MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a
SHA3-384 hash: 85fae2504eb7266f2216fa538399fc9ae87e0452f7bc289c459cdb7bb6338ea6f56e7836655d4d4f5f5517ffc7cffdc3
SHA1 hash: c537887b0dc33a5adb58e31235d0f7d9923718e7
MD5 hash: b6e573a5d3a6bb9f7ceb592d13a9fd92
humanhash: comet-artist-hotel-virginia
File name:TRF Bank info for Confirmation.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:852'480 bytes
First seen:2020-10-06 06:08:19 UTC
Last seen:2020-10-06 11:05:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:wyEubTel0nqR/ff8FE//JSl7fJ5qqKUujiqebet3kjlOmHUmbIm5OUPSeJRKKtne:HbQ0nE/f//JSlfX+UAxZ3kjXU
Threatray 2'346 similar samples on MalwareBazaar
TLSH 8F057CAD36507ADEC957CD3ACA545C20EA3079A7930BD203A01715EDAE4DA97EF102F3
Reporter abuse_ch
Tags:exe FormBook HSBC


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: host.kroser.com.uy
Sending IP: 162.211.86.3
From: HSBC <TJanuji@Hsbc.com>
Subject: Re:Account Payable TRF103_0092020
Attachment: TRF Bank info for Confirmation.iso (contains "TRF Bank info for Confirmation.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68448/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482387
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293637 Sample: TRF Bank info for Confirmat... Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 7 other signatures 2->42 10 TRF Bank info for Confirmation.exe 3 2->10         started        process3 file4 28 C:\...\TRF Bank info for Confirmation.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 TRF Bank info for Confirmation.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.leo978.com 104.31.74.52, 49732, 80 CLOUDFLARENETUS United States 17->30 32 www.snjeuejdjdn.com 17->32 34 3 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 svchost.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 03:53:30 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2ew5ztmem5sbwacw3dcag3e74g7vljq6pljjbbpdv6v2x243m5a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
06e0e3da562a627b84f328a76d70b62326e2b5a82fd28bf943b6d3dfd1f26cb7
Formbook
0cbc16717ef6c0d7e1d8ac2abba091925aec1b77db20cbff97407fcd5288736b
Formbook
567501cea05864d3014fb29cd4d74eb3e18dfdfb73f0669f5c0592fc73779afc
Formbook
5f657de9b0eaeb9eabf6d18a202f7b8c7daafd71d03387366069fe9ebd5f282a
Formbook
9465c69c18144431c36b77e4b36534684c7717f1d9970eb522b8aef716dd2458
Formbook
d1176c3c4ab396d3bad7dd15c881fdb4e38922e9f7e539dc1035768f366edcf9
Formbook
de55a1b3e711c74c00998d9c4cb0f5da9672b109e2f362ac55f4a9f4033ffbf7
Formbook
e04b0836667f55bcc1778c62761c99af52cb5c42c14cef3962531512def2944b
Formbook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
Formbook
f3250b1ac9470b18b44d8c6591c22797a187c1aa02b364583eed5acb255f0328
Formbook
+ 2'336 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201006-exjz9wla4n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.waiftx.com/tmc8/
Unpacked files
SH256 hash:
7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a
MD5 hash:
b6e573a5d3a6bb9f7ceb592d13a9fd92
SHA1 hash:
c537887b0dc33a5adb58e31235d0f7d9923718e7
Link:
https://www.unpac.me/results/a57f1046-b193-44b3-ac77-63f170ad2789/
SH256 hash:
e8904ef697b97d46551353e9618f513b4a0b6558ef4d1881dc56b725db086b49
MD5 hash:
f1a3fb29df4d4b41466835147050090b
SHA1 hash:
6c29f60144696fd0f1a4c51fb09b7db56ea4f517
Link:
https://www.unpac.me/results/a57f1046-b193-44b3-ac77-63f170ad2789/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/a57f1046-b193-44b3-ac77-63f170ad2789/
SH256 hash:
d675b6cd32c5549826884041cf1a318af9110d0587dd845bb8c952854411670c
MD5 hash:
fcd70d5ed52399df3a1a80417b2155c4
SHA1 hash:
7e44f38c372a00c887d0dbbccfa8c04a733311dd
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a57f1046-b193-44b3-ac77-63f170ad2789/
Parent samples :
7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a
1ebd02f5868d1d9320e811ab81f392e6b2e4d8c9daf8e4d3b254d7aa054db784
c19dda3e71d3e8166c0d106f10eb9fc58036286e50c0cd31dd4efd8a1bc82e7e
6eb2ce986b19563b33a0c241aa33feb4e12ad3427ee3dbfb99f530dba3d8dea7
be68a437bfdced2711715965531cd0951f433f2c689b09bf265fc6e1b9c1c8e8
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

iso 61d68432601ca2a7f8fcd21011419f4e4208f842c3c7c5ecd23066522ddc1713

Formbook

Executable exe 7e896ee66c233b20d802b6c6201b64ff0dfaad30f3d694842f1d7d5d5f5cdb3a

(this sample)

  
Dropped by
MD5 2d4ed8694b5e3a602198c1192f6d4387
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68448/
  
Dropped by
SHA256 61d68432601ca2a7f8fcd21011419f4e4208f842c3c7c5ecd23066522ddc1713
  
URLhaus
https://urlhaus.abuse.ch/url/658570/

Comments