MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab
SHA3-384 hash: fef4bcb7b20917c79c09ea11687a5229b32626b86ec28685ee03d1963975c7a5e4cc46fe309bb34cbc71d5a457fdd765
SHA1 hash: 2c113263ab3ae8a9d8cc8fd717f2eefa98c6a65a
MD5 hash: 38a00ca13354ab0a81921c70f57003b1
humanhash: johnny-mississippi-idaho-three
File name:6605701.xls .exe
Download: download sample
Signature Formbook
Create hunting rule
File size:556'544 bytes
First seen:2020-08-13 06:56:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:wWCJxJEJE/qo8Bf05v0Pug7FtdihesnO5A6/939tnPfC11j5RAo+:Q0J6OcpFoFHihS1VzCHVRA/
Threatray 2'309 similar samples on MalwareBazaar
TLSH 7DC408FA344F8121C0A57CB0DC66DAC96F3C6B15F602522DF6D9237839E536A73094EA
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: server.kharafiglobal.com
Sending IP: 64.50.172.143
From: Bich Dao <bich.dao628@gmail.com>
Reply-To: sallykroff@gmail.com
Subject: Oriental Fastech New Inquiry
Attachment: 6605701.IMG (contains "6605701.xls .exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/44902/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/425281
Signature
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 265197 Sample: .exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 80 39 Malicious sample detected (through community Yara rule) 2->39 41 Yara detected FormBook 2->41 43 Tries to detect virtualization through RDTSC time measurements 2->43 8        .exe 9 2->8         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 31 C:\Users\user\AppData\Local\smgjy.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 8->33 dropped 35 C:\Users\user\...\smgjy.exe:Zone.Identifier, ASCII 8->35 dropped 37 C:\Users\user\AppData\Local\Temp\...\l.dll, PE32 8->37 dropped 15 smgjy.exe 2 8->15         started        18 cmd.exe 1 8->18         started        20 smgjy.exe 3 11->20         started        process5 signatures6 51 Writes to foreign memory regions 15->51 53 Allocates memory in foreign processes 15->53 55 Injects a PE file into a foreign processes 15->55 22 AddInProcess32.exe 15->22         started        25 reg.exe 1 1 18->25         started        27 conhost.exe 18->27         started        57 Tries to detect virtualization through RDTSC time measurements 20->57 process7 signatures8 45 Maps a DLL or memory area into another process 22->45 47 Tries to detect virtualization through RDTSC time measurements 22->47 29 explorer.exe 22->29 injected 49 Creates an autostart registry key pointing to binary in C:\Windows 25->49 process9
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 06:58:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkx3ds6kzn32ulfjttcvydrvgzzyifjit5j4ji5fpwnzzqeo4wvq._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0
Formbook
5dd54174543f8e681162c6c8462209da761db5e2ccb38cb8408ef0232956b3ce
Formbook
885179565290381c8e8e883f1e4c776507c1ddd3bfa8902f432ea31fbf01c683
Formbook
923909fa41e21d68dbc11443fe31cf99d2792014767e276dd9aa7289a78afa06
Formbook
a7d27c9cca035fac67dadf420c7adcfb2b196b4f2db64d94e13ddb6a9ea1c46a
Formbook
b152c155460d293eee7224b2a49e1121fb19df274c5b2728e9571afaff1845c6
Formbook
bffc9c0c74952c439ca980be37a1f1e21c182b13c992f1a345a541413bfea91a
Formbook
c2af32087beb20ac52dd19d5cd1f2a389bb58e424790a0c820dd450cf0c48847
Formbook
d5231355835fc25fb6f9923639331084ff0ae602929793c263e01eda38d2fa1b
Formbook
df50adbb821e5dd2d36e35cb6d2ec32b7b523bd27803cde87c6c66350580c574
Formbook
+ 2'299 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
agilenet rat persistence trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200813-2vdppdpqn2/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mage-cart.info/u4xn/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 04a58bdfe3ed37495f899da8be2ad6de9666c5b195f4386afac655e5b0523488

Formbook

Executable exe 62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab

(this sample)

  
Dropped by
MD5 07a19fd3fe171a693be8badbc8e28356
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44902/
  
Dropped by
SHA256 04a58bdfe3ed37495f899da8be2ad6de9666c5b195f4386afac655e5b0523488

Comments