MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48e669e665d2f7fc227318a06f5be1c3f89b596f09be1dae7b996437c0e56e04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48e669e665d2f7fc227318a06f5be1c3f89b596f09be1dae7b996437c0e56e04
SHA3-384 hash: ee805d426f1a969b87f8a081bbbca4b6fd8d3832503058f4d79c4e975f8f55e8771d7ccf1521750d2320e63453be237d
SHA1 hash: 5565ccb8f4ab5a2558fa21b6b1824bd1a37945b9
MD5 hash: 83e92e806bb6177ca40a3dea32eb6c44
humanhash: nitrogen-zulu-fruit-zebra
File name:sipariş.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:397'312 bytes
First seen:2020-07-22 09:17:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:mjqRXoFrtTPSwxPUm2GhNAr/lvlfyUv2I1rw2cag/ryY9RqQWuqFghYVkurd:m2RXoFpxPUm2iNSbBgV/D9MQYghvEd
Threatray 5'680 similar samples on MalwareBazaar
TLSH E684CF10FBF80BE9DB6947B5E06105609B79A51A67EAE30D1F91F0DC0932B819723F27
Reporter abuse_ch
Tags:exe FormBook geo TUR


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.linux66.papaki.gr
Sending IP: 136.243.173.169
From: Bihter Buyukaykin <bbuyukaykin@isyatirim.com.tr>
Subject: sipariş
Attachment: sipariş.zip (contains "sipariş.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31007/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394819
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249813 Sample: sipari#U015f.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 61 www.jimmysmarket.com 2->61 63 HDRedirect-LB5-1afb6e2973825a56.elb.us-east-1.amazonaws.com 2->63 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 7 other signatures 2->79 11 sipari#U015f.exe 5 2->11         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\nnAZLyFlUaWh.exe, PE32 11->49 dropped 51 C:\Users\user\AppData\Local\...\tmpDB1E.tmp, XML 11->51 dropped 53 C:\Users\user\...\sipari#U015f.exe.log, ASCII 11->53 dropped 85 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->85 15 RegSvcs.exe 11->15         started        18 schtasks.exe 1 11->18         started        signatures6 process7 signatures8 95 Modifies the context of a thread in another process (thread injection) 15->95 97 Maps a DLL or memory area into another process 15->97 99 Sample uses process hollowing technique 15->99 101 2 other signatures 15->101 20 explorer.exe 1 6 15->20 injected 25 conhost.exe 18->25         started        process9 dnsIp10 65 www.lykzd.com 107.151.111.246, 49723, 49724, 49725 POWERLINE-AS-APPOWERLINEDATACENTERHK United States 20->65 67 www.mantendo-yokohama.com 153.127.236.56, 49722, 80 KIRKAGOYAJAPANIncJP Japan 20->67 69 www.553485.top 20->69 47 C:\Users\user\AppData\...\phdpgpuczedufw8.exe, PE32 20->47 dropped 81 System process connects to network (likely due to code injection or exploit) 20->81 83 Benign windows process drops PE files 20->83 27 msdt.exe 1 19 20->27         started        31 phdpgpuczedufw8.exe 2 20->31         started        file11 signatures12 process13 file14 55 C:\Users\user\AppData\...\875logrv.ini, data 27->55 dropped 57 C:\Users\user\AppData\...\875logri.ini, data 27->57 dropped 59 C:\Users\user\AppData\...\875logrf.ini, data 27->59 dropped 87 Detected FormBook malware 27->87 89 Tries to steal Mail credentials (via file access) 27->89 91 Tries to harvest and steal browser information (history, passwords, etc) 27->91 93 3 other signatures 27->93 33 cmd.exe 2 27->33         started        37 cmd.exe 1 27->37         started        39 conhost.exe 31->39         started        signatures15 process16 file17 45 C:\Users\user\AppData\Local\Temp\DB1, SQLite 33->45 dropped 71 Tries to harvest and steal browser information (history, passwords, etc) 33->71 41 conhost.exe 33->41         started        43 conhost.exe 37->43         started        signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48e669e665d2f7fc227318a06f5be1c3f89b596f09be1dae7b996437c0e56e04/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 09:19:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdtgtztf2l37yittdcqg6w7byp4jwwlpbg7b3lt3tfsdpqhfnyca._file
Verdict:
malicious
Similar samples:
2c187355df4f12de133694fdf1d552ed894b937d9028fe1dc9e6b35af933578b
FormBook
2ed8cd44621cc06fa9a00f11b5217fe58839a8ec6bfee8d42f78f61263652da5
FormBook
476d02f7c777bb08d97cf87c305e3cb4f41501c1b15ddd88e55f31bff0767b0a
FormBook
49aaf4ae6bf7f60a07c4ffc43ca0be27fce694446436dd07aac5db362142c2c8
FormBook
7e5f94868785df0e045c67a336a7add1207eccd4aef5a851f6b41b3c0579b71c
FormBook
80c2d3e3f00d60ab27069ab1d911bbccadd2ba38df47c098d1efc2a0092ff320
FormBook
867acb7e92cf736b5ad2ac094169b54f7b5a4c9c3b48d048a49058010d19d0db
FormBook
cf1390576f600dd52c89ddbbec49142b26638748b5fb696c3c2ac4583ab68b75
FormBook
dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b
FormBook
ea5ada6c08dbfc308e230059c103b5a4783675baf0ddce6ee90a9030f1936ec4
FormBook
+ 5'670 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence trojan spyware stealer family:formbook evasion
Link:
https://tria.ge/reports/200722-766962p7as/
Behaviour
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/48e669e665d2f7fc227318a06f5be1c3f89b596f09be1dae7b996437c0e56e04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 7f273e0448f9659bb03962709ea6631ad5bf8b183e07553ca61b4876c111cb8c

FormBook

Executable exe 48e669e665d2f7fc227318a06f5be1c3f89b596f09be1dae7b996437c0e56e04

(this sample)

  
Dropped by
MD5 cfeca49376fcb40ea6808680fa967ce9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/31007/
  
Dropped by
SHA256 7f273e0448f9659bb03962709ea6631ad5bf8b183e07553ca61b4876c111cb8c

Comments