MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4638cb61381b2f87e80fd39f4b6c5f661ee224c874127c868b977d86cbdd7d10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4638cb61381b2f87e80fd39f4b6c5f661ee224c874127c868b977d86cbdd7d10
SHA3-384 hash: 8edb9e2a3684805275f4dc103ec0a2bc2f4bc3466a26aad23fad62528deac5cb6c6ab490b3e340679ca934e2417cb2c2
SHA1 hash: b49f31bbc058a98f69c30f04f2739b3fa105bc0e
MD5 hash: 6895436208234fb199f947daac9a0df8
humanhash: hotel-quebec-mirror-nineteen
File name:Purchase Order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:288'256 bytes
First seen:2020-07-22 06:39:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:rFRaWWy9sWp8CKAdVVKTFZh5oDvzAy7WGrKdJn7Wn6c4p1VV:rFnW2hWCn3CFZvU7AyqGrKdJa6c4p
Threatray 3'838 similar samples on MalwareBazaar
TLSH 6854CF6A93A8C47DF6AD8F3CE1306717433942062CD1EE4E7D705CC9A65E7867032BA9
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail.DSPROMEDIA.COM
Sending IP: 91.151.85.120
From: Fulcrum Maritime Systems Ltd <accounts@fulcrum-maritime.com>
Subject: Purchase Order
Attachment: Purchase Order.zip (contains "Purchase Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30769/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394396
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249592 Sample: Purchase Order.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 85 www.pottedtreebooks.com 2->85 117 Malicious sample detected (through community Yara rule) 2->117 119 Multi AV Scanner detection for submitted file 2->119 121 Sigma detected: Steal Google chrome login data 2->121 123 5 other signatures 2->123 13 Purchase Order.exe 1 2->13         started        signatures3 process4 signatures5 153 Maps a DLL or memory area into another process 13->153 16 Purchase Order.exe 1 13->16         started        19 RegAsm.exe 13->19         started        21 RegAsm.exe 13->21         started        process6 signatures7 93 Maps a DLL or memory area into another process 16->93 23 Purchase Order.exe 1 16->23         started        26 RegAsm.exe 16->26         started        95 Modifies the context of a thread in another process (thread injection) 19->95 97 Sample uses process hollowing technique 19->97 99 Queues an APC in another process (thread injection) 19->99 28 explorer.exe 1 6 19->28 injected 101 Tries to detect virtualization through RDTSC time measurements 21->101 process8 dnsIp9 131 Maps a DLL or memory area into another process 23->131 32 Purchase Order.exe 1 23->32         started        35 RegAsm.exe 23->35         started        133 Modifies the context of a thread in another process (thread injection) 26->133 135 Sample uses process hollowing technique 26->135 87 dvdgfilms.com 80.84.234.180, 49735, 49736, 49737 ASN-PROSERVEAmsterdamNL Netherlands 28->87 89 www.findnearbyplumber.com 28->89 91 3 other IPs or domains 28->91 83 C:\Users\user\AppData\...\lfxhztfip4l.exe, PE32 28->83 dropped 137 System process connects to network (likely due to code injection or exploit) 28->137 139 Benign windows process drops PE files 28->139 37 msdt.exe 1 19 28->37         started        40 wlanext.exe 28->40         started        42 ipconfig.exe 28->42         started        44 6 other processes 28->44 file10 signatures11 process12 file13 103 Maps a DLL or memory area into another process 32->103 46 Purchase Order.exe 32->46         started        49 RegAsm.exe 32->49         started        105 Modifies the context of a thread in another process (thread injection) 35->105 107 Sample uses process hollowing technique 35->107 77 C:\Users\user\AppData\...\JL2logrv.ini, data 37->77 dropped 79 C:\Users\user\AppData\...\JL2logri.ini, data 37->79 dropped 81 C:\Users\user\AppData\...\JL2logrf.ini, data 37->81 dropped 109 Detected FormBook malware 37->109 111 Tries to steal Mail credentials (via file access) 37->111 113 Tries to harvest and steal browser information (history, passwords, etc) 37->113 51 cmd.exe 37->51         started        54 cmd.exe 1 37->54         started        115 Tries to detect virtualization through RDTSC time measurements 40->115 56 conhost.exe 44->56         started        signatures14 process15 file16 155 Maps a DLL or memory area into another process 46->155 58 Purchase Order.exe 46->58         started        61 RegAsm.exe 46->61         started        157 Modifies the context of a thread in another process (thread injection) 49->157 159 Sample uses process hollowing technique 49->159 75 C:\Users\user\AppData\Local\Temp\DB1, SQLite 51->75 dropped 161 Tries to harvest and steal browser information (history, passwords, etc) 51->161 63 conhost.exe 51->63         started        163 Tries to detect virtualization through RDTSC time measurements 54->163 65 conhost.exe 54->65         started        signatures17 process18 signatures19 147 Maps a DLL or memory area into another process 58->147 67 Purchase Order.exe 58->67         started        70 RegAsm.exe 58->70         started        149 Modifies the context of a thread in another process (thread injection) 61->149 151 Sample uses process hollowing technique 61->151 process20 signatures21 125 Maps a DLL or memory area into another process 67->125 72 RegAsm.exe 67->72         started        127 Modifies the context of a thread in another process (thread injection) 70->127 129 Sample uses process hollowing technique 70->129 process22 signatures23 141 Modifies the context of a thread in another process (thread injection) 72->141 143 Maps a DLL or memory area into another process 72->143 145 Sample uses process hollowing technique 72->145
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4638cb61381b2f87e80fd39f4b6c5f661ee224c874127c868b977d86cbdd7d10/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 06:41:07 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iy4mwyjydmxyp2ap2opuw3c7mypoejgioqjhzbuls56yns65puia._file
Verdict:
malicious
Similar samples:
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
26bf78c520963df1285a4d4fc240e9a9d7ce5b61f02a99416e618514c0f83b22
FormBook
2fee614c34dfea5c440c1d0b8bf14c206f82f85fe3a8db4c19dce56e48fa2172
FormBook
4334ef4236c8a8b7c1c3463875315f16b35ba1d4dfac8c67f8c0cb81f950d850
FormBook
5f657de9b0eaeb9eabf6d18a202f7b8c7daafd71d03387366069fe9ebd5f282a
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
9c1501fbd2eb669ccbe4a41e37770191e954e6f0dd3e0a954a0670a91df3917c
FormBook
a492b017c3e12fe55493c562ed1304155616cb61b24f6dce0bfcd3eb7a7bdaf5
FormBook
ad8c070c48103dbc11875a052aa0447395f6ddda11e3f9e8aed091f0bb14050d
FormBook
e8edf009c1c82f348ad925f7f9a34b4f241d52240c6cb43ab4536c4b363d5322
FormBook
+ 3'828 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200722-wyzd3383x6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Gathers network information
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4638cb61381b2f87e80fd39f4b6c5f661ee224c874127c868b977d86cbdd7d10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip c8d006c17bb6bbd1504420c3732fe8d17a9d356c81b9a969d860de4e04e8d231

FormBook

Executable exe 4638cb61381b2f87e80fd39f4b6c5f661ee224c874127c868b977d86cbdd7d10

(this sample)

  
Dropped by
MD5 4c8378206e43cf170be6953724fa496f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c8d006c17bb6bbd1504420c3732fe8d17a9d356c81b9a969d860de4e04e8d231
Cape
Cape
https://www.capesandbox.com/analysis/30769/

Comments