MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3
SHA3-384 hash: 8f42dbb14be46447d454394eb1f3e65901419fdad891249e33a75d5488c225ba3c7542378436f88ffda998294aeffa49
SHA1 hash: adf0aaf83b186fc9877c5632d66e11240db90f23
MD5 hash: 24e578762b065d2df269dbe5b25a725c
humanhash: purple-moon-missouri-michigan
File name:pjhjuc.jpg
Download: download sample
Signature Formbook
Create hunting rule
File size:876'544 bytes
First seen:2020-07-31 11:12:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd44fc7474cd1f02fae5c94314314eb4 (3 x Loki, 1 x AgentTesla, 1 x NanoCore)
ssdeep 12288:1esfUazLqCwtZKGdotXPk0XvuZFuj905RzZZaGkzlDajl9oZncIq0lCmwCZRnqy3:1zsEQD2Pk60A8NfmxigOIFF7T7
Threatray 2'254 similar samples on MalwareBazaar
TLSH 98157C22BEDC4432C3231A788F5B566C5936BD533935AA8A6BF52C48DF397807835393
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: akhaten.nordnet.ws
Sending IP: 144.76.106.247
From: zhouliywang009@yahoo.com <zhouliywang009@yahoo.com>
Subject: PO 17774
Attachment: PO 17774.xls

FormBook payload URL:
https://a.uguu.se/pjhjuc.jpg

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36460/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/405957
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255322 Sample: pjhjuc.jpg Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 34 www.scottwhit.com 2->34 36 www.hnyadl.com 2->36 38 3 other IPs or domains 2->38 42 Malicious sample detected (through community Yara rule) 2->42 44 Yara detected FormBook 2->44 46 Machine Learning detection for sample 2->46 11 pjhjuc.exe 2->11         started        signatures3 process4 signatures5 56 Detected unpacking (changes PE section rights) 11->56 58 Maps a DLL or memory area into another process 11->58 60 Tries to detect virtualization through RDTSC time measurements 11->60 62 Contains functionality to detect sleep reduction / modifications 11->62 14 pjhjuc.exe 11->14         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 17 explorer.exe 1 14->17 injected process8 dnsIp9 28 xn--oy2b11lymexwcbzy.com 183.111.174.79, 49738, 80 KIXS-AS-KRKoreaTelecomKR Korea Republic of 17->28 30 www.massvp.com 39.108.57.226, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 17->30 32 5 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 wlanext.exe 1 12 17->21         started        signatures10 process11 signatures12 48 Tries to steal Mail credentials (via file access) 21->48 50 Tries to harvest and steal browser information (history, passwords, etc) 21->50 52 Modifies the context of a thread in another process (thread injection) 21->52 54 2 other signatures 21->54 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-31 11:14:07 UTC
AV detection:
39 of 48 (81.25%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfarya23zybtlbn7dkzhqj5l6xvnbsidcbsijdqiafh3dlxbqkzq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0e1253abec933b14f592f8ab6fcfaeba8fb3b9d24f9ef2a7021345d2fc738b3f
Formbook
2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be
Formbook
399013dde1bc2ce10effb58c3e970c8bf82d597c3b5f606a0e4ad79567515b2c
Formbook
3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270
Formbook
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
Formbook
4170e48189174a9cc84f6c019f454a20e30a35605be0f8e2a3e26a516e2c1090
Formbook
4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
Formbook
5a744c8440f5d46b0bde9abe9086a5f1ee8c1a54104811fee10179d441af5508
Formbook
777d646e09cf725986f3617d40d5bca943d077015759e346e3e8f5314cac13ce
Formbook
fa355139bfaa9fcf4324154194f2cb280899be4863fd278c7b06440d84a14d39
Formbook
+ 2'244 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200731-lbs7yb3x9e/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Executes dropped EXE
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xls 6031b6aeab0b8c5111938e3c0819e717858aa3586bcdacea994d980ac36c5368

Formbook

Executable exe 49411c035bce033585bf1ab27827abf5ead0c9031064848e08014fb1aee182b3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/422782/
  
Dropped by
MD5 7689c98d5db51db149591210ad24c4ff
  
Dropped by
SHA256 6031b6aeab0b8c5111938e3c0819e717858aa3586bcdacea994d980ac36c5368
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/36460/

Comments