MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558
SHA3-384 hash: ddff32a19c34fa0e3aedaad51c4a77b948caaec357c35618d53cf3809f9e27cc7b4a93a34af3b1682af42183bdecf53a
SHA1 hash: c38a41159393133fc2faaf307b38ef7a335cdce8
MD5 hash: eb87faad8a3257ed0639fe97aa137150
humanhash: gee-vegan-kitten-bacon
File name:proceed.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:3'430'912 bytes
First seen:2020-12-09 11:05:05 UTC
Last seen:2020-12-09 13:02:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 98304:jjq09EKiUi4YEnlKlZarxAdlrcsxriNpj:jjq0tvi4t4aQdLij
Threatray 3'155 similar samples on MalwareBazaar
TLSH B8F5F142A711CBE0DEB5B2BF13645B1D23F5F4DB1AC1C3595F0A8AE199932C1AA8D70C
Reporter abuse_ch
Tags:exe FormBook geo TUR


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: racinformatica.infortelecomhosting.com
Sending IP: 84.246.211.222
From: Tolgahan KARAYEL <tkarayel@alfaglb.com>
Subject: SON HATIRLATMA!! vadesi gelen ödeme
Attachment: SKM Teklif scanned.rar (contains "proceed.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
proceed.exe
Verdict:
Malicious activity
Analysis date:
2020-12-09 11:13:58 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/1051adb3-f79a-458d-92e2-0b36b9eb957f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107462/
Detection(s):
SecuriteInfo.com.Generic.mg.eb87faad8a3257ed.28611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558922
Signature
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 328559 Sample: proceed.exe Startdate: 09/12/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Yara detected FormBook 2->38 40 .NET source code contains very large array initializations 2->40 42 3 other signatures 2->42 10 proceed.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\proceed.exe.log, ASCII 10->28 dropped 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->52 14 mscorsvw.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 2 other signatures 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.mybestme.store 213.186.33.5, 49749, 80 OVHFR France 17->30 32 mywillandmylife.com 34.102.136.180, 49748, 49759, 80 GOOGLEUS United States 17->32 34 7 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 explorer.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3vluut3bdllwqllcldmfn5u2vm7z23f2ctroobzuy5hjlga6vma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
Formbook
29562212d731f51f5773e7996530971ccecfe84d6116bcbdbb3e41e6a2054b9a
Formbook
4e98a7f7084a5fa80d8e1dd45e8b8f8a1f9fc891d223cc265524cfcfe3c57c0b
Formbook
765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037
Formbook
82c53ee74253581efe369c99373d6c978b3b9b799eb04de6c4eb59d2825e8ee2
Formbook
af61853ca27001c0721463fce68bb033a9084e9fcd0c6ced3acd7fc3ea0e957a
Formbook
bbb95e154a42908b2bbb1797d8b6178343b7c084158183f628b5c4bf3fe5ac7d
Formbook
d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c
Formbook
fa1c05c7ea1e94e08982755ca1d13051a6cd334fa3e93aa98b5bcc2ebb910f59
Formbook
fe0ec12b661e1ffaa00bb79f06c7478e37beb2437ecbbb85e7d149b53ac79111
Formbook
+ 3'145 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201209-kgpc6gfd6j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.registeredagentfirm.com/jqc/
Unpacked files
SH256 hash:
4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558
MD5 hash:
eb87faad8a3257ed0639fe97aa137150
SHA1 hash:
c38a41159393133fc2faaf307b38ef7a335cdce8
Link:
https://www.unpac.me/results/eee1f0de-4244-45e7-882f-b72320048f67/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/eee1f0de-4244-45e7-882f-b72320048f67/
SH256 hash:
9790a6aa3d28d77d320c8f32938122c1212b7f6291daa7511f854a3fcd0fb037
MD5 hash:
6e53bc3c0364eefd1d448d25e026975d
SHA1 hash:
f11ea87b0638531f442b113feb19dbaae81ad518
Link:
https://www.unpac.me/results/eee1f0de-4244-45e7-882f-b72320048f67/
SH256 hash:
f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash:
b1c72a8e99542c64507470535686ddd9
SHA1 hash:
fe3bec4b6e2b7091db68705feb59090c24c8b6ed
Link:
https://www.unpac.me/results/eee1f0de-4244-45e7-882f-b72320048f67/
SH256 hash:
d8dad4f2876c2fbf8cc4e826910b4cf5975bad5c053aa0c5746eb692c4765737
MD5 hash:
b8342f3982ebd8a24144daa6b5e0df8a
SHA1 hash:
d284aabefad8efe52cabcbb475d14e184c49c15b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/eee1f0de-4244-45e7-882f-b72320048f67/
Parent samples :
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558
d69b7f8a3a50e7357a74fb671743c58b8db46f3f5cc6b191ba636eb33a161672
d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
cd63e20a002279934bc2ed4887d77605686a79f28f8114f9c01b678754a1e10a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 21d262f859463a81194b9413df0e92001b0219aeafccaade063ee1c08b919bbe

Formbook

Executable exe 4eeaba527b08d6bb416b12c6c2b7b4d559fceb65d0a7173839a63a74acc0f558

(this sample)

  
Dropped by
MD5 5b68d432493edafebee1b3ffa4d36e65
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 21d262f859463a81194b9413df0e92001b0219aeafccaade063ee1c08b919bbe
Cape
Cape
https://www.capesandbox.com/analysis/107462/

Comments