MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e3d9f833b52556ddda6284240ab0abf9b5690eac25196f8aa9f79e87de32d46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e3d9f833b52556ddda6284240ab0abf9b5690eac25196f8aa9f79e87de32d46
SHA3-384 hash: baf98bd3e90844e63e6b5f89fc15d4325786f00f0edc0bf17c0c9d2d12b874466242a860f48f999bfc2ff5398f539081
SHA1 hash: cb1e8ad7fefbfdc9d68804ad227ad5682a7903ad
MD5 hash: 65c9dc74ba023a19c7d7c423b9a3ba6c
humanhash: hot-freddie-florida-fruit
File name:FATURA.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:388'608 bytes
First seen:2020-07-22 09:16:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:/yIHr2t9TS6PUm2GhNAr/lvlfTIMdCChCOh8YTybuB+JLnI+kzCCB5VVFZk+r:/NHr2tQ6PUm2iNS5sOh8Ye6B+JLnI+kh
Threatray 5'667 similar samples on MalwareBazaar
TLSH DA84CE11E7F40BEAEB5947B9E06105509779A61E23E7E70D1B92F1EC0932B418B23F27
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: lx1.morvanet.com
Sending IP: 46.4.222.5
From: info@arvinarman.com
Subject: Re: Re: AW: AW: yeni sipariş sorgulama
Attachment: FATURA.rar (contains "FATURA.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31006/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394813
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249811 Sample: FATURA.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 60 www.casmio.com 2->60 62 nbparking-lb1-e8979d80a94bc16b.elb.us-east-1.amazonaws.com 2->62 64 comingsoon.namebright.com 2->64 74 Malicious sample detected (through community Yara rule) 2->74 76 Multi AV Scanner detection for dropped file 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 6 other signatures 2->80 11 FATURA.exe 5 2->11         started        signatures3 process4 file5 54 C:\Users\user\AppData\...\VmBnaaSaZpQUD.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\Local\...\tmp73FA.tmp, XML 11->56 dropped 58 C:\Users\user\AppData\...\FATURA.exe.log, ASCII 11->58 dropped 14 RegSvcs.exe 11->14         started        17 schtasks.exe 1 11->17         started        process6 signatures7 94 Modifies the context of a thread in another process (thread injection) 14->94 96 Maps a DLL or memory area into another process 14->96 98 Sample uses process hollowing technique 14->98 100 2 other signatures 14->100 19 explorer.exe 1 6 14->19 injected 24 conhost.exe 17->24         started        process8 dnsIp9 66 www.ruiba360.com 156.249.185.110, 49721, 80 IKGUL-26484US Seychelles 19->66 68 www.rusticrootzboutique.com 19->68 70 www.gzexchange.com 19->70 46 C:\Users\user\AppData\Local\...\ms9rrti6v.exe, PE32 19->46 dropped 82 System process connects to network (likely due to code injection or exploit) 19->82 84 Benign windows process drops PE files 19->84 26 wscript.exe 1 19 19->26         started        30 ms9rrti6v.exe 2 19->30         started        file10 signatures11 process12 file13 48 C:\Users\user\AppData\...\900logrv.ini, data 26->48 dropped 50 C:\Users\user\AppData\...\900logri.ini, data 26->50 dropped 52 C:\Users\user\AppData\...\900logrf.ini, data 26->52 dropped 86 Detected FormBook malware 26->86 88 Tries to steal Mail credentials (via file access) 26->88 90 Tries to harvest and steal browser information (history, passwords, etc) 26->90 92 3 other signatures 26->92 32 cmd.exe 2 26->32         started        36 cmd.exe 1 26->36         started        38 conhost.exe 30->38         started        signatures14 process15 file16 44 C:\Users\user\AppData\Local\Temp\DB1, SQLite 32->44 dropped 72 Tries to harvest and steal browser information (history, passwords, etc) 32->72 40 conhost.exe 32->40         started        42 conhost.exe 36->42         started        signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2e3d9f833b52556ddda6284240ab0abf9b5690eac25196f8aa9f79e87de32d46/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 09:18:11 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fy6z7az3kjkw3xngfbbebkykx6nvnehkyjizn6fkt546q7pdfvda._file
Verdict:
malicious
Similar samples:
2ed8cd44621cc06fa9a00f11b5217fe58839a8ec6bfee8d42f78f61263652da5
FormBook
476d02f7c777bb08d97cf87c305e3cb4f41501c1b15ddd88e55f31bff0767b0a
FormBook
49aaf4ae6bf7f60a07c4ffc43ca0be27fce694446436dd07aac5db362142c2c8
FormBook
75fc0beb16fbe8af2f46d2cfcb7176af4289430516d74017d1a32cd0c37859c0
FormBook
80c2d3e3f00d60ab27069ab1d911bbccadd2ba38df47c098d1efc2a0092ff320
FormBook
9256cc7129421443ba770b55f01042e58fa5af856df1db31e830f147213c2a1c
FormBook
afd354c93f9c9ad2324dd4ecd1e58041f373f1b3360ef8ce2792e437bd104a8d
FormBook
cf1390576f600dd52c89ddbbec49142b26638748b5fb696c3c2ac4583ab68b75
FormBook
dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b
FormBook
f8a0ada1c983c16a3ff6b107c2a04cac970e51ba9bec2514771271af03b7b9fc
FormBook
+ 5'657 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200722-arvknzazdn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e3d9f833b52556ddda6284240ab0abf9b5690eac25196f8aa9f79e87de32d46

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 61f34c13071f3c9a449684f3ef467e90f465a538850aa866522137a2342a6ad8

FormBook

Executable exe 2e3d9f833b52556ddda6284240ab0abf9b5690eac25196f8aa9f79e87de32d46

(this sample)

  
Dropped by
MD5 8ebbd45973522215af96aadd84bff17d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/31006/
  
Dropped by
SHA256 61f34c13071f3c9a449684f3ef467e90f465a538850aa866522137a2342a6ad8

Comments