MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1df003f8242579db0d215e8b75e999a15021b4ff7b49b7d7d90a90fb8ca4e6a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1df003f8242579db0d215e8b75e999a15021b4ff7b49b7d7d90a90fb8ca4e6a1
SHA3-384 hash: 2fd33eaa7cd3aaf599dcd2d887759c86454578e10578a3ec98b2c3e099ff70bf973280d933cfc3f5e17c752facba07c7
SHA1 hash: 503fedb2330858a7f7ab52193f91872d98fd1f1a
MD5 hash: 0ca282e7e0f95c0c596f9d6dd3324984
humanhash: quebec-high-item-sweet
File name:D0ck7nuQyqLXPRQ.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:957'440 bytes
First seen:2020-10-23 06:55:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:4Tfx0LRsjQcbs7Z4viOBPNIl7GFb44MRZChSxyfKDjJYKdX1M8KPh:ce4gN4viAk7GFb44MRFxWKXJYKIZ
Threatray 2'641 similar samples on MalwareBazaar
TLSH 4A159C0162B4CB0EE27A17F3E4E405F54BBA2C69E52DE29B7CB27CD93532B405A51B13
Reporter abuse_ch
Tags:exe FormBook Yahoo


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: sonic309-21.consmr.mail.sg3.yahoo.com
Sending IP: 106.10.244.84
From: Angolan Semba <s.angolan@yahoo.com.sg>
Subject: : Fwd: Wire Transfer Payment
Attachment: HBSCB09.rar (contains "D0ck7nuQyqLXPRQ.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74945/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.41594.23457.16988.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507811
Signature
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303030 Sample: D0ck7nuQyqLXPRQ.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Sigma detected: Steal Google chrome login data 2->54 56 6 other signatures 2->56 10 D0ck7nuQyqLXPRQ.exe 6 2->10         started        process3 file4 36 C:\Users\user\AppData\Local\...\tmp8735.tmp, XML 10->36 dropped 38 C:\Users\user\AppData\Roaming\ZcsPKZT.exe, PE32 10->38 dropped 60 Tries to detect virtualization through RDTSC time measurements 10->60 62 Injects a PE file into a foreign processes 10->62 14 D0ck7nuQyqLXPRQ.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 D0ck7nuQyqLXPRQ.exe 10->19         started        signatures5 process6 signatures7 72 Modifies the context of a thread in another process (thread injection) 14->72 74 Maps a DLL or memory area into another process 14->74 76 Sample uses process hollowing technique 14->76 78 Queues an APC in another process (thread injection) 14->78 21 explorer.exe 14->21 injected 25 conhost.exe 17->25         started        process8 dnsIp9 44 camouflagedbeauty.com 66.235.200.147, 49742, 49743, 49744 CLOUDFLARENETUS United States 21->44 46 natroredirect.natrocdn.com 85.159.66.93, 49725, 49726, 49727 CIZGITR Turkey 21->46 48 6 other IPs or domains 21->48 58 System process connects to network (likely due to code injection or exploit) 21->58 27 netsh.exe 18 21->27         started        signatures10 process11 file12 40 C:\Users\user\AppData\...\K1Alogrv.ini, data 27->40 dropped 42 C:\Users\user\AppData\...\K1Alogri.ini, data 27->42 dropped 64 Detected FormBook malware 27->64 66 Tries to steal Mail credentials (via file access) 27->66 68 Tries to harvest and steal browser information (history, passwords, etc) 27->68 70 3 other signatures 27->70 31 cmd.exe 2 27->31         started        signatures13 process14 signatures15 80 Tries to harvest and steal browser information (history, passwords, etc) 31->80 34 conhost.exe 31->34         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1df003f8242579db0d215e8b75e999a15021b4ff7b49b7d7d90a90fb8ca4e6a1/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 05:16:35 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxyah6beev45wdjbl2fxl2mzuficdnh7pne3pv6zbkipxdfe42qq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2e1f23f4c8536a0f803f8d9f54e5d5c67a99aa2b0c44031d4ed743acd6003887
