MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a
SHA3-384 hash: 80e50ea8b772c9a38f18f6b7702f872a29a70fa6e311b6aae1dd1e5f78dde4eecc4a41c0dba18a8348b42ea55c717e6a
SHA1 hash: 8e43d8ed2743c5ddd7f92577139ad5f61503bf7c
MD5 hash: 463c4ab7d6fb5ccf5a6390016276ab2e
humanhash: carbon-rugby-maryland-oscar
File name:INV202010778369.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:524'800 bytes
First seen:2020-10-21 08:05:25 UTC
Last seen:2020-10-26 07:07:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0/XSzROZ1fEJ7lS/2Ius+ErPVmba3iAAt150WbtM25:uX5hk7lk2Ius+ErtmmWt/tM2
Threatray 2'583 similar samples on MalwareBazaar
TLSH 2BB4F13212A86F61E67E9B3C6031200013F4F13BD7A3E59DBDE990DE19B6F458172B69
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: box.dhlexpressmx.xyz
Sending IP: 192.236.209.16
From: Grupo Bamex. S.A. de C.V. <office@dhlexpressmx.xyz>
Subject: Re: Recibo De Remesa - INVJO2002534/10/778369
Attachment: INVJO 2002534 01IG0_PDF.IMG (contains "INV202010778369.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73889/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3706.30703.425.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505385
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301722 Sample: INV202010778369.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Sigma detected: Steal Google chrome login data 2->54 56 7 other signatures 2->56 10 INV202010778369.exe 3 2->10         started        process3 file4 38 C:\Users\user\...\INV202010778369.exe.log, ASCII 10->38 dropped 68 Writes to foreign memory regions 10->68 70 Allocates memory in foreign processes 10->70 72 Injects a PE file into a foreign processes 10->72 14 vbc.exe 10->14         started        17 vbc.exe 10->17         started        signatures5 process6 signatures7 76 Modifies the context of a thread in another process (thread injection) 14->76 78 Maps a DLL or memory area into another process 14->78 80 Sample uses process hollowing technique 14->80 82 Queues an APC in another process (thread injection) 14->82 19 explorer.exe 14->19 injected 84 Tries to detect virtualization through RDTSC time measurements 17->84 process8 dnsIp9 42 recruit-marilyn.com 49.212.235.228, 49741, 49742, 49743 SAKURA-CSAKURAInternetIncJP Japan 19->42 44 www.boyuoqmzia.site 18.182.6.150, 80 AMAZON-02US United States 19->44 46 2 other IPs or domains 19->46 58 System process connects to network (likely due to code injection or exploit) 19->58 23 netsh.exe 18 19->23         started        signatures10 process11 dnsIp12 48 www.boyuoqmzia.site 23->48 34 C:\Users\user\AppData\...\K63logrv.ini, data 23->34 dropped 36 C:\Users\user\AppData\...\K63logri.ini, data 23->36 dropped 60 Detected FormBook malware 23->60 62 Tries to steal Mail credentials (via file access) 23->62 64 Tries to harvest and steal browser information (history, passwords, etc) 23->64 66 3 other signatures 23->66 28 cmd.exe 2 23->28         started        file13 signatures14 process15 file16 40 C:\Users\user\AppData\Local\Temp\DB1, SQLite 28->40 dropped 74 Tries to harvest and steal browser information (history, passwords, etc) 28->74 32 conhost.exe 28->32         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a/
Threat name:
ByteCode-MSIL.Spyware.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 19:22:09 UTC
AV detection:
24 of 25 (96.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfb6b6aqyii54e2pois4ela5iu62rlfqwz3uxbvwb3vqqs3bun5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12898cbec097104c225702c61e311cc6e12d0f4ac55b95a1eb41a812e6941748
FormBook
2f96167c307b2b82ca3ed1b6b6368b607cb075e178aef0ea4ff7bd4c203e7d6b
FormBook
41460fb3f977f3130a43b79af43befae6f7ba72270f20d4f928fd35bdd28ec0b
FormBook
5eb9ca5476eb4c9c83bbb5d6bbb7ff90474749121e2e063bbd9e988c4e4917e2
FormBook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
FormBook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
FormBook
a9ee569395b89fd6a4a129896d38f1ed68fb6b512bbd54cdf570ec4f2ea70497
FormBook
b9225c079305112fcd1d5be698796eb426a668779daff06b99986266c161ab52
FormBook
d0d44ccb48b649e89a18773ccea8337047e57247d29dbedc1abab31f265e7e45
FormBook
ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e
FormBook
+ 2'573 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/201021-nb9a7drbzn/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.skailanirecruiting.com/rzt/
Unpacked files
SH256 hash:
5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a
MD5 hash:
463c4ab7d6fb5ccf5a6390016276ab2e
SHA1 hash:
8e43d8ed2743c5ddd7f92577139ad5f61503bf7c
Link:
https://www.unpac.me/results/cefd334f-dd4b-4253-97ec-ec6deb731e8c/
SH256 hash:
a463743c6edefcbde5afb0f30a71a96a9ad568f80b44d71798a56fd22d989981
MD5 hash:
e8346804ba810dbee744be722e27c52b
SHA1 hash:
8b1a57965e2ca056248229ed370be2e381bd5ae8
Link:
https://www.unpac.me/results/cefd334f-dd4b-4253-97ec-ec6deb731e8c/
SH256 hash:
67c381af41fe45302a8c95d27766bf2a39a30aee11bca3c22252fb79000ceb0f
MD5 hash:
73fad838fcfc5c445a53cd934b929412
SHA1 hash:
ddd29fbb3ddb8624fcd1056c8901053f25110e05
Link:
https://www.unpac.me/results/cefd334f-dd4b-4253-97ec-ec6deb731e8c/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/cefd334f-dd4b-4253-97ec-ec6deb731e8c/
SH256 hash:
1012895ff8985de127b3aa8a24dd0acf16509c9a9a68b0eef3b28463fd61d2ea
MD5 hash:
aee42f7575eafc4c75ab86b9c98df77c
SHA1 hash:
21b98de1c00b6ea67dcade532c29306dff331850
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/cefd334f-dd4b-4253-97ec-ec6deb731e8c/
Parent samples :
c5219c1f956fe3fd523989a140c35f2ffbcbc7d79218262a29f6a660985175c0
5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 876005dcba89dd510717592ef26fc586299a6233c2cae3428b471b77162cd2cd

FormBook

Executable exe 5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a

(this sample)

  
Dropped by
MD5 c03a44a15700384fc2cf0b041e1d121a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73889/
  
Dropped by
SHA256 876005dcba89dd510717592ef26fc586299a6233c2cae3428b471b77162cd2cd

Comments