MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664
SHA3-384 hash: 3cba90cfcec2ee84fd51831f5bb98f9f2be58f052c772c5b749d6f1d107fcc555aa8ca8e4169554171f6b6ce33ff81ac
SHA1 hash: 4abbc932878a42eec7a438fc383370e83ea43d7e
MD5 hash: 30a88aaca2412bcc3914382dce41ae1a
humanhash: kansas-virginia-helium-mississippi
File name:PURCHASE ORDER.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:547'328 bytes
First seen:2020-07-16 09:22:01 UTC
Last seen:2020-07-16 10:05:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:xOUOcG/7MS/3oKwi2k4zUURMfus1rRimGmEHmVMg:xr1GzMc3odWig
Threatray 5'503 similar samples on MalwareBazaar
TLSH BAC47DC87510719EC85E8E758964DC30A6203C66F7FBE20A63C77D9F7A3E587DA011A2
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26612/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.26132.17782.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389513
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 246942 Sample: PURCHASE ORDER.exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 35 www.beejson.com 2->35 37 nm.aicdn.com 2->37 39 image-upyun-beejson.b0.aicdn.com 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 5 other signatures 2->47 11 PURCHASE ORDER.exe 3 2->11         started        signatures3 process4 file5 27 C:\Users\user\...\PURCHASE ORDER.exe.log, ASCII 11->27 dropped 14 PURCHASE ORDER.exe 11->14         started        process6 signatures7 55 Modifies the context of a thread in another process (thread injection) 14->55 57 Maps a DLL or memory area into another process 14->57 59 Sample uses process hollowing technique 14->59 61 Queues an APC in another process (thread injection) 14->61 17 explorer.exe 14->17 injected process8 dnsIp9 29 www.roofingscontractors.com 17->29 31 www.restaurantkilimanjaro.com 17->31 33 www.drakorsubindo.site 17->33 20 mstsc.exe 17->20         started        process10 signatures11 49 Modifies the context of a thread in another process (thread injection) 20->49 51 Maps a DLL or memory area into another process 20->51 53 Tries to detect virtualization through RDTSC time measurements 20->53 23 cmd.exe 1 20->23         started        process12 process13 25 conhost.exe 23->25         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 09:23:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k4ruupwdx4wt4zjzujjccwk5pep462g35u42sqtfdam4ot6dyzsa._file
Verdict:
malicious
Similar samples:
0725fa234dd7f9bdcbcd0eef96c79017200f5c27676e4126a00c6d33e6601a5a
Formbook
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
Formbook
27cbd2139f326adf45adefa425f7295af578ac5d9ecceab36da74c5af53def1f
Formbook
2bde8d605b2ce54ea697cab8be4daff0c2349322b42a96c8a9237ac7eff35314
Formbook
43a2a98bb50daedc36c6f08ab5698638de59f80ad30f9754b8ff690d90c088f3
Formbook
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
Formbook
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
Formbook
6d0c9ea95d779737b7e9ea2a838a0efede90f1d3c6ce91943e65067a82631b81
Formbook
9256cc7129421443ba770b55f01042e58fa5af856df1db31e830f147213c2a1c
Formbook
faf1dca0b043816dc1a448c778e8fc03030add15983e04a7cc39851297615c4f
Formbook
+ 5'493 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200716-jcjstct1re/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz ad6d02dac950318df1efa004cb9368216b5b4f857fe510c29f64bcad6ae94ad5

Formbook

Executable exe 57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/26612/
  
Dropped by
SHA256 ad6d02dac950318df1efa004cb9368216b5b4f857fe510c29f64bcad6ae94ad5

Comments