MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f9d83d844287396dcaf52b5c15c1dacc92bc4ae2e2777d24c8d09465037ace3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f9d83d844287396dcaf52b5c15c1dacc92bc4ae2e2777d24c8d09465037ace3
SHA3-384 hash: 3c3294144781e04b2ad7d02881dee5909ff531d1cbdc8e6e24210ace4534a74aff08da950d7a028410c53cde196371ee
SHA1 hash: dc1411169ccfac189b4370ce8342779051a65753
MD5 hash: 2a30abd4d6db32bfc49a069c56ceb45c
humanhash: hydrogen-red-ceiling-oranges
File name:orden de compra.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:389'120 bytes
First seen:2020-08-14 15:05:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:GhhxOwlRJXzSnngAWTDlojY2U6ZO/waFiDvvLiqtYXvShhg+3+qrYDjKOoMBwPne:GhunADaYAO47Li4QvShhtuqr2KtMBwPe
Threatray 2'262 similar samples on MalwareBazaar
TLSH AB84E04C31A4A232F6F50FF698206C0843A6671A4926DF0F5EE572F043E6FE4BA5591B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server107.neubox.net
Sending IP: 174.136.28.112
From: Juan Saune <proveedores@promedic.com.mx>
Subject: Re: Re: orden de compra
Attachment: orden de compra.zip (contains "orden de compra.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46027/
Detection(s):
SecuriteInfo.com.FileRepMalware.2885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/430168
Signature
Benign windows process drops PE files
Binary contains a suspicious time stamp
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 267494 Sample: orden de compra.exe Startdate: 16/08/2020 Architecture: WINDOWS Score: 100 49 www.inbonz.com 2->49 55 Malicious sample detected (through community Yara rule) 2->55 57 Sigma detected: Scheduled temp file as task from temp location 2->57 59 Yara detected AntiVM_3 2->59 61 5 other signatures 2->61 11 orden de compra.exe 7 2->11         started        signatures3 process4 file5 41 C:\Users\user\AppData\Local\...\tmpEA78.tmp, XML 11->41 dropped 43 C:\Users\user\AppData\...\soPSGUbyne.exe, PE32 11->43 dropped 67 Writes to foreign memory regions 11->67 69 Injects a PE file into a foreign processes 11->69 15 RegSvcs.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 79 Modifies the context of a thread in another process (thread injection) 15->79 81 Maps a DLL or memory area into another process 15->81 83 Sample uses process hollowing technique 15->83 85 2 other signatures 15->85 20 explorer.exe 1 6 15->20 injected 25 conhost.exe 18->25         started        process9 dnsIp10 51 www.fex-tracks.com 162.0.231.94, 49726, 80 NAMECHEAP-NETUS Canada 20->51 53 www.priestvedic.com 20->53 39 C:\Users\user\AppData\Local\...\2d14klhl8.exe, PE32 20->39 dropped 63 System process connects to network (likely due to code injection or exploit) 20->63 65 Benign windows process drops PE files 20->65 27 colorcpl.exe 1 17 20->27         started        31 2d14klhl8.exe 20->31         started        file11 signatures12 process13 file14 45 C:\Users\user\AppData\...\453logrv.ini, data 27->45 dropped 47 C:\Users\user\AppData\...\453logri.ini, data 27->47 dropped 71 Detected FormBook malware 27->71 73 Tries to steal Mail credentials (via file access) 27->73 75 Tries to harvest and steal browser information (history, passwords, etc) 27->75 77 3 other signatures 27->77 33 cmd.exe 1 27->33         started        35 conhost.exe 31->35         started        signatures15 process16 process17 37 conhost.exe 33->37         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2f9d83d844287396dcaf52b5c15c1dacc92bc4ae2e2777d24c8d09465037ace3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 15:07:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6oyhwcefbzznxfpkk24cxa5vtesxrfofytxpusmrueumubxvtrq._file
Verdict:
malicious
Similar samples:
0bf6ccdd920a50186f7318c51564ecc8f502302b084a5fda3feadb0d51e40f24
FormBook
117cca28917405c65fd9e824b381006f453618e5d8c2e080482c1df59a6b8848
FormBook
5042521b58a756c07c9b4d6546b2d6a33c16c49ec60e65d190f17fdb7db006f8
FormBook
6011714f77a9cfdf682b04df3490a0ca227d9a64074946304b8ccd0c83e6264e
FormBook
97e6267855cefb9ff2f241573427435337aef6acc035121a2e0a098a6f6b58f6
FormBook
ac88ad4f977c60a4e265cb5390c408c8979da9d1bb3c9b5c0a3698f359366bbe
FormBook
af2c5c77ba52532806daae8bffadb2c5a4073009e0f485302d2c816ff315a8a7
FormBook
ca2ac9192f0d9fe769d59b389543d410921d56b2231a639fd99ae5ffc9c275ef
FormBook
da7f542b91835ba3090350c2936641058c361e332eda9222f0674dfcbefd4ce9
FormBook
e1cc292b3eb8e646e0c778966a3150d2f278e1394059cf31106301bb003d273f
FormBook
+ 2'252 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200814-sbeft2w49s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.fex-tracks.com/kvsz/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/2f9d83d844287396dcaf52b5c15c1dacc92bc4ae2e2777d24c8d09465037ace3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 6f8594f486bb2feba0aac43986145d67e30a9280ae4a6a06ca1175d83099d286

FormBook

Executable exe 2f9d83d844287396dcaf52b5c15c1dacc92bc4ae2e2777d24c8d09465037ace3

(this sample)

  
Dropped by
MD5 bbcff5c893694167a63789ab94c029f0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46027/
  
Dropped by
SHA256 6f8594f486bb2feba0aac43986145d67e30a9280ae4a6a06ca1175d83099d286

Comments