MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4951d233fb87fd6036e0baadf6b91ceb91ebe5d61fc048a27949949c8476b82d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4951d233fb87fd6036e0baadf6b91ceb91ebe5d61fc048a27949949c8476b82d
SHA3-384 hash: 50b2ada47ab91489a9a889999d0ab6290aa1406bc8ebe78e5d82d4df50f77128228243c303328bb23dc1b403bdeef638
SHA1 hash: ea2fff8f75afad9534054803ed60f46d891f8fd6
MD5 hash: 413bd9d03c8347c4a3d654c9d478781b
humanhash: blue-lima-london-hotel
File name:Nepal Pharmaceuticals Laboratory.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:823'296 bytes
First seen:2020-08-03 15:07:23 UTC
Last seen:2020-08-03 16:03:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:aHP3kVwFTjmxO7SBEGx7A1p86tbg7eiHeHdbbKRreC67WQ:MPQwFHm2SBEG1Av1la+HdbbKRCC6v
Threatray 2'275 similar samples on MalwareBazaar
TLSH EC055B513949EC62C2A76B32DC8FC21443B9AD10A9D1DA17B5DA73ED0622BF7DC064CE
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.vreo.net
Sending IP: 143.95.90.162
From: nplmkt@npl.com.np
Reply-To: alfa@qualityservice.com
Subject: Nepal Pharmaceuticals Laboratory Pvt. Ltd. (NPL) / Request For Quotation
Attachment: Nepal Pharmaceuticals Laboratory.zip (contains "Nepal Pharmaceuticals Laboratory.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38010/
Detection(s):
SecuriteInfo.com.Generic.mg.413bd9d03c8347c4.19761.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408195
Signature
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4951d233fb87fd6036e0baadf6b91ceb91ebe5d61fc048a27949949c8476b82d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 15:09:07 UTC
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfi5em73q76wanxaxkw7noi45oi6xzowd7aeritzjgkjzbdwxawq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22d5036d18a7dbaf7a67487165b4bca434220d5d066ba9f74bc1ad20eb37290a
FormBook
31bbcec93f8b67bf3f88604f02be4ab02ef1b6b55829d864381db26848ee8773
FormBook
6d0c9ea95d779737b7e9ea2a838a0efede90f1d3c6ce91943e65067a82631b81
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
8247e9152d0b43ffa80b4c82843bb0903043841c8b9c855ff312461f6443faf4
FormBook
897c29c75ae58e4057c0d32c3704469a7ecfa4878f5d0c60ad8abe2fa821b0b0
FormBook
8e395f386862d95d1a2837a56ffac8ec6a8dacd3e61fac1912f1960ada8c5abd
FormBook
a14dc3eb54f3876b3a2bfc6e0aa105c832fc5424130c43248995cceda6790133
FormBook
cbbc3af13a3cc33ff5dffb137c7276dd246f9b9a696de51d6858461e986d4ebd
FormBook
db31ede125999d44d9c886d76eb8d5c5ee280f17130e3e3138bf1f76935d1b99
FormBook
+ 2'265 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200803-b42ccmb8ks/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/4951d233fb87fd6036e0baadf6b91ceb91ebe5d61fc048a27949949c8476b82d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip fad8c260778b6e2a684ae71519c759344f2f5dc06879dd27f5bbb87b7d06f3d9

FormBook

Executable exe 4951d233fb87fd6036e0baadf6b91ceb91ebe5d61fc048a27949949c8476b82d

(this sample)

  
Dropped by
MD5 ace0e2e39f8318e86aedc750075369fd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38010/
  
Dropped by
SHA256 fad8c260778b6e2a684ae71519c759344f2f5dc06879dd27f5bbb87b7d06f3d9

Comments