MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 361b870ce5f03b00cd0bd8b38c126a247cedddac310047ecd9fcbab921022de9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 361b870ce5f03b00cd0bd8b38c126a247cedddac310047ecd9fcbab921022de9
SHA3-384 hash: 0ec80797eb09cfb0b57ffe680aeffc666dc32187846685fa1af5db8baee6065c6b05715007436c7554298b6d3c92b663
SHA1 hash: 72233c95267ccaa4b4458c857b8d428cf39b2575
MD5 hash: a409ed59cf9c1e82d1eb0c57cae8f62a
humanhash: mexico-louisiana-lion-september
File name:BLS20080024.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:942'080 bytes
First seen:2020-07-20 07:43:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Yu/ce1q9I6/kldSCGDyaod+ik4g8y3SoDIa3kpzunJjDgSb784qolgrdm4Vz0Rpl:Yu0eOPW2rEloDICkpzul/h
Threatray 5'214 similar samples on MalwareBazaar
TLSH 6215CEC6AA506110DAAC2FB45E32CA350321BD1DF9F1D61E2BD4BC9B3F7A793D015622
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dlveltex.co
Sending IP: 111.90.145.49
From: Duangkamol <allwin@hibox.hinet.net>
Reply-To: allwin@hibox.hinet.net
Subject: REQUEST FOR QUOTATION.
Attachment: BLS20080024.rar (contains "BLS20080024.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28593/
Detection(s):
SecuriteInfo.com.LuheFihaA.10951.1225.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390994
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247752 Sample: BLS20080024.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 59 www.flycoz.com 2->59 75 Multi AV Scanner detection for domain / URL 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Multi AV Scanner detection for dropped file 2->79 81 7 other signatures 2->81 11 BLS20080024.exe 1 2->11         started        signatures3 process4 file5 57 C:\Users\user\AppData\...\BLS20080024.exe.log, ASCII 11->57 dropped 99 Tries to detect virtualization through RDTSC time measurements 11->99 101 Injects a PE file into a foreign processes 11->101 15 BLS20080024.exe 11->15         started        signatures6 process7 signatures8 103 Modifies the context of a thread in another process (thread injection) 15->103 105 Maps a DLL or memory area into another process 15->105 107 Sample uses process hollowing technique 15->107 109 Queues an APC in another process (thread injection) 15->109 18 explorer.exe 4 6 15->18 injected process9 dnsIp10 61 ifarm4u.com 34.102.136.180, 49734, 80 GOOGLEUS United States 18->61 63 www.yangzhie288.com 18->63 65 2 other IPs or domains 18->65 49 C:\Users\user\AppData\...\services0hvp5.exe, PE32 18->49 dropped 83 System process connects to network (likely due to code injection or exploit) 18->83 85 Benign windows process drops PE files 18->85 23 netsh.exe 1 19 18->23         started        27 services0hvp5.exe 1 18->27         started        29 services0hvp5.exe 18->29         started        31 2 other processes 18->31 file11 signatures12 process13 file14 51 C:\Users\user\AppData\...\-46logrv.ini, data 23->51 dropped 53 C:\Users\user\AppData\...\-46logri.ini, data 23->53 dropped 55 C:\Users\user\AppData\...\-46logrf.ini, data 23->55 dropped 87 Detected FormBook malware 23->87 89 Tries to steal Mail credentials (via file access) 23->89 91 Tries to harvest and steal browser information (history, passwords, etc) 23->91 97 2 other signatures 23->97 33 cmd.exe 2 23->33         started        37 cmd.exe 1 23->37         started        93 Injects a PE file into a foreign processes 27->93 39 services0hvp5.exe 27->39         started        41 services0hvp5.exe 29->41         started        95 Tries to detect virtualization through RDTSC time measurements 31->95 signatures15 process16 file17 47 C:\Users\user\AppData\Local\Temp\DB1, SQLite 33->47 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 33->67 43 conhost.exe 33->43         started        45 conhost.exe 37->45         started        69 Modifies the context of a thread in another process (thread injection) 39->69 71 Maps a DLL or memory area into another process 39->71 73 Sample uses process hollowing technique 39->73 signatures18 process19
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/361b870ce5f03b00cd0bd8b38c126a247cedddac310047ecd9fcbab921022de9/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 07:45:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gynyodhf6a5qbtil3czyyetker6o3xnmgeaep3gz7s5lsiicfxuq._file
Verdict:
malicious
Similar samples:
154d6b81bf4dcce3911f5c72f4790569e1cd91aee0040e7c1341f5286952bafe
FormBook
3026e3d087b09043925e42928fa0764af54475791f45f8ce97ce3f72b0a66e50
FormBook
597022d4e4794fb02c89a43939d93d1b2b1140e798e355c2a53a8423f19514ad
FormBook
6b17c7fa9318e19b00115ee75af6c8ee3b811e7983ed96ae819461482834137e
FormBook
8444fb3b56e5ce9643786f9663e364d9a3bb926efe3395485053450950fe8df8
FormBook
879e1880a4d2d7f0245a1267cf5bd4447eab697eea8680aa96ecf73f8a2c78f5
FormBook
8e3558d36802ba3f0da7c2b1188d5f12918959c2674e5421c2d15fad57d712e9
FormBook
a841d5eddb5208f4740c9d305151742f0a4c39b113e91d41414af98ff19c6c3d
FormBook
cbd6e5626ae84385a9fc7a7eab1877be367ef0b69dc1c4a8de1f668ecb018ab2
FormBook
da598cdcc8c0be3634bafe7bfb3ca0137e1ae0f785fcbe679f63a79fde4c3131
FormBook
+ 5'204 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200720-f4at2zx7ee/
Behaviour
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/361b870ce5f03b00cd0bd8b38c126a247cedddac310047ecd9fcbab921022de9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 82fc4d8acaab0b45e49286d0e5ccdd98c4dcb4d79c56ed3b94691a6270e3dfeb

FormBook

Executable exe 361b870ce5f03b00cd0bd8b38c126a247cedddac310047ecd9fcbab921022de9

(this sample)

  
Dropped by
MD5 94f88c08094c0b9e2606e796de4cfb49
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 82fc4d8acaab0b45e49286d0e5ccdd98c4dcb4d79c56ed3b94691a6270e3dfeb
Cape
Cape
https://www.capesandbox.com/analysis/28593/

Comments