MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4560ad14320551fa027d5c5006806bb5ba04dde028d7486c6ed2e467e99e8923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4560ad14320551fa027d5c5006806bb5ba04dde028d7486c6ed2e467e99e8923
SHA3-384 hash: 3d04bfd04001ba42e04282abc10a6bd77ac2f9815b6ebe9573b488aa345eaec249cf842a7eb9faa6f9b26580b5386ff6
SHA1 hash: 1592e9d9c21ff568f2c0dd25f6905db8519e4b9c
MD5 hash: 6e75b633588c3508a2ae7d2cdf4ebbd8
humanhash: ack-comet-hamper-twelve
File name:spreadsheet.xls
Download: download sample
Signature Formbook
Create hunting rule
File size:165'888 bytes
First seen:2020-08-04 23:13:47 UTC
Last seen:2020-08-04 23:30:33 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 3072:Gk3hOdsylKlgryzc4bNhZFGzE+cL2knWKKWXQ3kl/GJMfliRx4J2iSAqsaHHCa0r:Gk3hOdsylKlgryzc4bNhZF+E+W2knW/X
TLSH 14F3E1B3B6669D82DE72073C0BE956015713AD1E23A6C55AB334FB9F7F7048089C291B
Reporter malware_traffic
Tags:FormBook macros xls

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Exploit.Siggen2.13858.24045.2814.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file
Launching a process
Launching cmd.exe command interpreter
Deleting a recently created file
Launching a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Creating a process from a recently created file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410030
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: MS Office Product Spawning Exe in User Dir
Sigma detected: Suspicious Program Location Process Starts
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257256 Sample: spreadsheet.xls Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 40 www.magentos2.info 2->40 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Document exploit detected (drops PE files) 2->62 66 13 other signatures 2->66 12 EXCEL.EXE 34 40 2->12         started        signatures3 64 Tries to resolve many domain names, but no domain seems valid 40->64 process4 dnsIp5 48 aromaterapiaclinicabrasil.com.br 162.214.51.208, 49715, 80 UNIFIEDLAYER-AS-1US United States 12->48 36 C:\Users\user\AppData\...\87411326[1].jpg, PE32 12->36 dropped 38 C:\Users\Public\svchost32.exe, PE32 12->38 dropped 88 Document exploit detected (creates forbidden files) 12->88 90 Document exploit detected (process start blacklist hit) 12->90 17 svchost32.exe 12->17         started        20 splwow64.exe 12->20         started        file6 signatures7 process8 signatures9 50 Detected unpacking (changes PE section rights) 17->50 52 Machine Learning detection for dropped file 17->52 54 Maps a DLL or memory area into another process 17->54 56 2 other signatures 17->56 22 svchost32.exe 17->22         started        process10 signatures11 68 Modifies the context of a thread in another process (thread injection) 22->68 70 Maps a DLL or memory area into another process 22->70 72 Sample uses process hollowing technique 22->72 74 Queues an APC in another process (thread injection) 22->74 25 explorer.exe 1 22->25 injected process12 dnsIp13 42 www.weprodex.com 25->42 44 www.thetastevegan.com 25->44 46 14 other IPs or domains 25->46 76 System process connects to network (likely due to code injection or exploit) 25->76 29 netsh.exe 1 12 25->29         started        signatures14 78 Tries to resolve many domain names, but no domain seems valid 44->78 process15 signatures16 80 Tries to steal Mail credentials (via file access) 29->80 82 Tries to harvest and steal browser information (history, passwords, etc) 29->82 84 Modifies the context of a thread in another process (thread injection) 29->84 86 2 other signatures 29->86 32 cmd.exe 1 29->32         started        process17 process18 34 conhost.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4560ad14320551fa027d5c5006806bb5ba04dde028d7486c6ed2e467e99e8923/
Threat name:
Script-Macro.Downloader.Donoff
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 23:15:05 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivqk2fbsavi7uat5lrianadlww5ajxpafdluq3do2lsgp2m6rerq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro
Link:
https://tria.ge/reports/200804-x23cn8hbs2/
Behaviour
Suspicious Office macro
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4560ad14320551fa027d5c5006806bb5ba04dde028d7486c6ed2e467e99e8923

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments