MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60952b7b0b3edeb47b07f1d2a0fb87856b165550e47c605c4ef4fb1da699a332. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60952b7b0b3edeb47b07f1d2a0fb87856b165550e47c605c4ef4fb1da699a332
SHA3-384 hash: 11f64afbc76bb23f7bd4905aaf43f5e8e4a74c61017c533a6c874854c6ba42b5368f56c2a6080dfba3ec40539caddc9e
SHA1 hash: 7a3900db8acec2a8a293563963d8371dbe4f6df6
MD5 hash: 2f7fc0ad5ebe2369e82cedf686e36ba2
humanhash: wyoming-apart-tennis-west
File name:winlog.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:480'183 bytes
First seen:2020-08-13 08:20:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24f4223e271413c25abad52fd456a9bc (21 x GuLoader, 15 x Loki, 10 x AgentTesla)
ssdeep 6144:0HfYbOdqdWWt3CrpahP7wR+6lkm8HmvFqpByyvwX9AI0G6Du48pV7Qe4MKNj0JfH:0RddWtSrpvlkm8uFq+PQS9pgMN31HP04
Threatray 2'207 similar samples on MalwareBazaar
TLSH 22A423443BE1E0A5E991C1708D7B3ABA82D1CF56EAB36F0793903A9174715C0BA1F3D6
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: eazymail.cloudissp.com
Sending IP: 202.6.21.19
From: SHANGHAI CHANCO ENTERPRISE DEVELOPMENT CO.,LTD <sunkeke@quanke.com>
Subject: NEW ORDER FOR SHIPMENT TO CHINA...
Attachment: NEW ORDER.xlsx

Formbook payload URL:
http://kungwsdycommunicationtarisupliermg43rax.duckdns.org/kungdoc/winlog.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44959/
Detection(s):
PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.ObfusRansom.bc.6542.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/425447
Signature
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 265290 Sample: winlog.exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 88 42 Malicious sample detected (through community Yara rule) 2->42 44 Yara detected FormBook 2->44 46 Uses netstat to query active network connections and open ports 2->46 10 winlog.exe 36 2->10         started        process3 file4 26 C:\Users\user\AppData\Roaming\...\rcxdti.dll, PE32 10->26 dropped 28 C:\Users\user\AppData\...\DesktopDMA.dll, PE32 10->28 dropped 30 C:\Users\user\AppData\Local\...\resToResX.exe, PE32 10->30 dropped 32 6 other files (none is malicious) 10->32 dropped 13 rundll32.exe 10->13         started        process5 signatures6 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->50 52 Hijacks the control flow in another process 13->52 54 Maps a DLL or memory area into another process 13->54 16 cmd.exe 13->16         started        process7 signatures8 34 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->34 36 Modifies the context of a thread in another process (thread injection) 16->36 38 Maps a DLL or memory area into another process 16->38 40 3 other signatures 16->40 19 explorer.exe 16->19 injected process9 process10 21 NETSTAT.EXE 19->21         started        signatures11 48 Tries to detect virtualization through RDTSC time measurements 21->48 24 cmd.exe 21->24         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60952b7b0b3edeb47b07f1d2a0fb87856b165550e47c605c4ef4fb1da699a332/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 05:25:59 UTC
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mcksw6ylh3pli6yh6hjkb64hqvvrmvkq4r6gaxco6t5r3juzumza._file
Verdict:
malicious
Similar samples:
06cedd3e446db41cd53877ce7b7c24c31bc034260d7de377c01bb06e1ea9add0
FormBook
0e661b488a5571afb39ddf31bda089f7c032ed0a077501c3b7c8a31a0a6442d6
FormBook
4f51da0a7034a3b491bf21d56896d2cc97f5f240911abfaeacfe73d80bd84a34
FormBook
5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886
FormBook
7f6ab9c1ee0cee3b51e076a98ad0b05416e87de438d475a8137d80405f75ac24
FormBook
8a1f8815b2d54f7171358001bec7be97d87660a29d8bce9d247da901b012f594
FormBook
8df5858f489a1dd9f113eda4dbe0aded3fd5a128dd32e991e94c5a2b7623ba64
FormBook
d4405060b30fab298c2747fc58ec301dfa160be2df3e335a78900fac044a2493
FormBook
d789a675b16eca7a3d78fffd03d6dfc18a396d6eac4da2472b99700ff1cb09c7
FormBook
f69e7749b6798b4c4f258eebbedc77992536cc24bef9d1bf3d68315ad16abcf0
FormBook
+ 2'197 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200813-1ybwyfs5t6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Loads dropped DLL
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.yofdyk.com/mg1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60952b7b0b3edeb47b07f1d2a0fb87856b165550e47c605c4ef4fb1da699a332

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsx f81cf230ed6e4a685e6365a8f65c80b996de3614be72d2baaf0175ec9077ecc6

FormBook

Executable exe 60952b7b0b3edeb47b07f1d2a0fb87856b165550e47c605c4ef4fb1da699a332

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/431683/
  
Dropped by
MD5 0203cea44f35e85f238d174c5f6da56a
  
Dropped by
SHA256 f81cf230ed6e4a685e6365a8f65c80b996de3614be72d2baaf0175ec9077ecc6
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/44959/

Comments