MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e510326528933cca881fd142e4840c5256a25384310c77ab7dc9f38e390430c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	1e510326528933cca881fd142e4840c5256a25384310c77ab7dc9f38e390430c
SHA3-384 hash:	a60c659e391bdc5957ea3ea07d01104ab9aaa144c1939cf2810e0132c2a987f5d2f1cc7a41d89a5e0a6328a7c906c774
SHA1 hash:	9603c027a258663411c0c0176a7436599172727d
MD5 hash:	0c64040a76d1a087ed9d2359ca08e199
humanhash:	foxtrot-cat-romeo-virginia
File name:	1104.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	399'872 bytes
First seen:	2020-11-05 09:16:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:J9VylRX31UfeikdmLu/gV0JHwNdZQxBnNXh7T9DPGbb:wcfeiVS/g66mNXh7T9
Threatray	4'458 similar samples on MalwareBazaar
TLSH	3E848E7A7996582ECAAE0776016540C2FAB617C73F61CB0D719E830C0E25B6FB753287
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing Formbook:

HELO: spfilter-2.sew01.mschosting.com
Sending IP: 110.4.42.27
From: Jun Thian <jun.thian@tanenghong.com>
Reply-To: jun.thian@tanenghong.com
Subject: BANK IN COPY
Attachment: 1104.zip (contains "1104.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/83137/

Detection(s):

PUA.Win.Packer.Medvedev-6482674-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/521135

Signature

.NET source code contains very large array initializations

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e510326528933cca881fd142e4840c5256a25384310c77ab7dc9f38e390430c/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-11-04 22:33:04 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dziqgjssrez4zkeb7ukc4scayuswujjyimimo6vx3sptry4qimga._file

Verdict:

malicious

Label(s):

formbook

Formbook

273e14710bfe15975737d9e213b6007a29cc795c993b6b121c745581ec1c4b96

Formbook

3864dd603fd4616753b80ec6146bccaac77ee9ec7590d088d121dc15db1dc98a

Formbook

6b2888cc6f4f233acad6a7548e72cfcce28ab97931c987cf8c1243a39b44aa34

Formbook

73c740cf8efc312c3fed42aceee4f4513b8ce620aaf31793676f8de2810fdadb

Formbook

83a00cced5b83593db2ff0ce7f23937ba5b836b28969c1a0d481a6e9fbea5f53

Formbook

a4d4e093896e53df94a4ffb14632be70329334ac705925a975fa499ac7ee0a89

Formbook

a6fd278a82dad870444a8d93e3c05accdfaef779460c2f3777d9ef2441620a41

Formbook

e812ca08bf2f1a1ea83facfaab349a8fa9d9fd88607d2b61a81423bb3f992175

Formbook

f24849d70670b5448e96f02fe8bc12328bee2922be60f70ec8121531778f0d05

Formbook

+ 4'448 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201105-glcmmllch2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.crazyenergyguy.com/dmr/

Unpacked files

SH256 hash:

1e510326528933cca881fd142e4840c5256a25384310c77ab7dc9f38e390430c

MD5 hash:

0c64040a76d1a087ed9d2359ca08e199

SHA1 hash:

9603c027a258663411c0c0176a7436599172727d

Link:

https://www.unpac.me/results/3d78bf3a-7e12-4a56-abd9-49b91ea30d04/

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/3d78bf3a-7e12-4a56-abd9-49b91ea30d04/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/3d78bf3a-7e12-4a56-abd9-49b91ea30d04/

SH256 hash:

45cebff66bfc33e7c397fdc3a540791717ad2021d21549f4daa6eadd40ad4015

MD5 hash:

044de68d712fa2c2283a057eb20e9622

SHA1 hash:

853c7b7553539e0cce3c337b221d0726a7879b5d

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/3d78bf3a-7e12-4a56-abd9-49b91ea30d04/

Parent samples :

a6fd278a82dad870444a8d93e3c05accdfaef779460c2f3777d9ef2441620a41
4323dbb489f82a5a4906fbc6e0dc37a6589dc7b073f2fa0a569b7d3409314e15
0982a348bad7e99222ac6ec6c6dc2c113eb8adff8785bd1f371c5bc90b0025b3
73c740cf8efc312c3fed42aceee4f4513b8ce620aaf31793676f8de2810fdadb
b791ce91936d65f90d9ca761c1999ea8330b66d3c3aede92564395d4778b5955
273e14710bfe15975737d9e213b6007a29cc795c993b6b121c745581ec1c4b96
540254a20d7d4aec2508a9db7e1fdb484ebc5bcec6ff72c919b17b5f0dbabdd7
a4d4e093896e53df94a4ffb14632be70329334ac705925a975fa499ac7ee0a89
e812ca08bf2f1a1ea83facfaab349a8fa9d9fd88607d2b61a81423bb3f992175
1c8686106ff3eebb3b99082e117bf8b3bcf5a54b733c2a5eb8ede2b89ee7c4fb
3864dd603fd4616753b80ec6146bccaac77ee9ec7590d088d121dc15db1dc98a
83a00cced5b83593db2ff0ce7f23937ba5b836b28969c1a0d481a6e9fbea5f53
f24849d70670b5448e96f02fe8bc12328bee2922be60f70ec8121531778f0d05
1e510326528933cca881fd142e4840c5256a25384310c77ab7dc9f38e390430c

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c29f5aa1f28f48caeef6ab951367436e

Formbook

exe 1e510326528933cca881fd142e4840c5256a25384310c77ab7dc9f38e390430c

(this sample)

Dropped by

MD5 c29f5aa1f28f48caeef6ab951367436e

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/83137/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample