MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 567501cea05864d3014fb29cd4d74eb3e18dfdfb73f0669f5c0592fc73779afc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 10

SHA256 hash: 567501cea05864d3014fb29cd4d74eb3e18dfdfb73f0669f5c0592fc73779afc
SHA3-384 hash: 76d3fdf5ffdd4ffe9658d7d3a2b499173247d92155f898029a89d2499502b3d9e5781b1f0d3d93eb5f131d64b889cdaa
SHA1 hash: 7f2ba3c7ab10e5eae8b51fa4cb490ec30b45b99e
MD5 hash: 54c2f72c614b21d11de273ba0d2f9231
humanhash: oklahoma-north-bacon-golf
File name: dhl_27022020_9887228996_78855.PDF.exe
Signature: Formbook
File size: 744'960 bytes
First seen: 2020-08-03 10:37:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 831ec412be4cd06baa632b18086fedb4 (12 x AgentTesla, 6 x MassLogger, 6 x Loki; an imphash shared by several families points to a common packer or loader import table rather than to the payload family, so it is a packer pivot, not a family pivot)
ssdeep: 12288:CZnVKDTViiHWs0H/3b6Wx/wtmqOFOUW3WNg3hVnCFUv:k44isf3bXot2CWojn
Threatray: 5'099 similar samples on MalwareBazaar
TLSH: E1F4AEE2A6F04533C1272A3CBC5B67749C29BF106A68B8766FF51C4C4F3969138E5293
Reporter: theDark3d
Tags: dealply exe FormBook malware

Intelligence

File Origin
# of uploads: 1
# of downloads: 111
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Suspicious Double Extension
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected FormBook
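The "Suspicious Double Extension" signature above fires on the sample's file name, where a document-looking `.PDF` sits directly in front of the `.exe` that Windows actually uses to pick the handler. The check below is an added example written for this page, not the sandbox's or Sigma's own rule. The extension lists are assumptions chosen for illustration, and the sample names other than the one from this entry are constructed.

```python
"""Flag double-extension lure file names such as the one carried by this sample.

Added example (not part of the MalwareBazaar page or any vendor's rule): it mirrors the
idea behind the "Suspicious Double Extension" signature, i.e. a document-looking
extension immediately followed by an extension Windows will execute.
"""
from typing import List, Optional, Tuple

# Extensions Windows will execute or hand to a script host when double-clicked
# (assumed list for this example; extend it for your environment).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk"}

# Extensions a lure borrows to look like a document, image or archive (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
              "csv", "jpg", "jpeg", "png", "gif", "zip", "rar", "7z"}


def double_extension(name: str) -> Optional[Tuple[str, str]]:
    """Return (decoy_ext, real_ext) if `name` is a double-extension lure, else None.

    Only the last extension decides how Windows opens the file, so the check looks at
    the last two dot-separated parts. It is case-insensitive (PDF.exe == pdf.exe),
    strips any leading path, and tolerates whitespace padding between the two
    extensions, a trick used to push the real extension out of view in Explorer.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 3:          # need a stem plus two extensions
        return None
    decoy, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def scan_names(names: List[str]) -> List[str]:
    """Return the subset of `names` that match the lure pattern, in input order."""
    return [n for n in names if double_extension(n) is not None]


# Constructed sample input: the file name from this entry plus names that must not
# be flagged (a plain document, a plain executable, a legitimate compound extension,
# and a name whose middle part is not a decoy extension).
SAMPLE_NAMES = [
    "dhl_27022020_9887228996_78855.PDF.exe",
    "C:\\Users\\alice\\Downloads\\invoice.pdf                .exe",
    "report.pdf",
    "setup.exe",
    "archive.tar.gz",
    "my.backup.exe",
]

if __name__ == "__main__":
    for n in scan_names(SAMPLE_NAMES):
        print("suspicious double extension:", n, double_extension(n))
```

Run it over file names from mail-gateway or Sysmon FileCreate events; the second constructed name shows why the check must strip whitespace, since "invoice.pdf" followed by a run of spaces is what the user sees in Explorer.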
Behaviour
Behavior Graph: (image, not reproduced here)

Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-08-03 07:39:20 UTC
AV detection: 41 of 48 (85.42%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: rat trojan spyware stealer family:formbook
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Formbook Payload
Formbook
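The behaviour lists above (WriteProcessMemory, MapViewOfSection, SetThreadContext, injection into a recently created process and then into a system and a browser process) are the classic write-then-execute sequence of process hollowing followed by a second-stage injection. The detector below is an added example written for this page, not any sandbox's own logic. It assumes a simple one-event-per-line trace format with PIDs already resolved ("pid=… api=… target=… flags=…"); real sandbox logs usually report handles that must first be mapped to PIDs. The trace it runs on is constructed.

```python
"""Detect the cross-process write-then-execute sequence behind the injection
behaviours listed for this sample.

Added example, not the sandbox's own logic. Input format (assumed for this example):
one API call per line, "pid=<caller> api=<name> target=<pid> flags=<hex>".
"""
import re
from typing import Dict, List, Optional

# APIs that place code or data in another process.
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}
# APIs that make another process execute what was placed there.
EXEC_APIS = {"SetThreadContext", "NtSetContextThread", "CreateRemoteThread",
             "NtCreateThreadEx", "QueueUserAPC", "NtQueueApcThread"}
CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit from the Win32 API

LINE_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)"
    r"(?:\s+target=(?P<target>\d+))?"
    r"(?:\s+flags=(?P<flags>0x[0-9a-fA-F]+))?"
)


def parse_event(line: str) -> Optional[Dict]:
    """Parse one trace line; returns None for lines that do not match the format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "pid": int(m["pid"]),
        "api": m["api"],
        "target": int(m["target"]) if m["target"] else None,
        "flags": int(m["flags"], 16) if m["flags"] else 0,
    }


def detect_injection(lines: List[str]) -> List[Dict]:
    """Return one alert per (source, target) pair that wrote into another process and
    then forced it to execute. A target the source itself created suspended is
    labelled process hollowing; any other pair is labelled remote code injection."""
    suspended, wrote, alerted = set(), set(), set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["target"] is None or ev["target"] == ev["pid"]:
            continue                  # malformed, no cross-process target, or self
        pair = (ev["pid"], ev["target"])
        if ev["api"] in CREATE_APIS and ev["flags"] & CREATE_SUSPENDED:
            suspended.add(pair)
        elif ev["api"] in WRITE_APIS:
            wrote.add(pair)
        elif ev["api"] in EXEC_APIS and pair in wrote and pair not in alerted:
            alerted.add(pair)
            alerts.append({
                "source": pair[0],
                "target": pair[1],
                "technique": "process hollowing" if pair in suspended
                             else "remote code injection",
                "trigger": ev["api"],
            })
    return alerts


# Constructed trace (not a real sandbox log): the loader hollows a suspended child,
# the child then injects into an already-running process (PID 3000), and two benign
# lines (a self-write and a read-only access) must not alert.
SAMPLE_TRACE = [
    "10:37:10.001 pid=1234 api=CreateProcessW target=1240 flags=0x4",
    "10:37:10.002 pid=1234 api=NtUnmapViewOfSection target=1240",
    "10:37:10.003 pid=1234 api=WriteProcessMemory target=1240",
    "10:37:10.004 pid=1234 api=SetThreadContext target=1240",
    "10:37:10.005 pid=1234 api=ResumeThread target=1240",
    "10:37:11.000 pid=1240 api=NtMapViewOfSection target=3000",
    "10:37:11.001 pid=1240 api=NtQueueApcThread target=3000",
    "10:37:12.000 pid=5000 api=WriteProcessMemory target=5000",
    "10:37:12.001 pid=6000 api=ReadProcessMemory target=6100",
]

if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_TRACE):
        print(alert)
```

The alert is raised on the execution step rather than the write, because a remote write alone (debuggers, some installers) is noisy; the suspended-creation flag is what separates hollowing from a plain remote-thread or APC injection.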
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.