MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cb1215ffaab1feb117a9df705adb8b385ce4e345103da10e05438d0a6052791. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cb1215ffaab1feb117a9df705adb8b385ce4e345103da10e05438d0a6052791
SHA3-384 hash: aed671412d72c8c8211a5b8a77b3f7807aaa3e996e0d51f0a07ca9d848f5b075aa6d27cc68c6c239f303248f2cb91e66
SHA1 hash: b6ce35cbb3019e02e4d47c3ceec9d92453fe61d1
MD5 hash: 4e173915157c9646db50ca2d8b3af396
humanhash: chicken-ohio-oven-floor
File name:Doc_82734872443.pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:287'744 bytes
First seen:2020-07-21 09:51:31 UTC
Last seen:2020-07-21 11:24:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:X1DBsiMZqqxUqbGour7Sps5zx6vP6wvgx6evkZ0G3:X1DBfQbUQGbvMs66YTZB
Threatray 5'110 similar samples on MalwareBazaar
TLSH 145412275BF4637FC49D87BE8042661053B0E221980BF6481ED6841A25B77D94FF27B7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.megatronglasses.partners
Sending IP: 162.241.205.179
From: Ryo SAKAI <info@megatronglasses.partners>
Subject: DC and UPS System / RFQ Issuance / Cut-off date : 2020-07-29 [TongYeong CCPP]
Attachment: Doc_82734872443.pdf.img (contains "Doc_82734872443.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30028/
Detection(s):
SecuriteInfo.com.Generic.mg.4e173915157c9646.29657.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392961
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 248846 Sample: Doc_82734872443.pdf.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 51 www.drjaysarkar.com 2->51 53 drjaysarkar.com 2->53 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 10 other signatures 2->67 11 Doc_82734872443.pdf.exe 2->11         started        signatures3 process4 signatures5 83 Detected unpacking (creates a PE file in dynamic memory) 11->83 85 Tries to detect virtualization through RDTSC time measurements 11->85 87 Injects a PE file into a foreign processes 11->87 14 Doc_82734872443.pdf.exe 11->14         started        process6 signatures7 89 Modifies the context of a thread in another process (thread injection) 14->89 91 Maps a DLL or memory area into another process 14->91 93 Sample uses process hollowing technique 14->93 95 Queues an APC in another process (thread injection) 14->95 17 explorer.exe 1 6 14->17 injected process8 dnsIp9 45 www.fidem-consecuta.com 213.171.195.105, 49719, 80 ONEANDONE-ASBrauerstrasse48DE United Kingdom 17->45 47 www.quidoz.com 162.0.224.62, 49720, 49721, 49722 NAMECHEAP-NETUS Canada 17->47 49 www.thekontainers.com 17->49 37 C:\Users\user\AppData\...\audiodgbjnhwjx0.exe, PE32 17->37 dropped 69 System process connects to network (likely due to code injection or exploit) 17->69 71 Benign windows process drops PE files 17->71 22 rundll32.exe 1 18 17->22         started        26 audiodgbjnhwjx0.exe 17->26         started        28 msdt.exe 17->28         started        file10 signatures11 process12 file13 39 C:\Users\user\AppData\...\31-logrv.ini, data 22->39 dropped 41 C:\Users\user\AppData\...\31-logri.ini, data 22->41 dropped 43 C:\Users\user\AppData\...\31-logrf.ini, data 22->43 dropped 73 Detected FormBook malware 22->73 75 Tries to steal Mail credentials (via file access) 22->75 77 Tries to harvest and steal browser information (history, passwords, etc) 22->77 81 2 other signatures 22->81 30 cmd.exe 1 22->30         started        32 audiodgbjnhwjx0.exe 26->32         started        79 Tries to detect virtualization through RDTSC time measurements 28->79 signatures14 process15 signatures16 35 conhost.exe 30->35         started        55 Modifies the context of a thread in another process (thread injection) 32->55 57 Maps a DLL or memory area into another process 32->57 59 Sample uses process hollowing technique 32->59 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4cb1215ffaab1feb117a9df705adb8b385ce4e345103da10e05438d0a6052791/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 09:53:05 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jsyscx72vmp6wel2tx3qllnywoc44trukeb5uehakq4nbjqfe6iq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
5bd27386ef3a7ad330e244fc7db1624b950b4edf0bcec08e98ac58c9d5e7422d
FormBook
6012fb54cc0a67842710e7189ebfa42c27d30f18a604fbb4122734fb23b7accd
FormBook
6b17c7fa9318e19b00115ee75af6c8ee3b811e7983ed96ae819461482834137e
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
baf23acf5e1b9e4bd094eac1e69d2971ad2259d407f6572e43598cfcdb5806d8
FormBook
c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615
FormBook
d2641eefb1f61e48b87efdf457c48469b11192863ce4aafaa630d14c6cdee9be
FormBook
ed3e93996b60fbaeb82c59f62dc3dcee809b229748ad7772829a8f738e307cbd
FormBook
f708f99bcb86bc017f5b34435a241cb77fa4bc4c37d47b85f1ecc43e9ddc365c
FormBook
+ 5'100 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200721-j9dny1af16/
Behaviour
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/4cb1215ffaab1feb117a9df705adb8b385ce4e345103da10e05438d0a6052791

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 680102e99ee308c093718ac34d2adfae32917b6892ecaea61a20303c6e041de3

FormBook

Executable exe 4cb1215ffaab1feb117a9df705adb8b385ce4e345103da10e05438d0a6052791

(this sample)

  
Dropped by
MD5 ff03da8debe83ea02ae2fdb1b43f78b5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30028/
  
Dropped by
SHA256 680102e99ee308c093718ac34d2adfae32917b6892ecaea61a20303c6e041de3

Comments