MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2736eab1d4bbb2dd220e5e34b8ea16a2495f6607d29f13d6314c07efc6cf757e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2736eab1d4bbb2dd220e5e34b8ea16a2495f6607d29f13d6314c07efc6cf757e
SHA3-384 hash: 635389ee99c6e83fda7c842b7057674fee128159dac0deb3cdad5ab19ef60548ef410f6b3d53016e87aa3db059f92efc
SHA1 hash: 0967accaaed4dbdd2787cd9ec10a3c35f86858be
MD5 hash: 6f3233610197481a6eafcabd20759e55
humanhash: florida-nuts-zulu-nebraska
File name:javF11vuLhF2SXl.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:487'424 bytes
First seen:2020-10-27 14:26:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:egiK03Jq8HcD+jriK6gYhjvjn2IHWJdBF/4Zi9UBLTa:eL3Uuc6jeK6gYhjr2xJ1/4ZGUla
Threatray 3'592 similar samples on MalwareBazaar
TLSH DCA4F164B6D079AFC5DBCD3314AA5C64A3B068BB470FF203D0633AB8D58D7968F541A2
Reporter abuse_ch
Tags:exe FormBook geo Outlook PRT


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: EUR06-VI1-obe.outbound.protection.outlook.com
Sending IP: 40.92.17.79
From: katerinazafirova@hotmail.com
Subject: Cópia de novo pagamento da fatura
Attachment: Cpia de pagamento.rar (contains "javF11vuLhF2SXl.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79956/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513747
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 306007 Sample: javF11vuLhF2SXl.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 37 www.evalassproductions.com 2->37 39 evalassproductions.com 2->39 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 10 other signatures 2->53 11 javF11vuLhF2SXl.exe 6 2->11         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\pXJkSwTPV.exe, PE32 11->33 dropped 35 C:\Users\user\AppData\Local\...\tmp7940.tmp, XML 11->35 dropped 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 15 javF11vuLhF2SXl.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 20 explorer.exe 15->20 injected 24 conhost.exe 18->24         started        process9 dnsIp10 41 datainnbooking.com 192.185.129.41, 49739, 80 UNIFIEDLAYER-AS-1US United States 20->41 43 ghs.googlehosted.com 172.217.168.83, 49735, 80 GOOGLEUS United States 20->43 45 4 other IPs or domains 20->45 55 System process connects to network (likely due to code injection or exploit) 20->55 26 ipconfig.exe 20->26         started        signatures11 process12 signatures13 57 Modifies the context of a thread in another process (thread injection) 26->57 59 Maps a DLL or memory area into another process 26->59 61 Tries to detect virtualization through RDTSC time measurements 26->61 29 cmd.exe 1 26->29         started        process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2736eab1d4bbb2dd220e5e34b8ea16a2495f6607d29f13d6314c07efc6cf757e/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 13:50:13 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e43ovmouxozn2iqoly2lr2qwujev6zqh2kprhvrrjqd67rwpov7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
020f6782cf76a5a4f0fc561da8c503892094137b8e5df112005a31885cdc89ef
Formbook
0bfa5712201676e9439c4624fd99b8ec2bba95ccd53fb67f0a289b0a8347fc7c
Formbook
0e63da56ac2a690976edd3e5b6224486f805c88f17d954bb462eed825c3c2fc4
Formbook
680e6e46c8bed6c48e63f6dab3409bb9cd05f6642084ef8b0d03898dacc500a7
Formbook
8e816e44eb6ebdc6b99876142caba3fc1f8a0633edec29e8c1ae3f57e1ca55c9
Formbook
9e9cdc29fefbbbe68a8341df4d3102bac12031106e1f14d1185f57a787a7447b
Formbook
ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196
Formbook
ba2bf5801650d3b1efe26350bdca102f606dc7622ad4908c414789ef5c0f24b3
Formbook
f755a2e09db3f63b7e9c035a488652b00ccb0678eca144db82e84e9e34345deb
Formbook
fd5aa67ff2ae6837aaf729665b08947c23a7b5cbb1f0c9fba82ebb95ddafcf24
Formbook
+ 3'582 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201027-zlmtppdg26/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.bfboke.com/cpi/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2736eab1d4bbb2dd220e5e34b8ea16a2495f6607d29f13d6314c07efc6cf757e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 0fef8bbdd9e6890b8a9897b5c7db0650cb113274cd5ae20dfb0da09f8fd75491

Formbook

Executable exe 2736eab1d4bbb2dd220e5e34b8ea16a2495f6607d29f13d6314c07efc6cf757e

(this sample)

  
Dropped by
MD5 88f0b9513e8bc515aaa3782cb1e14c1c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0fef8bbdd9e6890b8a9897b5c7db0650cb113274cd5ae20dfb0da09f8fd75491
Cape
Cape
https://www.capesandbox.com/analysis/79956/

Comments