MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38cafe26c2a04715f175182f36462f482bdbbcb1d875654b9ac1242c29f50b06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38cafe26c2a04715f175182f36462f482bdbbcb1d875654b9ac1242c29f50b06
SHA3-384 hash: 0ce91635feb3dfef7866e7e16be9c5f1aa7dd5f72d8e32cc9b24c40927274a5d67ce948c5c7c8bd0c5be5dc9f9cfb5c8
SHA1 hash: 3d0c7bf68dc2357d2cc4f66ababe1ab0e9bde631
MD5 hash: 3c215a86705a271306d44838eba52893
humanhash: bravo-one-low-mango
File name:PURCHASE ORDER.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:721'920 bytes
First seen:2020-06-22 06:24:27 UTC
Last seen:2020-06-22 06:41:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 53e988b05dd87faa3607b92ae121c8dc (13 x AgentTesla, 5 x DarkComet, 4 x Loki)
ssdeep 12288:+VdoK1+r6XRBuSAAZJu0z53gFnlgJoB2wyW/iFDA:iCxr6RACjHJoB2nW/
Threatray 4'862 similar samples on MalwareBazaar
TLSH 7BE4AE22E2BD4432C163167D5C0B5378A836BE53792899C7ABE5DC4C9F3B242393B197
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: gmail.com
Sending IP: 156.96.44.161
From: ART IMPEX GROUP LLP <sales@gmail.com>
Reply-To: fortunatodaniel.johndeere@gmail.com
Subject: RE: RE: RE: RE: New Purchase Order
Attachment: PURCHASE ORDER.zip (contains "PURCHASE ORDER.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12401/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/38cafe26c2a04715f175182f36462f482bdbbcb1d875654b9ac1242c29f50b06/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-06-21 23:23:06 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdfp4jwcubdrl4lvdaxtmrrpjav5xpfr3b2wks42yescykpvbmda._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
1d1c9ee0b1adaa5a121fd70d332785395ad22538f9cdc7db44414c1604e28919
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
54828c080b94bdbf7bc08ff7a3fc69fa5a91d1b067d2997af8ef60c0304b4aed
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
693e62c2a77f9a854abde4a76ff075601db591e2007d198225385fc63965b719
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
b84f164b86250eaee07153f4665af8826f0e934ba80e505ae37ead324f53b971
FormBook
cfa40c1b8552fd4db408ba6cc0d622c3fed256ca4e684e4277291332c45975fb
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
+ 4'852 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware evasion trojan
Link:
https://tria.ge/reports/200624-j7yvtxs876/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
System policy modification
Enumerates system info in registry
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 8ef4b98be3854eea616d09bb9fdbcdfb8b4c5d7c779197d2824ba13035d80ea9

FormBook

Executable exe 38cafe26c2a04715f175182f36462f482bdbbcb1d875654b9ac1242c29f50b06

(this sample)

  
Dropped by
MD5 2f186f08a01e9e6efcdade9a79525646
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8ef4b98be3854eea616d09bb9fdbcdfb8b4c5d7c779197d2824ba13035d80ea9
Cape
Cape
https://www.capesandbox.com/analysis/12401/

Comments