MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 854146ab0835f912d31018649e0f97ebde7a2267ec1085a36bc0dc73f5b6f2a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	854146ab0835f912d31018649e0f97ebde7a2267ec1085a36bc0dc73f5b6f2a9
SHA3-384 hash:	9ee8cfb83b00aef3b947a7641102c40a64692efa9c1ec02945ebf6a38736688aa60175ca6a2807318ad6a86f64d01140
SHA1 hash:	44df6d89c790acc64db8d3d52b7afc087721610a
MD5 hash:	ece61073ffcd0bc9eb59f719165cfe1b
humanhash:	zulu-gee-eight-burger
File name:	PO_3700406082020 PDF.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	463'872 bytes
First seen:	2020-08-06 06:53:47 UTC
Last seen:	2020-08-12 14:23:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:Rqsle0zz4lWYC1c+mNCKYmdwh63xB0Hfplij6iPl:Le04oh1c+mNCKYID3xB0/zij6iPl
Threatray	4'949 similar samples on MalwareBazaar
TLSH	43A4E0441A984B22DB3C4BFB4264993547B19F2F6C22E3685FD631EB097DBF40640ADB
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

From: Sidheshwar Vishwakarma <sidheshwar.vishwakarma@tatasteel.com>
Subject: Puurchse Order of August
Attachment: PO_3700406082020 PDF.r00 (contains "PO_3700406082020 PDF.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/40202/

Detection(s):

Sanesecurity.Rogue.0hr.20200806-0604.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Launching cmd.exe command interpreter

Setting browser functions hooks

Unauthorized injection to a system process

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/412347

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/854146ab0835f912d31018649e0f97ebde7a2267ec1085a36bc0dc73f5b6f2a9/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-06 03:40:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qvaunkyigx4rfuyqdbsj4d4x5pphuith5qiili3lydohh5nw6kuq._file

Verdict:

malicious

FormBook

66a51591c6b5e01a8aa9f8db61e81d2508b3a6535d7c7a53c501f35093b28fa4

FormBook

6ff25388a91cbed0a11467e592e39e34c54de49d61876a2a201554e67c5b8cb4

FormBook

7bee02185a682294214d68a1c41ed3e0ebc53b275b200fd8b4a03fc92e1c463a

FormBook

8fa9dd16bb791bea50566208c8b216acc3c41e5c65495f34c3dcf99c595fccc8

FormBook

d6cfa16240c572c1d310d0e3f9a3a48254103dbfdaf47d08b31bd255a6022d50

FormBook

db31ede125999d44d9c886d76eb8d5c5ee280f17130e3e3138bf1f76935d1b99

FormBook

dda62be10b5d6c904c056f244d721e7dfc5bd60d033992a4763fb1105e0c334f

FormBook

ec34c3db0d2c865486e52760c0d35dab95adcb3544f2e03f5023495d112d64ba

FormBook

f3a30108ab40b7f31ad7ad191bb41bd3ad148d09597705c1ec0bc0352d18c29e

FormBook

+ 4'939 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

rat evasion trojan persistence spyware stealer family:formbook

Link:

https://tria.ge/reports/200806-f34k5ljrzj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Reads user/profile data of web browsers

Adds policy Run key to start application

Formbook Payload

Formbook

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/854146ab0835/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/854146ab0835f912d31018649e0f97ebde7a2267ec1085a36bc0dc73f5b6f2a9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

r00 01f9a6fdf5312900249d3500f0b0e064ffecb43d7686fa0add2d1f602f4f0402

FormBook

exe 854146ab0835f912d31018649e0f97ebde7a2267ec1085a36bc0dc73f5b6f2a9

(this sample)

Dropped by

MD5 5b57c73b3016bc02ac226ffebbf9e832

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/40202/

Dropped by

SHA256 01f9a6fdf5312900249d3500f0b0e064ffecb43d7686fa0add2d1f602f4f0402

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample