MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 257fe8630f5b3736b3da175be649ba233fbcadf9c8f01697b8ce0bc433df450b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 257fe8630f5b3736b3da175be649ba233fbcadf9c8f01697b8ce0bc433df450b
SHA3-384 hash: 80de50908139a11b2a0b0095840a155b439a3f82c3891b2a8b78266c5e1447ea832e8a5c175c236143a317949cce0845
SHA1 hash: 28379cf09c70a11fa804ca8d6c2e66115a1a7676
MD5 hash: 0400e44818387b895db6e52b64df14bd
humanhash: mars-beer-jupiter-bulldog
File name:ReversedDocuments2020_pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:362'280 bytes
First seen:2020-07-29 06:23:49 UTC
Last seen:2020-07-29 06:40:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c6f91e34afac37893c47a6ef2c9bc117 (1 x FormBook)
ssdeep 6144:bbKm3KWYpfymzCW0TV9y944rSRId5/Onkux5Xn9x8sHw:bbKO5YJvzCy44+RSWHv9xFQ
Threatray 5'275 similar samples on MalwareBazaar
TLSH F174F103B5CCC870E05B623AD969EE629D3EFE2681F24167A6D0729DF9703814877357
Reporter jarumlus
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34210/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Creating a window
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401296
Signature
Benign windows process drops PE files
Detected FormBook malware
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252873 Sample: ReversedDocuments2020_pdf.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 38 cdn.onenote.net 2->38 40 g.msn.com 2->40 42 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->42 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 7 other signatures 2->60 10 ReversedDocuments2020_pdf.exe 2->10         started        13 wuapihost.exe 2->13         started        signatures3 process4 signatures5 76 Modifies the context of a thread in another process (thread injection) 10->76 78 Maps a DLL or memory area into another process 10->78 80 Sample uses process hollowing technique 10->80 82 2 other signatures 10->82 15 explorer.exe 4 6 10->15 injected process6 dnsIp7 44 www.smartcoche.com 91.195.241.136, 49741, 80 SEDO-ASDE Germany 15->44 46 www.howndey.com 199.192.16.100, 49744, 49745, 49746 NAMECHEAP-NETUS United States 15->46 48 3 other IPs or domains 15->48 32 C:\Users\user\AppData\...\2dd0mjan4edgrt8.exe, PE32 15->32 dropped 50 System process connects to network (likely due to code injection or exploit) 15->50 52 Benign windows process drops PE files 15->52 20 netsh.exe 1 17 15->20         started        24 2dd0mjan4edgrt8.exe 15->24         started        26 wlanext.exe 15->26         started        file8 signatures9 process10 file11 34 C:\Users\user\AppData\...\K--logrv.ini, data 20->34 dropped 36 C:\Users\user\AppData\...\K--logri.ini, data 20->36 dropped 62 Detected FormBook malware 20->62 64 Tries to steal Mail credentials (via file access) 20->64 66 Tries to harvest and steal browser information (history, passwords, etc) 20->66 28 cmd.exe 1 20->28         started        68 Modifies the context of a thread in another process (thread injection) 24->68 70 Maps a DLL or memory area into another process 24->70 72 Sample uses process hollowing technique 24->72 74 Tries to detect virtualization through RDTSC time measurements 26->74 signatures12 process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/257fe8630f5b3736b3da175be649ba233fbcadf9c8f01697b8ce0bc433df450b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 06:25:12 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ev76qyyplm3tnm62c5n6msn2em73zlpzzdybnf5yzyf4im67iufq._file
Verdict:
malicious
Label(s):
emotet
Create hunting rule
trickbot
Create hunting rule
Similar samples:
179043e8eb7c06144c67f58b2c2900ad10303862c0e5cd7e1fe5a4faf853f103
FormBook
4359188e33f22ea7022cb6e57a3870f2613a1c37dbc483475e02b38cde5bfa8e
FormBook
5853115efe30713520475cbe15d78cd6ed2e79483068463beacd41d0ebdce7c5
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a
FormBook
9a1bbd02f1dc5ae62f13a00f38067354bf8a754e72e3ebee49a8b6aaa7b7e41f
FormBook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
FormBook
9e4dcaf1e587af9702c21677d6447f90eff8437573e8400a8668db31d7bc7c3e
FormBook
a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453
FormBook
cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d
FormBook
+ 5'265 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200729-fg64rg9px6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Suspicious use of SendNotifyMessage
System policy modification
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/257fe8630f5b3736b3da175be649ba233fbcadf9c8f01697b8ce0bc433df450b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

ace 043c3fac7b317c0b61ed5cf5090c0e5767581d4caec6c1eb2098245e42b10cb4

FormBook

Executable exe 257fe8630f5b3736b3da175be649ba233fbcadf9c8f01697b8ce0bc433df450b

(this sample)

  
Dropped by
MD5 94969313c783c140469a9babf87adb3b
  
Dropped by
SHA256 043c3fac7b317c0b61ed5cf5090c0e5767581d4caec6c1eb2098245e42b10cb4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34210/

Comments