cecf56b0b69cc361516da974be9cb01f1921df2
MD5 hash:
0345ee3daa51cfc4444366c0e1e1ace7
SHA1 hash:
71f1d93c996ba65f162e963ef7da68ea3221459a
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/56e6a6ff-378f-422d-a93b-216be3078741/
Parent samples :
ef0d4bf082291155c82f86ebda948f3fafed56b2d167463f6b59a1a964e7ccfb
19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143
bf149d9178e1dfee8846b6c29664fd04e8b079121706b208dc9389f3ce1d36ac
fd65de40662072e139fcfab07423a32a918e5cd51c42544681835e7fb5f835a6
ef84b1824587f465b36bafcbfbe6a14953e6de0a9420904662ba207984782c80
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

1e6e998fd9a62b39ea28940b685e769f10513139feb4ff99584e762ceca8c6d4

FormBook

Executable exe 19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143

(this sample)

  
Dropped by
MD5 8bf0c591f0ec83117bf1816db7b5dcb9
  
Dropped by
SHA256 1e6e998fd9a62b39ea28940b685e769f10513139feb4ff99584e762ceca8c6d4
  
Dropped by
FormBook
  
Delivery method
Distributed via e-mail attachment

Comments