MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8909f47d9db9c66a8ee7b08cf9dad1551e905d48b76f4c3a2acf926c26752ee7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8909f47d9db9c66a8ee7b08cf9dad1551e905d48b76f4c3a2acf926c26752ee7
SHA3-384 hash: b1588c5ea30d9115d28b9337428eee132c254ad688980640b0aa46729835149db594ab1e17bc2dba70931c81065a38c7
SHA1 hash: 70853b116be889819d6b641da7037f7b4e12bdcf
MD5 hash: 6fa60edc407f4a3679860f8e3dce5d25
humanhash: maine-west-double-maine
File name:nel.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:394'240 bytes
First seen:2020-08-05 07:35:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:XTHW2w/XH67QicNdCIhYQ7PZDITYv8fjS:XjZi67QFE0YQzZ
Threatray 5'275 similar samples on MalwareBazaar
TLSH 0384F11D76A0A509F1B91E3F4C310183DE62F45FEE22D28B29B25279417E68CBD35F62
Reporter JAMESWT_WT
Tags:FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39102/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410389
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious names
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257439 Sample: nel.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Yara detected AntiVM_3 2->43 45 Yara detected FormBook 2->45 47 3 other signatures 2->47 10 nel.exe 1 2->10         started        process3 file4 33 C:\Users\user\AppData\Local\...\nel.exe.log, ASCII 10->33 dropped 59 Tries to detect virtualization through RDTSC time measurements 10->59 61 Injects a PE file into a foreign processes 10->61 63 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->63 14 nel.exe 10->14         started        signatures5 process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 17 explorer.exe 14->17 injected process8 dnsIp9 35 www.office421.com 91.195.240.13, 49746, 80 SEDO-ASDE Germany 17->35 37 www.mariotime.com 17->37 39 2 other IPs or domains 17->39 49 System process connects to network (likely due to code injection or exploit) 17->49 21 wscript.exe 1 17 17->21         started        signatures10 process11 file12 29 C:\Users\user\AppData\...\2MAlogrv.ini, data 21->29 dropped 31 C:\Users\user\AppData\...\2MAlogri.ini, data 21->31 dropped 51 Detected FormBook malware 21->51 53 Tries to steal Mail credentials (via file access) 21->53 55 Creates autostart registry keys with suspicious names 21->55 57 4 other signatures 21->57 25 cmd.exe 1 21->25         started        signatures13 process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8909f47d9db9c66a8ee7b08cf9dad1551e905d48b76f4c3a2acf926c26752ee7/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 06:19:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ree7i7m5xhdgvdxhwcgptwwrkupjaxkiw5xuyorkz6jgyjtvf3tq._file
Verdict:
malicious
Similar samples:
4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8
Formbook
54afdaff6d05973b7c58978614f80dac9060bca2ef2f0e1835fa05b80e3da626
Formbook
9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765
Formbook
9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef
Formbook
b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4
Formbook
bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075
Formbook
bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112
Formbook
da2466ff48f9de5fc946f2c90063f1deb996b01aa93950f51996e888fa93652d
Formbook
da418cd645143899691fa8b036073aaa5320a1d6c855699494f4b9b2419fb12e
Formbook
df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e
Formbook
+ 5'265 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200805-5gv83rcd5e/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8909f47d9db9c66a8ee7b08cf9dad1551e905d48b76f4c3a2acf926c26752ee7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 8909f47d9db9c66a8ee7b08cf9dad1551e905d48b76f4c3a2acf926c26752ee7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/423741/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/39102/

Comments