MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b55f6fa510718db214cc578df054de13177b21eb20194b87f97c477ffc572d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b55f6fa510718db214cc578df054de13177b21eb20194b87f97c477ffc572d5
SHA3-384 hash: 333817ca6c61532f3df5ce391aa29e237fcf7ff2b6350e1086778092d4d1f9cde6724975cef2d3e94374bc9cf225aef5
SHA1 hash: 9e84cf35b6153505d5ef8cda5055ffcfd48f09d0
MD5 hash: e7da398ad3d594a064e219632ef4f603
humanhash: quiet-oranges-lake-single
File name:RRUY44091239.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:787'456 bytes
First seen:2020-10-23 11:40:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:kjLexns77+6PiYalwlYZO00p6hhXxRE105clLf:eFaH
Threatray 2'650 similar samples on MalwareBazaar
TLSH AFF4D93CADD5223756BBD6BACAF659CBF951754331126C0E90DB03860913BAB7EC201E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: srv20009.hosting.claranet.es
Sending IP: 92.54.18.66
From: administration <Fatiha.Benwakrim@maghrebail.ma>
Reply-To: Fatiha <info@asguler.com.tr>
Subject: Paiement facture
Attachment: Doc 849.zip (contains "RRUY44091239.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75034/
Detection(s):
SecuriteInfo.com.ArtemisE7DA398AD3D5.617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508081
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Creates an undocumented autostart registry key
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303161 Sample: RRUY44091239.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 7 other signatures 2->57 10 RRUY44091239.exe 1 2->10         started        process3 file4 41 C:\Users\user\...\RRUY44091239.exe.log, ASCII 10->41 dropped 69 Tries to detect virtualization through RDTSC time measurements 10->69 71 Injects a PE file into a foreign processes 10->71 14 RRUY44091239.exe 10->14         started        signatures5 process6 signatures7 75 Modifies the context of a thread in another process (thread injection) 14->75 77 Maps a DLL or memory area into another process 14->77 79 Sample uses process hollowing technique 14->79 81 Queues an APC in another process (thread injection) 14->81 17 explorer.exe 14->17 injected process8 dnsIp9 45 chainlinkwhitepaper.com 34.102.136.180, 49739, 49746, 49747 GOOGLEUS United States 17->45 47 www.direction.center 165.232.36.60, 49743, 49744, 49745 ALLEGHENYHEALTHNETWORKUS United States 17->47 49 3 other IPs or domains 17->49 59 System process connects to network (likely due to code injection or exploit) 17->59 21 msdt.exe 1 18 17->21         started        25 autofmt.exe 17->25         started        signatures10 process11 file12 37 C:\Users\user\AppData\...\27Mlogrv.ini, data 21->37 dropped 39 C:\Users\user\AppData\...\27Mlogri.ini, data 21->39 dropped 61 Detected FormBook malware 21->61 63 Creates an undocumented autostart registry key 21->63 65 Tries to steal Mail credentials (via file access) 21->65 67 4 other signatures 21->67 27 cmd.exe 2 21->27         started        31 cmd.exe 1 21->31         started        signatures13 process14 file15 43 C:\Users\user\AppData\Local\Temp\DB1, SQLite 27->43 dropped 73 Tries to harvest and steal browser information (history, passwords, etc) 27->73 33 conhost.exe 27->33         started        35 conhost.exe 31->35         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b55f6fa510718db214cc578df054de13177b21eb20194b87f97c477ffc572d5/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 11:03:23 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pnk7n6sra4mnwikmyv4n6bkn4eyxpmq6wiazjod7s7chp76folkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
17de42648d49e21ed411c460fa0c805443e1898e21114beb8ea7301da3ee6b31
FormBook
4f90d42980450652ef19fe55ebea9e68683b4d29027900dcbeb5c26d298318fc
FormBook
54c0138d6a0dbd5967d7cf51eb753b29aa1fd72a85152285bd22347fa6654022
FormBook
60e0625b9dc6a06473b96fd2972c145e71120d7d6a106713c76d7be4ccf75478
FormBook
a4f595a974ae8b5dc406b75aebfb8f6d44ac822b14c8ba0619f0416a55be3986
FormBook
a59693f90c55791c544845b00cd4a8e6333d83cc83c8d8be42a7b028af4098e0
FormBook
b3423777b1bafbe661edd1f4d3d98e72fcb48394764ddeb57bb913b881cf9177
FormBook
c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40
FormBook
d5b7a34c6294b2505366e81e4bcaa48943ddc338a1f78ae8f990e3dcf413182a
FormBook
e5d8344ae7d9f2641a4e564d0e6e1a6494e216e6a5be0355eb45190e25d11f8f
FormBook
+ 2'640 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/201023-r7669tghj6/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Unpacked files
SH256 hash:
8ccc5bea909da076fd51c0ebe25984f75f8a2b1c44163d062460f5c8b365680f
MD5 hash:
eb725ec66d779202606255d11b511e1a
SHA1 hash:
c4a3e8c3ec3d7113c3addbe19c1789c393df8c7b
Link:
https://www.unpac.me/results/59ef564b-830a-4c0f-8c97-5425431d519c/
SH256 hash:
f51bdb4114c155f90eb9371d142021cc40e47f2cee488330850d25c5a51fea32
MD5 hash:
515e5d0db9ed2e199742df7353980be9
SHA1 hash:
e2fe4974cb922deb819022f9d94abfc360c4985c
Link:
https://www.unpac.me/results/59ef564b-830a-4c0f-8c97-5425431d519c/
SH256 hash:
794583cd3354fcb78c26dfaa63d7f5e35c5bc5699bc6db03b427016424ca26e4
MD5 hash:
069f92a9097ccf845d479b1aec615708
SHA1 hash:
45f2081dae744b5ea5b3d32b4543e68f1e2500a2
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/59ef564b-830a-4c0f-8c97-5425431d519c/
Parent samples :
a59693f90c55791c544845b00cd4a8e6333d83cc83c8d8be42a7b028af4098e0
60e0625b9dc6a06473b96fd2972c145e71120d7d6a106713c76d7be4ccf75478
7b55f6fa510718db214cc578df054de13177b21eb20194b87f97c477ffc572d5
c63da2dca25d6d1c17fcfd8041424f2232878b734072ab55f1c31a6fa083a9fa
cab05c453ff61226526341a1ff169339c019e61fd894bcd82aac8599ea61ca7a
6f463e4599313c87551cfc529feb1b20b5eccc8f4fd20f66fafe580140e109f9
55aebdda73f158c6b5d24ec671226540690112f2b412f073deb173b932c7f6c3
SH256 hash:
7b55f6fa510718db214cc578df054de13177b21eb20194b87f97c477ffc572d5
MD5 hash:
e7da398ad3d594a064e219632ef4f603
SHA1 hash:
9e84cf35b6153505d5ef8cda5055ffcfd48f09d0
Link:
https://www.unpac.me/results/59ef564b-830a-4c0f-8c97-5425431d519c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b55f6fa510718db214cc578df054de13177b21eb20194b87f97c477ffc572d5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 8da1b6598e98a70f6e479a7a1f313285590efee38392f22d10c4dcf5f734272f

FormBook

Executable exe 7b55f6fa510718db214cc578df054de13177b21eb20194b87f97c477ffc572d5

(this sample)

  
Dropped by
MD5 452b898713c0ec3023916258a4244aea
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8da1b6598e98a70f6e479a7a1f313285590efee38392f22d10c4dcf5f734272f
Cape
Cape
https://www.capesandbox.com/analysis/75034/

Comments