MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2df93867afcfa816f19559f8afdc82701ff580a9c72906d2fb34b9ad9e6fb9ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2df93867afcfa816f19559f8afdc82701ff580a9c72906d2fb34b9ad9e6fb9ea
SHA3-384 hash: de7b0759268bc583c223fbbbace4a4553522504d0596828b9de4d5852545fb22025c5092144c2384464c781145814b64
SHA1 hash: 5f2d5284c710c9f721046998366735696aa7b80c
MD5 hash: d4741b455a75af89ab35d033fe15963c
humanhash: golf-fillet-wolfram-lima
File name:880345.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:1'025'078 bytes
First seen:2020-08-14 12:16:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:JAOcZypwU+zSRjzekBxeIuwYPQ8Io0UBXe:jYUF7TuwYTl0UE
Threatray 246 similar samples on MalwareBazaar
TLSH EE251202BBC689B2D5721932593963146E3C7D202F34DE6FB3C41A6EDE35190A625FB3
Reporter abuse_ch
Tags:FormBook scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: panda.com
Sending IP: 45.127.62.185
From: Febian Syena <merchandiser2@gemtexltd-bd.com>
Subject: shipment Document 0-9900 BL-PACKINGLIST
Attachment: 880345.r00 (contains "880345.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45918/
Detection(s):
Win.Dropper.NetWire-9102409-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Sending a UDP request
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/429723
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected AntiVM autoit script
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 267323 Sample: 880345.scr Startdate: 16/08/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Yara detected FormBook 2->51 53 Yara detected AntiVM autoit script 2->53 55 Modifies the prolog of user mode functions (user mode inline hooks) 2->55 11 880345.exe 33 2->11         started        process3 file4 37 C:\Users\user\26492182\hpgw.pif, PE32 11->37 dropped 67 Drops PE files with a suspicious file extension 11->67 15 hpgw.pif 3 11->15         started        signatures5 process6 file7 39 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 15->39 dropped 41 Contains functionality to inject code into remote processes 15->41 43 Writes to foreign memory regions 15->43 45 Allocates memory in foreign processes 15->45 47 Injects a PE file into a foreign processes 15->47 19 RegSvcs.exe 15->19         started        22 RegSvcs.exe 15->22         started        24 mshta.exe 15->24         started        26 6 other processes 15->26 signatures8 process9 signatures10 57 Modifies the context of a thread in another process (thread injection) 19->57 59 Maps a DLL or memory area into another process 19->59 61 Sample uses process hollowing technique 19->61 63 Queues an APC in another process (thread injection) 19->63 28 explorer.exe 19->28 injected 65 Tries to detect virtualization through RDTSC time measurements 22->65 process11 process12 30 msdt.exe 28->30         started        signatures13 69 Tries to detect virtualization through RDTSC time measurements 30->69 33 cmd.exe 30->33         started        process14 process15 35 conhost.exe 33->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2df93867afcfa816f19559f8afdc82701ff580a9c72906d2fb34b9ad9e6fb9ea/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 12:18:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fx4tqz5pz6ubn4mvlh4k7xecoap7lafjy4uqnux3gs423htpxhva._file
Verdict:
malicious
Similar samples:
0112bdb90e11eb117a1066b44657e7afba86f5a6155da9c12e25c346a34b36ca
Formbook
10189128ff7ff4ae10111c65ca809615595304636a0d0e451ee34bf23ee900a2
Formbook
1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923
Formbook
37e7b7329552ca9f6ab3233ebe1d8ab96c4385b941b31a21ea43c4c2b85fca61
Formbook
3b4671b291ffeef0bc2d488a2273b1bcc2546037229b29e4660254a71f03df82
Formbook
6eb767d15a657e7d39c9534bbd4b24bcc9fb7d72b100b5456ac975a002ef93a9
Formbook
86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26
Formbook
8bc57dbd7aa1c3ac5b3e4f743eb616b93aec9bae6975ccdaa9ad596ada32275b
Formbook
9cd4df25010125f2ef3eeef44503b3c2b58435af758fe7213d053a60f018f3d8
Formbook
fc1fbab23528029108a690e17c533f4c5de405b84159d95ef976bbae3fbead7e
Formbook
+ 236 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200814-v6pne2fpta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flekcht.com/blo/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2df93867afcfa816f19559f8afdc82701ff580a9c72906d2fb34b9ad9e6fb9ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r00 3d70a8eff056fc33703bf11e6fade74fa83bad86dc4014768cc8725e50a6e396

Formbook

Executable exe 2df93867afcfa816f19559f8afdc82701ff580a9c72906d2fb34b9ad9e6fb9ea

(this sample)

  
Dropped by
MD5 c7362ef1e6f4b6d356b5a159de13390a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45918/
  
Dropped by
SHA256 3d70a8eff056fc33703bf11e6fade74fa83bad86dc4014768cc8725e50a6e396

Comments