MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7da99d277c87633b2aab117deab3bfdd6f9cef0d82172264f600e7b385892c37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7da99d277c87633b2aab117deab3bfdd6f9cef0d82172264f600e7b385892c37
SHA3-384 hash: 4012d22d03c10c7d95aca319b3466084c34604bd4e165b2ea0ed96036e2bd3ec1b926978ad9f1f835ca25867be5fab19
SHA1 hash: dbf1b38120dd815f96660ba1af0889a599e0fa11
MD5 hash: 4213a0c5f1cb2ef588cc1097c21a3461
humanhash: sodium-summer-seven-quebec
File name:comandă nouă.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:399'360 bytes
First seen:2020-08-05 08:34:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:GzpNNyuOy0KPoe4n6zJFSEuXvXLNC8BPzKXJh3D3vIVDZHOyBCcWY:Gz8Zyvwe66zJFSEQvXLNhBPzMh3Dryf
Threatray 5'116 similar samples on MalwareBazaar
TLSH 2584F00C72A0A50AF2BA0E3F9D340093DE22F45FDE26C74B5AB21578453E69CBD65F61
Reporter abuse_ch
Tags:exe FormBook geo ROU


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: profesionalesenriesgo.com
Sending IP: 50.115.112.102
From: Alexandra Stanciu <alexandra.stanciu@euroccoper.ro>
Subject: comandă nouă
Attachment: comandă nouă.zip (contains "comandă nouă.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39223/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410597
Signature
Allocates memory in foreign processes
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257568 Sample: comand#U0103 nou#U0103.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 51 www.fex-tracks.com 2->51 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 Yara detected AntiVM_3 2->61 63 7 other signatures 2->63 11 comand#U0103 nou#U0103.exe 5 2->11         started        signatures3 process4 file5 39 C:\Users\user\AppData\Roaming\AQEsxrUdj.exe, PE32 11->39 dropped 41 C:\Users\...\AQEsxrUdj.exe:Zone.Identifier, ASCII 11->41 dropped 43 C:\Users\user\AppData\Local\...\tmp28B1.tmp, XML 11->43 dropped 45 C:\Users\...\comand#U0103 nou#U0103.exe.log, ASCII 11->45 dropped 69 Writes to foreign memory regions 11->69 71 Allocates memory in foreign processes 11->71 73 Injects a PE file into a foreign processes 11->73 15 RegSvcs.exe 11->15         started        18 RegSvcs.exe 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 83 Modifies the context of a thread in another process (thread injection) 15->83 85 Maps a DLL or memory area into another process 15->85 87 Sample uses process hollowing technique 15->87 89 Queues an APC in another process (thread injection) 15->89 22 explorer.exe 1 4 15->22 injected 91 Tries to detect virtualization through RDTSC time measurements 18->91 27 conhost.exe 20->27         started        process9 dnsIp10 53 www.pinechain.com 52.58.78.16, 49740, 80 AMAZON-02US United States 22->53 55 www.196wrf.info 22->55 37 C:\Users\user\AppData\...\ibjhs6d0or5.exe, PE32 22->37 dropped 65 System process connects to network (likely due to code injection or exploit) 22->65 67 Benign windows process drops PE files 22->67 29 wlanext.exe 1 17 22->29         started        file11 signatures12 process13 file14 47 C:\Users\user\AppData\...\46Alogrv.ini, data 29->47 dropped 49 C:\Users\user\AppData\...\46Alogri.ini, data 29->49 dropped 75 Detected FormBook malware 29->75 77 Tries to steal Mail credentials (via file access) 29->77 79 Tries to harvest and steal browser information (history, passwords, etc) 29->79 81 3 other signatures 29->81 33 cmd.exe 1 29->33         started        signatures15 process16 process17 35 conhost.exe 33->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7da99d277c87633b2aab117deab3bfdd6f9cef0d82172264f600e7b385892c37/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 01:48:15 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwuz2j34q5rtwkvlcf66vm573vxzz3ynqilsezhwadt3hbmjfq3q._file
Verdict:
malicious
Similar samples:
050ff80d0d4a5da0122a6ccce484c5807c3efa8fa033f047abc0762750303991
FormBook
0c2e455f5983d94458f8222bda189794e9095460e0df8764d4bd4787fc217a52
FormBook
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
FormBook
28782ca0edd1fa079dfa6f81b89637256857d42a43460117a37d53ccd622bdbd
FormBook
30d3cf43f91eea8df889ee14337ca8067bc68521ff63184c679aac80b321bb75
FormBook
59793c1ac9d8537e06996b0a09f161deb98a77d527b0bc97b18e15972f120a2d
FormBook
70fce2b9eb9360b8733c9b77032bb566399d7ed9c2fb99b0cf2c823e93485bd9
FormBook
8a10ba003c94b5e6576d10a0c4bd01cabef6d87e4811e96c1a028e2cde63f414
FormBook
9e31a9eedd25bd1b57d01f6f9f265cf5d13218f3e3e1866128d061ba5c77c452
FormBook
b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9
FormBook
+ 5'106 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200805-dpevan3dga/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7da99d277c87633b2aab117deab3bfdd6f9cef0d82172264f600e7b385892c37

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 3794a970aaf5b516a68ee78ca115981e289fb0af575d53c02efd860ef9a40d2a

FormBook

Executable exe 7da99d277c87633b2aab117deab3bfdd6f9cef0d82172264f600e7b385892c37

(this sample)

  
Dropped by
MD5 e3ad0c63ef186d3f865df7f93a81b125
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39223/
  
Dropped by
SHA256 3794a970aaf5b516a68ee78ca115981e289fb0af575d53c02efd860ef9a40d2a

Comments