FormBook
3afb9252d528d667bbdf62a3e7a235615ad0814911ca4690505822cbda24c380
FormBook
46c3ab59682596a8e030fb0bad3d31c59e502f68b9f3c112309edd82d27513c3
FormBook
51fc4c13e2fa607113d821aaab2ba2e96d10097d69698ec3facc71b8b751e068
FormBook
7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e
FormBook
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
FormBook
ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196
FormBook
b7adf1bb5628fd6ec0905e0d3f32c20c39f401ce845f73e15ce867aca4a531fd
FormBook
d03792e976baeea6547686ff0fe4ced755f9bad76ee6e3ff3c5f4adf93cbb0f8
FormBook
fbe762c8c464730d016cd2ef76955fe726f74abd031cea612d6a08bce2383a3e
FormBook
+ 2'631 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/201023-lll7kkwzjx/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.trusted-inspections.com/k8b/
Unpacked files
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/efd1fb11-89a8-45e5-8164-34df1897fce6/
SH256 hash:
25d781e63bd76a520b194870355070e64d8deaddc49a140f2ebe5011084d3a99
MD5 hash:
073ea81619c48571ff4cdc8b5232752e
SHA1 hash:
42051aed31175b27afb211518838cdba4e9fa80d
Link:
https://www.unpac.me/results/efd1fb11-89a8-45e5-8164-34df1897fce6/
SH256 hash:
5a144f9e72d86bf7789929db2bb48481a8ce2d876da64d70c74a456658dc0b97
MD5 hash:
78d30848461d468119773c4c949b10b0
SHA1 hash:
91f23f2766aa75da9c6fb67e1dc437f87c2422a5
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/efd1fb11-89a8-45e5-8164-34df1897fce6/
Parent samples :
da111408d9dccb99b2c429d535ca55f6e970d911da4c24553e75d02fe9c00489
1d1a49643433922eecfd7e1a27fd7389c2837f2698d89226b07e387ebb27054c
07528f3c583c546d2b444b091c3ede380c6427ed0691b95294c7e32dd35560ab
d4014ac2689b47f11708425cad3d8aa02dd05ee6d6745006156dffbe0a27b4be
4ba0d07d32c048141100317f95bd6dd8b791ba9c6608730b8408530490a13922
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
db53a27c43dddb419e9d058e6288f3c1e7fc7e4bd62e3bb048e7103dcf79d682
f397c24f2c684fdcd51dc9954c641d013437a78e24a5cf8c8778196a66a60372
76e0bf03767dfd6316810d96d2404daf16397a0ef3b90daf96ad67bc461209a8
3efb5ed25276775c95cc60b4c8227a1401f5525d629148d393f5b85c25c565ec
1df003f8242579db0d215e8b75e999a15021b4ff7b49b7d7d90a90fb8ca4e6a1
SH256 hash:
1df003f8242579db0d215e8b75e999a15021b4ff7b49b7d7d90a90fb8ca4e6a1
MD5 hash:
0ca282e7e0f95c0c596f9d6dd3324984
SHA1 hash:
503fedb2330858a7f7ab52193f91872d98fd1f1a
Link:
https://www.unpac.me/results/efd1fb11-89a8-45e5-8164-34df1897fce6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 10edde564a5b4dd291e08506139903c719054f6596ca0544e3a24eb6fa57c617

FormBook

Executable exe 1df003f8242579db0d215e8b75e999a15021b4ff7b49b7d7d90a90fb8ca4e6a1

(this sample)

  
Dropped by
MD5 91f335a836da25628e7fdc6568b3020e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74945/
  
Dropped by
SHA256 10edde564a5b4dd291e08506139903c719054f6596ca0544e3a24eb6fa57c617

Comments