MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fda6f5aaefec5286f13f453ce9ca896d82c0065ffb4c9019dc12eb685609117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fda6f5aaefec5286f13f453ce9ca896d82c0065ffb4c9019dc12eb685609117
SHA3-384 hash: 178368232481d92f6d9ca78d6d455cab008f42a718c0732357829a1c7907b79866c83568125ea54bdc3493ee6d7eff1f
SHA1 hash: f76595c7263a9f7a5c6278ffc781d2b4181f4be5
MD5 hash: 998f4f8e5935a3fccd15d33a71cd8e12
humanhash: july-quiet-batman-oregon
File name:Attachment list#20200308783.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'206'784 bytes
First seen:2020-08-04 09:06:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:5h5IYxPE1Hwj/MyFlTWf++zPsrVZlwVMXY7rck:5h5IRxSLBmSVjwV8qck
Threatray 5'101 similar samples on MalwareBazaar
TLSH 1D45C0C5F1409959D8194D3A8D32D9B14B326C6BEF06C60730CCBE9B7BBB5865A24F83
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: salehiya.com
Sending IP: 37.49.229.235
From: VINACONEX Trading <genmail@salehiya.com>
Subject: REQUEST FOR QUOTATION
Attachment: Attachment list20200308783.7z (contains "Attachment list#20200308783.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38383/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.30205.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408928
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 256696 Sample: Attachment list#20200308783.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 52 www.urbanmartins.com 2->52 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Yara detected AntiVM_3 2->64 66 7 other signatures 2->66 11 Attachment list#20200308783.exe 3 2->11         started        signatures3 process4 file5 50 C:\...\Attachment list#20200308783.exe.log, ASCII 11->50 dropped 94 Injects a PE file into a foreign processes 11->94 15 Attachment list#20200308783.exe 11->15         started        18 Attachment list#20200308783.exe 11->18         started        signatures6 process7 signatures8 96 Modifies the context of a thread in another process (thread injection) 15->96 98 Maps a DLL or memory area into another process 15->98 100 Sample uses process hollowing technique 15->100 102 Queues an APC in another process (thread injection) 15->102 20 explorer.exe 3 6 15->20 injected process9 dnsIp10 54 apathyinaction.info 34.102.136.180, 49739, 49740, 49741 GOOGLEUS United States 20->54 56 www.urbanmartins.com 20->56 58 3 other IPs or domains 20->58 44 C:\Users\user\AppData\...\services4hlhjb.exe, PE32 20->44 dropped 74 System process connects to network (likely due to code injection or exploit) 20->74 76 Benign windows process drops PE files 20->76 25 wlanext.exe 1 17 20->25         started        29 services4hlhjb.exe 3 20->29         started        31 services4hlhjb.exe 2 20->31         started        33 2 other processes 20->33 file11 signatures12 process13 file14 46 C:\Users\user\AppData\...\0-Rlogrv.ini, data 25->46 dropped 48 C:\Users\user\AppData\...\0-Rlogri.ini, data 25->48 dropped 78 Detected FormBook malware 25->78 80 Tries to steal Mail credentials (via file access) 25->80 82 Tries to harvest and steal browser information (history, passwords, etc) 25->82 92 2 other signatures 25->92 35 cmd.exe 1 25->35         started        84 Injects a PE file into a foreign processes 29->84 37 services4hlhjb.exe 29->37         started        86 Writes to foreign memory regions 31->86 88 Allocates memory in foreign processes 31->88 40 services4hlhjb.exe 31->40         started        90 Tries to detect virtualization through RDTSC time measurements 33->90 signatures15 process16 signatures17 42 conhost.exe 35->42         started        68 Modifies the context of a thread in another process (thread injection) 37->68 70 Maps a DLL or memory area into another process 37->70 72 Sample uses process hollowing technique 37->72 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fda6f5aaefec5286f13f453ce9ca896d82c0065ffb4c9019dc12eb685609117/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 09:08:08 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7ng6wvo73csq3yt6rj45hfis3mcyadf762msam5yexlnblaselq._file
Verdict:
malicious
Similar samples:
0bf6ccdd920a50186f7318c51564ecc8f502302b084a5fda3feadb0d51e40f24
FormBook
59793c1ac9d8537e06996b0a09f161deb98a77d527b0bc97b18e15972f120a2d
FormBook
5bd5a94befaf51c0702273d144aa5d31fc88e7f677ea33ea98408450e1b535d7
FormBook
7eb341c011c4ea364ef927cfc57ac980111e9c49012834c3760896fec7f04d52
FormBook
8f06b49b371c6b257b716689b767ebf4bbc75391d0cf152b9bbe498ef55d017c
FormBook
a76588c6088ba6b56904fa50df8547ff3b93a67b520769d73e92b04bb8d718d6
FormBook
b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b
FormBook
bfb2fd4412e9cd136a794f61436d597d7d58fb4fd842509dabe7a70344e4fd97
FormBook
e3262e18e77da24473b5af2117f10a3121c8ed1a832c6e1b0f5a8f0d7e5fecda
FormBook
ffe68860d3d4320a2152bb2f3a636eb0f484f9f81a14b112c5f349b7c3d79f76
FormBook
+ 5'091 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200804-9d7g1msjwx/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3fda6f5aaefec5286f13f453ce9ca896d82c0065ffb4c9019dc12eb685609117

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

7z 634bdd53081dfd2bf37cd1391e37a0c5cf1617be172cf68ebf1b05ae08f4094a

FormBook

Executable exe 3fda6f5aaefec5286f13f453ce9ca896d82c0065ffb4c9019dc12eb685609117

(this sample)

  
Dropped by
MD5 6050509ee86df428da11836068f746e7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38383/
  
Dropped by
SHA256 634bdd53081dfd2bf37cd1391e37a0c5cf1617be172cf68ebf1b05ae08f4094a

Comments