MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



FormBook


Vendor detections: 8



SHA256 hash: 1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a
SHA3-384 hash: afde83295f5abb256461f087888124084775e44751feb32d5842c188e58314f7bb49bc2759581273b01bda3688d7baeb
SHA1 hash: 027ce3b08fe9c0c47114d6711fb26551eba96a72
MD5 hash: b659d359a6fafaf7954c78199552852e
humanhash: two-harry-leopard-blue
File name: RV OFFER REF 571 - REF. INQUIRY NP17836.exe
Signature: FormBook
File size: 740'864 bytes
First seen: 2020-07-20 09:29:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:Duc81q9I6/kldSCF3/86K+/YpJ6zFJpXZDyaod+ik4g8y3SoD:Duc8OM/8l+/2JW/JW2rEloD
Threatray: 5'034 similar samples on MalwareBazaar
TLSH: 51F4E0C89AA05404C6ED2FF59E62DAB54334BD09F5F2D30F1BC4A89B393A7A3D454392
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: 700rdns3.websouls.net
Sending IP: 116.202.49.147
From: SYED TALHA <sales@npiuae.com>
Reply-To: info@npiuae.com
Subject: RV: OFFER REF: 571 - REF.: INQUIRY NP17836
Attachment: RV OFFER REF 571 - REF. INQUIRY NP17836.zip (contains "RV OFFER REF 571 - REF. INQUIRY NP17836.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 88
Origin country: n/a

Vendor Threat Intelligence
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Behaviour
Behavior Graph:
Behavior Graph ID: 247989
Sample: RV OFFER REF 571 - REF. INQUIRY NP17836.exe
Start date: 20/07/2020
Architecture: WINDOWS
Score: 96

Sample-level signatures:
    Malicious sample detected (through community Yara rule)
    Multi AV Scanner detection for submitted file
    Yara detected FormBook
    3 other signatures

Process tree:
RV OFFER REF 571 - REF. INQUIRY NP17836.exe (started)
    dropped file: RV OFFER REF 571 -...IRY NP17836.exe.log, ASCII
    signature: Injects a PE file into a foreign processes
    -> RV OFFER REF 571 - REF. INQUIRY NP17836.exe (second instance, started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> explorer.exe (injected)
            DNS/IP: www.theophileblog.com; www.prodigynebula.win; 2 other IPs or domains
            -> rundll32.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                -> cmd.exe (started)
                    -> conhost.exe (started)
Threat name: ByteCode-MSIL.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-20 07:59:42 UTC
AV detection: 38 of 48 (79.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe 1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a (this sample)

Delivery method: Distributed via e-mail attachment

Comments