MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 693e62c2a77f9a854abde4a76ff075601db591e2007d198225385fc63965b719. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 693e62c2a77f9a854abde4a76ff075601db591e2007d198225385fc63965b719
SHA3-384 hash: 57657b4f62a07e37997f8244644d5d1be76a04b5f2a87b3adf159423eda8ba2b1e0cfebf08c72d764fba2de8ea5ab0c8
SHA1 hash: eb2cac86dcdd4636bd5254b44ca0a084e6e1e439
MD5 hash: b35bc4320b51c52c0f3cb5abc7c87aa3
humanhash: december-emma-eleven-lamp
File name:PO20200060005 Alu Tube Of Jul 20 ALMET THAI.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:388'608 bytes
First seen:2020-07-06 08:15:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:XsK7S1G7i+n3HAApBz+HVlZhWd+00c4lk4y3EdUIKO6P9HpHg2KdHVDtw:5ugPn3VkZAd+lTy3y56FmlVx
Threatray 5'266 similar samples on MalwareBazaar
TLSH F984D0B606467EDAE37D1EB4D28522400EB81D2BD770C9597DC831C923B5B48EE7DA32
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: gmail.com
Sending IP: 107.173.40.221
From: Wanphen <sales@gmail.com>
Reply-To: ltbthuyposco@gmail.com
Subject: PO20200060005 Alu Tube Of Jul'20 // ALMET THAI
Attachment: PO20200060005 Alu Tube Of Jul 20 ALMET THAI.zip (contains "PO20200060005 Alu Tube Of Jul 20 ALMET THAI.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21346/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/693e62c2a77f9a854abde4a76ff075601db591e2007d198225385fc63965b719/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 01:27:30 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ne7gfqvhp6niksv54stw74dvmao3lepcab6rtarfhbp4molfw4mq._file
Verdict:
malicious
Similar samples:
1d1c9ee0b1adaa5a121fd70d332785395ad22538f9cdc7db44414c1604e28919
Formbook
38cafe26c2a04715f175182f36462f482bdbbcb1d875654b9ac1242c29f50b06
Formbook
54828c080b94bdbf7bc08ff7a3fc69fa5a91d1b067d2997af8ef60c0304b4aed
Formbook
8606768cb758ba8379659f65220250ebc1c491dabd668e7f98663571419cadf2
Formbook
9d545cae8b73e11800aaf794b2919bb8972511e4e217eaf1a51c3f38c17bb412
Formbook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
Formbook
b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4
Formbook
b84f164b86250eaee07153f4665af8826f0e934ba80e505ae37ead324f53b971
Formbook
cfa40c1b8552fd4db408ba6cc0d622c3fed256ca4e684e4277291332c45975fb
Formbook
fd77bda3f991235956974723013237b8dd8ed7f661dfad976d2fde68804c55a7
Formbook
+ 5'256 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200706-j4qqdt986n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 02a2259bffb76809ebddfc7402a4c3e0c2c1b99f644ed91226620d9c2f5eb4c8

Formbook

Executable exe 693e62c2a77f9a854abde4a76ff075601db591e2007d198225385fc63965b719

(this sample)

  
Dropped by
MD5 1e4619efbeeda1a9caf18f3900c48b1d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/21346/
  
Dropped by
SHA256 02a2259bffb76809ebddfc7402a4c3e0c2c1b99f644ed91226620d9c2f5eb4c8

Comments