MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf
SHA3-384 hash: 20723c8fc6d539702b30740901934295784ed1d855ca763fc79e415b198db5f7422a7d62fa3be57d6c8eea68198b276b
SHA1 hash: 3b2e603bfc8a7491b39c2b727f12d62358cef795
MD5 hash: 1325e793007a9ea3807988d6154b12ba
humanhash: avocado-april-apart-thirteen
File name:S12GF803.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:566'784 bytes
First seen:2020-10-05 11:20:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:JqsXWjM6SAMdxEaExI2dNFv5WVh6FNhVonj:JqL3MrfExI2dwVh6F5oj
Threatray 2'306 similar samples on MalwareBazaar
TLSH E3C4BEB58E442AD7C7AD1975C400A23052FEFE091351FA6B2FA67CD172B3249BB61EC4
Reporter abuse_ch
Tags:DEU exe FormBook geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: pizza-vip06.virtualhosting.hk
Sending IP: 203.135.158.191
From: edward.sun@hengtai-law.co.uk
Subject: Gerichtsbeschluss
Attachment: S12GF803.zip (contains "S12GF803.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68142/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481284
Signature
Benign windows process drops PE files
Creates an undocumented autostart registry key
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293083 Sample: S12GF803.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 5 other signatures 2->62 10 S12GF803.exe 3 2->10         started        process3 file4 46 C:\Users\user\AppData\...\S12GF803.exe.log, ASCII 10->46 dropped 76 Tries to detect virtualization through RDTSC time measurements 10->76 78 Injects a PE file into a foreign processes 10->78 14 S12GF803.exe 10->14         started        signatures5 process6 signatures7 82 Modifies the context of a thread in another process (thread injection) 14->82 84 Maps a DLL or memory area into another process 14->84 86 Sample uses process hollowing technique 14->86 88 Queues an APC in another process (thread injection) 14->88 17 explorer.exe 6 14->17 injected process8 dnsIp9 50 www.thamys.xyz 199.192.22.171, 49751, 49752, 49753 NAMECHEAP-NETUS United States 17->50 52 www.svipjv4y.com 104.27.148.242, 49746, 49747, 49748 CLOUDFLARENETUS United States 17->52 54 www.wlmio.com 66.96.160.157, 49744, 80 BIZLAND-SDUS United States 17->54 38 C:\Users\user\AppData\...\2dj8anupd4ft8nh.exe, PE32 17->38 dropped 40 C:\...\2dj8anupd4ft8nh.exe, PE32 17->40 dropped 64 System process connects to network (likely due to code injection or exploit) 17->64 66 Benign windows process drops PE files 17->66 22 msdt.exe 1 18 17->22         started        26 2dj8anupd4ft8nh.exe 2 17->26         started        file10 signatures11 process12 file13 42 C:\Users\user\AppData\...\5QNlogrv.ini, data 22->42 dropped 44 C:\Users\user\AppData\...\5QNlogri.ini, data 22->44 dropped 68 Detected FormBook malware 22->68 70 Creates an undocumented autostart registry key 22->70 72 Tries to steal Mail credentials (via file access) 22->72 74 4 other signatures 22->74 28 cmd.exe 2 22->28         started        32 cmd.exe 1 22->32         started        signatures14 process15 file16 48 C:\Users\user\AppData\Local\Temp\DB1, SQLite 28->48 dropped 80 Tries to harvest and steal browser information (history, passwords, etc) 28->80 34 conhost.exe 28->34         started        36 conhost.exe 32->36         started        signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 07:40:23 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=krwksfkn3rbfqqzzdosf3is5mdsmrhmf2ng7yubi7nlo3fegdo7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
0de7b2b7c4e9974b9343de9666287a7137614cbcffc5f89932601b503712002a
Formbook
23b880c48fec41fa4fc337f0ecb3d9cd5ee8f71cd45448049a35bbcb85bb01f5
Formbook
2467572968320c67ea46c765d9cdae94d3887e44d7af7e29b88f1b0e51fa4c01
Formbook
2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Formbook
3a10c525b2f0a94e7e9facfa4685490e9a46d0d6a62be53f570fa845cd680c56
Formbook
4f90d42980450652ef19fe55ebea9e68683b4d29027900dcbeb5c26d298318fc
Formbook
53b891cd07ba659cbb5c1ced0b3099ce57990b4f90f8d27a36371df0b64060b1
Formbook
a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
Formbook
b48d79e441c68b5204400caff6884ae11446ea12336a66bdf4b8174e9fe3b8a8
Formbook
d732985d24a02a21df8e93598ea0431ae1e9a89a1afcac240e758130517d625e
Formbook
+ 2'296 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/201005-326pbw3tye/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.thamys.xyz/gss/
Unpacked files
SH256 hash:
546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf
MD5 hash:
1325e793007a9ea3807988d6154b12ba
SHA1 hash:
3b2e603bfc8a7491b39c2b727f12d62358cef795
Link:
https://www.unpac.me/results/6838c79d-0d92-4618-9d71-b4861bb7d02c/
SH256 hash:
01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a
MD5 hash:
eb593633270aa19162cf64663df9dd6c
SHA1 hash:
2ec57181471ff10abe9a04239ca3ea86ea4252b9
Link:
https://www.unpac.me/results/6838c79d-0d92-4618-9d71-b4861bb7d02c/
SH256 hash:
df8c2b62d8eed13ec8262a925897de8c3e24a812d3d82857aaef0992d85a83c0
MD5 hash:
44d7ea93b5b6757691cad6f27995e4e0
SHA1 hash:
45ea5fbd4edb77f4b3855bd8e68086afe5d99297
Link:
https://www.unpac.me/results/6838c79d-0d92-4618-9d71-b4861bb7d02c/
SH256 hash:
26e43cf1912523208a019992335ad325183dd59309eff05a78b53778f08ac855
MD5 hash:
63a894152d3255f42dcbb5251e470eb2
SHA1 hash:
6f2ed3894180651b6aff1db48e5518b49094f80b
Link:
https://www.unpac.me/results/6838c79d-0d92-4618-9d71-b4861bb7d02c/
SH256 hash:
815dba4fc93f63797acb27d5f67848d32845c2ff42618115d9c98bfe778f5cef
MD5 hash:
c7631fcb7db6695b49f92612a6383de7
SHA1 hash:
14bbadd62fa0ad080cfa96f1e697ba009acb2182
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6838c79d-0d92-4618-9d71-b4861bb7d02c/
Parent samples :
546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf
b4ccfbaa38c2372df5f18489426a89f3bedc15aefbd829179e88d672149bdd30
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip bb0cc060eaafa27b09bc56236fde9c66d8272be6bc8d66abf8f7c361ae3b6e99

Formbook

Executable exe 546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf

(this sample)

  
Dropped by
MD5 282f33b9fa44c94db0e924c01133987a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68142/
  
Dropped by
SHA256 bb0cc060eaafa27b09bc56236fde9c66d8272be6bc8d66abf8f7c361ae3b6e99

Comments