MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f7ceadb0d2fed6b1c7fed3f479dad5a0e6e91263ae9fb0d5d97b811c1fb90c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook
Vendor detections: 10

SHA256 hash: 6f7ceadb0d2fed6b1c7fed3f479dad5a0e6e91263ae9fb0d5d97b811c1fb90c4
SHA3-384 hash: b0a81e9039a447cb2dc6f8ca5cd259939eec362cbb34e6fb5fe058353d988eb90e0ac8e5a98f29f7d00799c71fc00b96
SHA1 hash: 19f15ca7fa694c0397c3ec2a8eb0fad869c50774
MD5 hash: aefb311702d85f433019a505252246ef
humanhash: massachusetts-nineteen-west-august
File name: ALFA.exe
Signature: FormBook
File size: 823'808 bytes
First seen: 2020-07-21 09:31:59 UTC
Last seen: 2020-07-21 11:24:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:CMUJBc7nX4UhUCtpkdzdKzLSwghER4urGNwZcP1L8HFcf:CMUWptphSlurKwZQ5iFc
Threatray: 5'218 similar samples on MalwareBazaar
TLSH: BA059E553502DD42C2F61276C8DF845447BCAC82697AD78A3B5B33EA25217E3EC0A6CF
Reporter: abuse_ch
Tags: exe FormBook


abuse_ch
Malspam distributing FormBook:

HELO: server.megatroncorp.community
Sending IP: 162.241.205.158
From: Hernán F. Lozano <server@huttprimax.partners>
Reply-To: alfa@qualityservice.com
Subject: ALFA // INVESTIGACIÓN // 20.7.2020
Attachment: ALFA INVESTIGACIN.zip (contains "ALFA.exe")
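The lure headers reported above already carry three mail-gateway signals that need no hash lookup: the HELO name, the From domain and the Reply-To domain all belong to different registered domains, and the attachment is a zip wrapping an .exe. The script below is an added example, not part of the MalwareBazaar entry or abuse.ch tooling. It rebuilds a message from the reported header values (the Received line, the message body and the zip payload are constructed stand-ins, and the fake "ALFA.exe" inside the zip is two MZ bytes plus padding, not the real sample) and runs the three checks over it with the standard library only.

```python
import email
import io
import re
import zipfile
from email import policy, utils
from email.message import EmailMessage

# Attachment members ending in one of these are treated as executable content.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1")


def build_sample_message():
    """Constructed message: headers as reported for the lure, body and zip made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ALFA.exe", b"MZ" + b"\x00" * 62)  # harmless placeholder, not the sample
    msg = EmailMessage()
    # A Received line as our own MX would write it (constructed; only the HELO name
    # and sending IP come from the report). Trust only the Received line your own
    # server added, the sender controls everything below it.
    msg["Received"] = ("from server.megatroncorp.community ([162.241.205.158]) "
                       "by mx.example.invalid with ESMTP; Mon, 20 Jul 2020 10:00:00 +0000")
    msg["From"] = "Hernán F. Lozano <server@huttprimax.partners>"
    msg["Reply-To"] = "alfa@qualityservice.com"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "ALFA // INVESTIGACIÓN // 20.7.2020"
    msg.set_content("Adjunto el informe solicitado.")  # constructed body text
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="ALFA INVESTIGACIN.zip")
    return msg.as_bytes()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def registered_domain(host):
    # Naive "last two labels" rule; enough for the .community/.partners/.com names
    # in this lure, use a public-suffix list for co.uk-style domains.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def helo_from_received(msg):
    """Pull the HELO name and connecting IP out of the topmost Received header."""
    recv = str(msg.get("Received", ""))
    m = re.search(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)", recv)
    return (m.group(1), m.group(2)) if m else ("", "")


def inspect_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, from_addr = utils.parseaddr(str(msg.get("From", "")))
    _, reply_addr = utils.parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")
    helo, ip = helo_from_received(msg)
    if helo and registered_domain(helo) != registered_domain(from_dom):
        findings.append(f"HELO {helo} ({ip}) does not match From domain {from_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            findings.append(f"attachment {name} is not a valid zip")
            continue
        execs = [m for m in members if m.lower().endswith(EXEC_SUFFIXES)]
        if execs:
            findings.append(f"zip attachment {name} contains executable(s): {', '.join(execs)}")
    return findings


if __name__ == "__main__":
    for line in inspect_message(build_sample_message()):
        print(line)
```

None of the three checks is conclusive on its own (legitimate mail from ticketing systems also has a Reply-To on another domain), but a message that trips all three and carries a zipped executable is worth quarantining before anyone looks at the hash.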

Intelligence


File Origin
# of uploads: 2
# of downloads: 84
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 248813, sample ALFA.exe, start date 21/07/2020, architecture WINDOWS, score 100):

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 2 other signatures
Sample-level DNS/IP: www.ashoksoota.com

ALFA.exe (started)
  drops C:\Users\user\AppData\Local\...\ALFA.exe.log (ASCII)
  Tries to detect virtualization through RDTSC time measurements
  Injects a PE file into a foreign process
  ALFA.exe (second instance, started)
    Modifies the context of a thread in another process (thread injection)
    Maps a DLL or memory area into another process
    Sample uses process hollowing technique
    Queues an APC in another process (thread injection)
    explorer.exe (injected)
      jointventurementors.com / www.jointventurementors.com, 34.102.136.180:80 (GOOGLEUS, United States), plus 2 other IPs or domains
      System process connects to network (likely due to code injection or exploit)
      wlanext.exe (started)
        drops C:\Users\user\AppData\...\946logrv.ini, 946logri.ini, 946logrf.ini (data)
        Detected FormBook malware
        Tries to steal Mail credentials (via file access)
        Tries to harvest and steal browser information (history, passwords, etc)
        3 other signatures
        cmd.exe (started)
          conhost.exe (started)
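The graph above shows why the usual parent/child tree is not enough to catch this chain on an endpoint: the second ALFA.exe instance injects into explorer.exe, so wlanext.exe, cmd.exe and conhost.exe appear as ordinary children of explorer.exe with no link back to the dropper. The script below is an added example, not part of the MalwareBazaar entry or any sandbox's own logic. It replays a constructed Sysmon-style event stream modelled on the graph (pids, the order of events, the AppData directories the report elides and the two benign notepad.exe events are all made up) and stitches the chain back together by carrying taint across the ProcessAccess event instead of across parent pids. The drop-name pattern is derived from the three file names this sample wrote and is an assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed event stream. Event names follow Sysmon's vocabulary
# (ProcessCreate=1, NetworkConnect=3, ProcessAccess=10, FileCreate=11);
# pids, ordering and the elided AppData directories are invented.
EVENTS = [
    {"type": "ProcessCreate", "pid": 4812, "ppid": 3004,
     "image": r"C:\Users\user\Downloads\ALFA.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "FileCreate", "pid": 4812, "path": r"C:\Users\user\AppData\Local\Temp\ALFA.exe.log"},
    {"type": "ProcessCreate", "pid": 4900, "ppid": 4812,
     "image": r"C:\Users\user\Downloads\ALFA.exe", "parent_image": r"C:\Users\user\Downloads\ALFA.exe"},
    {"type": "ProcessAccess", "pid": 4900, "target_pid": 3004,
     "target_image": r"C:\Windows\explorer.exe", "granted_access": 0x1FFFFF},
    {"type": "NetworkConnect", "pid": 3004, "image": r"C:\Windows\explorer.exe",
     "dest_host": "www.jointventurementors.com", "dest_ip": "34.102.136.180", "dest_port": 80},
    {"type": "ProcessCreate", "pid": 5000, "ppid": 3004,   # benign user activity
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "FileCreate", "pid": 5000, "path": r"C:\Users\user\Documents\notes.txt"},
    {"type": "ProcessCreate", "pid": 5120, "ppid": 3004,
     "image": r"C:\Windows\System32\wlanext.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "FileCreate", "pid": 5120, "path": r"C:\Users\user\AppData\Roaming\946logrv.ini"},
    {"type": "FileCreate", "pid": 5120, "path": r"C:\Users\user\AppData\Roaming\946logri.ini"},
    {"type": "FileCreate", "pid": 5120, "path": r"C:\Users\user\AppData\Roaming\946logrf.ini"},
    {"type": "ProcessCreate", "pid": 5300, "ppid": 5120,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\wlanext.exe"},
    {"type": "ProcessCreate", "pid": 5310, "ppid": 5300,
     "image": r"C:\Windows\System32\conhost.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Assumed pattern generalising the sample's 946logrv/946logri/946logrf.ini drops.
DROP_RE = re.compile(r"logr[vif]\.ini$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}
PROCESS_VM_WRITE = 0x0020  # bit in GrantedAccess that allows writing into the target


def basename(path):
    return PureWindowsPath(path).name.lower()


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyse(events):
    """Return (findings, chain). findings are (rule, pid, detail) tuples; chain is the
    list of image names believed to run the malware's code, in the order taint spread."""
    procs, drops, findings = {}, defaultdict(list), []
    tainted, injected, order = set(), {}, []

    def taint(pid):
        if pid not in tainted:
            tainted.add(pid)
            order.append(pid)

    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            procs[ev["pid"]] = ev
            img, parent = basename(ev["image"]), basename(ev["parent_image"])
            if img == parent and user_writable(ev["image"]):
                # A user-path binary relaunching itself is the hollowing pattern in the graph.
                findings.append(("self-respawn from user-writable path", ev["pid"], img))
                taint(ev["ppid"])
                taint(ev["pid"])
            elif ev["ppid"] in tainted:
                taint(ev["pid"])
            # cmd.exe whose parent was itself spawned by an injected system process:
            # the graph's explorer.exe -> wlanext.exe -> cmd.exe step. Children of the
            # injected process are NOT tainted wholesale, explorer.exe spawns everything
            # the user clicks (see the notepad.exe events).
            if img in SHELLS and ev["ppid"] in procs and procs[ev["ppid"]]["ppid"] in injected:
                findings.append(("shell spawned by child of injected process", ev["pid"], f"{parent} -> {img}"))
                taint(ev["ppid"])
                taint(ev["pid"])
        elif kind == "ProcessAccess":
            if ev["pid"] in tainted and ev["granted_access"] & PROCESS_VM_WRITE:
                findings.append(("tainted process opened system process for writing",
                                 ev["pid"], basename(ev["target_image"])))
                injected[ev["target_pid"]] = ev["target_image"]
                order.append(ev["target_pid"])
        elif kind == "NetworkConnect":
            if ev["pid"] in injected:
                findings.append(("injected system process connects out", ev["pid"],
                                 f"{basename(ev['image'])} -> {ev['dest_host']} {ev['dest_ip']}:{ev['dest_port']}"))
        elif kind == "FileCreate":
            drops[ev["pid"]].append(ev["path"])

    for pid, paths in drops.items():
        hits = sorted(basename(p) for p in paths if DROP_RE.search(p))
        if len(hits) >= 2:
            findings.append(("FormBook-style log drops", pid, ", ".join(hits)))
            taint(pid)

    chain = [basename(procs[p]["image"]) if p in procs else basename(injected[p]) for p in order]
    return findings, chain


if __name__ == "__main__":
    found, chain = analyse(EVENTS)
    print(" -> ".join(chain))
    for rule, pid, detail in found:
        print(f"[{pid}] {rule}: {detail}")
```

The ProcessAccess event is the hinge: without it the chain breaks at explorer.exe and wlanext.exe looks like something the user launched. In a real estate the self-respawn and drop-name rules are the cheap, low-noise signals; explorer.exe making HTTP connections on its own is far noisier (shell extensions, cloud sync clients) and is only flagged here once explorer.exe has already been marked as an injection target.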
Threat name: ByteCode-MSIL.Trojan.Occamy
Status: Malicious
First seen: 2020-07-21 09:33:04 UTC
AV detection: 30 of 48 (62.50%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: trojan spyware stealer family:formbook persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Deletes itself
Formbook

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam, distributed via e-mail attachment
Malware family: FormBook
File: Executable exe 6f7ceadb0d2fed6b1c7fed3f479dad5a0e6e91263ae9fb0d5d97b811c1fb90c4 (this sample)

Comments