MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984
SHA3-384 hash:	d6c7f10dc9b9397c7e0927feacd7fc39a0d92b7cba726020ee17cef82dd3d93232d0e7fe9107b8a747c79e44428af446
SHA1 hash:	b9b7f1ede1802af32765f8063ebb7306ca3d23c5
MD5 hash:	ce35c84bc463eca5f6d02214d8874bbc
humanhash:	kilo-august-missouri-oven
File name:	PO#9943440.pdf.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	907'264 bytes
First seen:	2020-08-17 06:04:18 UTC
Last seen:	2020-08-17 07:00:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:lS1QbvgWK5WpL2ElsYKPg1k4FGEE282+13sf8irOhRxuX:EQbvxaWUE/vCEEb
Threatray	2'240 similar samples on MalwareBazaar
TLSH	3B15C52F3482DE74D829017F2824DDC1E724AD453EC4BA2E629A72CD6F2F676663350D
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing Formbook:

HELO: slot0.stauboi.com
Sending IP: 45.95.168.229
From: import and export department <orderss@stauboi.com>
Reply-To: import and export department <orderss@stauboi.com>
Subject: order PO#9943440
Attachment: PO9943440.pdf.rar (contains "PO#9943440.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/46620/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.34373592.12256.14367.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Sending a UDP request

Creating a file

Creating a process from a recently created file

Launching a process

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/432512

Signature

Allocates memory in foreign processes

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-08-16 22:55:30 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=j7lm7ngaqm4orm5g5rsbdcvgvwidkdugl2idmw23oafkigiixgca._file

Verdict:

malicious

Formbook

112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818

Formbook

3d8ff1b4492a541b44c03733b090c73fd992535d8c4e867abc0e6aeaf5b58b30

Formbook

7fcf92c7dcd71c8dd4d0b073877afb90075305390ccf6e3a50ca598211e0469f

Formbook

9295ce88660ed117b7cfff0886232a51dc6492bf6100738957bf93fabdb74bb8

Formbook

a4fb872505b79e9ecf7b8f1a2c4081e2e31edee3b4c5f30748fdfb0973ae21c6

Formbook

a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453

Formbook

b20e67792a0edf233f319f7af96f189451bb8cd4df24c93fcf0e586a473f552d

Formbook

b25e43fe3f6068eb13b79f8900dea897533005aee7e2139e6676b7cdc92cc588

Formbook

fc95c84eb428f263fef3220d512a2f602570f2acb41a46114244c30af48fd51b

Formbook

+ 2'230 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

agilenet rat trojan spyware stealer family:formbook persistence

Link:

https://tria.ge/reports/200817-kb1cdl6vfe/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Adds policy Run key to start application

Executes dropped EXE

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.iskovlay.com/gdo/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator