MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037
SHA3-384 hash: 04f19e47fe818bf1548518ce5b56edc96c45774438ff42c8611de42d9b7c085b0aeebe7fea710d7b8616fc11cce8264f
SHA1 hash: d896eed6ed2dffaf9f7253b1642787b92e67f704
MD5 hash: 85d7d1da8b13db9c318edb8e0ef6edcd
humanhash: florida-five-delta-connecticut
File name:PO_82_4000002414_XLS.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:824'320 bytes
First seen:2020-10-12 06:21:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:vAOLPQXFuSL3DuSOYrPkjrV9jqd98+OXwUWT8oogIi1S01T:xLIXFukuSOfrqdLOyDj1R
Threatray 2'416 similar samples on MalwareBazaar
TLSH 7C05E02136A99F86E17E9BF90224505003F97E1B792EF60C2DC329EF5AB5F418610B77
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: cpshared6.tedata.net
Sending IP: 213.158.180.196
From: Doris Lin <nsi2@nissho.id>
Reply-To: nsi2@nissho.id
Subject: Re:Order confirmation/PO
Attachment: PO_82_4000002414_XLS.arj (contains "PO_82_4000002414_XLS.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69966/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488055
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296488 Sample: PO_82_4000002414_XLS.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected AntiVM_3 2->42 44 6 other signatures 2->44 10 PO_82_4000002414_XLS.exe 3 2->10         started        process3 file4 30 C:\Users\...\PO_82_4000002414_XLS.exe.log, ASCII 10->30 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 PO_82_4000002414_XLS.exe 10->14         started        17 PO_82_4000002414_XLS.exe 10->17         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 19 explorer.exe 14->19 injected process8 dnsIp9 32 davesmbit.com 216.158.66.242, 49760, 80 WEBNXUS United States 19->32 34 www.nc-tv.com 74.117.219.199, 49767, 80 DNC-HOLDINGS-INCUS Cayman Islands 19->34 36 2 other IPs or domains 19->36 46 System process connects to network (likely due to code injection or exploit) 19->46 23 colorcpl.exe 19->23         started        signatures10 process11 signatures12 48 Modifies the context of a thread in another process (thread injection) 23->48 50 Maps a DLL or memory area into another process 23->50 52 Tries to detect virtualization through RDTSC time measurements 23->52 26 cmd.exe 1 23->26         started        process13 process14 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 03:20:42 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ozob45egv3p724bbvzprlsdoksohw6lkkassjf4b7hekmmt7ia3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
37fa0d1153831bdf8c08560d18a83afc2ccede848883819536eb81497c63229f
Formbook
4ba0d07d32c048141100317f95bd6dd8b791ba9c6608730b8408530490a13922
Formbook
a998850fc7940055baac6f61dde2d0e29836c9386ac87555549eeaa1a9998401
Formbook
d4014ac2689b47f11708425cad3d8aa02dd05ee6d6745006156dffbe0a27b4be
Formbook
d7d1d6057e7e731b75e1ba9579ccfe717334cc7b4f59324af1a0aa179db22e68
Formbook
da111408d9dccb99b2c429d535ca55f6e970d911da4c24553e75d02fe9c00489
Formbook
db53a27c43dddb419e9d058e6288f3c1e7fc7e4bd62e3bb048e7103dcf79d682
Formbook
f397c24f2c684fdcd51dc9954c641d013437a78e24a5cf8c8778196a66a60372
Formbook
f4854fb409d136b74193144c50c888b36bbbbcde71b52acb5f8177a862ebd76c
Formbook
f638e03e33b24d736db2873b3dee14d8312731d040adb93265b99e21b94b3978
Formbook
+ 2'406 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201012-1qj5v6932a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mybriefbox.com/sdk/
Unpacked files
SH256 hash:
765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037
MD5 hash:
85d7d1da8b13db9c318edb8e0ef6edcd
SHA1 hash:
d896eed6ed2dffaf9f7253b1642787b92e67f704
Link:
https://www.unpac.me/results/69cb60e7-45c3-4f97-8ab1-845f429e88ce/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/69cb60e7-45c3-4f97-8ab1-845f429e88ce/
SH256 hash:
36ea1f9734dcb69e60be9c36c541819f09d1e5aa1af6787235d93e0bd8538ff1
MD5 hash:
826fcccb70d70196a844afd384f5b3e8
SHA1 hash:
9e0f2b2ec3e928addd457730a2890fc0ec7ca060
Link:
https://www.unpac.me/results/69cb60e7-45c3-4f97-8ab1-845f429e88ce/
SH256 hash:
d4acd33258b1d3ed7b0aee563686718cfe4e47fa16b002efdecd03b6eae7394b
MD5 hash:
88f7bb341e6d5f3c2a94fa5de3603371
SHA1 hash:
d3be8988a2bf621993bcd71ebf7ecf4e1d60799d
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/69cb60e7-45c3-4f97-8ab1-845f429e88ce/
Parent samples :
a998850fc7940055baac6f61dde2d0e29836c9386ac87555549eeaa1a9998401
765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037
af61853ca27001c0721463fce68bb033a9084e9fcd0c6ced3acd7fc3ea0e957a
d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c
410b12d131a36c0b5be88c52e6ad02a1e50b20c4d80f30de42ea5a260fc92624
4e98a7f7084a5fa80d8e1dd45e8b8f8a1f9fc891d223cc265524cfcfe3c57c0b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip bea292579db974027857f30f2c2b7626785b8f0b1e7c332d23584af47db0e1b2

Formbook

Executable exe 765c1e7486aedffd7021ae5f15c86e549c7b796a5025249781f9c8a6327f4037

(this sample)

  
Dropped by
MD5 0c16ffddb930c1e8e8e97985385c2af5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69966/
  
Dropped by
SHA256 bea292579db974027857f30f2c2b7626785b8f0b1e7c332d23584af47db0e1b2

Comments