MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8969c43b9a620f08efca63187be703ec6655dfaa6168956a428ce2821ff67654. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8969c43b9a620f08efca63187be703ec6655dfaa6168956a428ce2821ff67654
SHA3-384 hash: 13e7433a89b82aeceb32d532e983bd9221eb64d3a4ccef2b5dba9b770eb9519db6e94c05e73e6bbca006bc8e84739e5b
SHA1 hash: 6b525444600f4812664ea0758b1051ed1c9e9564
MD5 hash: 63c8d07d3fc0f5efba1f97e7ee155bae
humanhash: timing-crazy-pizza-ink
File name:63c8d07d3fc0f5efba1f97e7ee155bae.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:1'182'888 bytes
First seen:2020-07-22 10:05:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ae24b9fc48ef5fc0c22ba69d0332eeb (3 x ModiLoader, 1 x FormBook)
ssdeep 12288:jMFy8cZqYS3DOPw6fk5t3GdljR8cQ0vLLvUtKjgVoLbZElxOpVDe6BmurUWTNrzP:jgyrST8YCB8cQIbcMbQKT/fMV
Threatray 5'118 similar samples on MalwareBazaar
TLSH 91459D32E16A947FE7EF8DB5AC77B1F46916BE016A30B54366F83C4C6D3D940202A316
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31069/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending an HTTP GET request
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Possible injection to a system process
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394891
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249845 Sample: 2gta75tE2b.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 79 Multi AV Scanner detection for domain / URL 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 6 other signatures 2->85 10 2gta75tE2b.exe 1 2 2->10         started        process3 dnsIp4 67 speedfinance-cloud.gleeze.com 185.241.195.199, 49723, 49725, 49727 NETALISFR Russian Federation 10->67 53 C:\Users\user\fmvsecr.exe, PE32 10->53 dropped 103 Drops PE files to the user root directory 10->103 105 Writes to foreign memory regions 10->105 107 Injects a PE file into a foreign processes 10->107 15 ieinstal.exe 10->15         started        file5 signatures6 process7 signatures8 109 Modifies the context of a thread in another process (thread injection) 15->109 111 Maps a DLL or memory area into another process 15->111 113 Sample uses process hollowing technique 15->113 115 Queues an APC in another process (thread injection) 15->115 18 explorer.exe 7 15->18 injected process9 dnsIp10 57 www.retirewithequis.com 18->57 59 www.justdoyu.com 18->59 61 www.752cag.info 18->61 21 ipconfig.exe 19 18->21         started        25 mshta.exe 19 18->25         started        27 systray.exe 18->27         started        29 mshta.exe 19 18->29         started        process11 file12 47 C:\Users\user\AppData\...4760logrv.ini, data 21->47 dropped 49 C:\Users\user\AppData\...4960logri.ini, data 21->49 dropped 51 C:\Users\user\AppData\...5160logrf.ini, data 21->51 dropped 87 Detected FormBook malware 21->87 89 Tries to steal Mail credentials (via file access) 21->89 91 Tries to harvest and steal browser information (history, passwords, etc) 21->91 95 2 other signatures 21->95 31 cmd.exe 2 21->31         started        35 fmvsecr.exe 25->35         started        93 Tries to detect virtualization through RDTSC time measurements 27->93 38 fmvsecr.exe 29->38         started        signatures13 process14 dnsIp15 55 C:\Users\user\AppData\Local\Temp\DB1, SQLite 31->55 dropped 69 Tries to harvest and steal browser information (history, passwords, etc) 31->69 40 conhost.exe 31->40         started        63 speedfinance-cloud.gleeze.com 35->63 71 Multi AV Scanner detection for dropped file 35->71 73 Machine Learning detection for dropped file 35->73 75 Writes to foreign memory regions 35->75 77 Injects a PE file into a foreign processes 35->77 42 ieinstal.exe 35->42         started        65 speedfinance-cloud.gleeze.com 38->65 45 ieinstal.exe 38->45         started        file16 signatures17 process18 signatures19 97 Modifies the context of a thread in another process (thread injection) 42->97 99 Maps a DLL or memory area into another process 42->99 101 Sample uses process hollowing technique 42->101
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8969c43b9a620f08efca63187be703ec6655dfaa6168956a428ce2821ff67654/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 10:07:06 UTC
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rfu4io42mihqr36kmmmhxzyd5rtflx5kmfujk2scrtrieh7wozka._file
Verdict:
malicious
Similar samples:
1b3a9b2b91e235e345e7ed4e944e219133eed160548fb27594e9493ad71785a6
FormBook
3ceb6064faccd6e14f29b29580731e0239928c13f5ee8d942fa743530b2ed73b
FormBook
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
FormBook
aa7cc20a00c3eeaeeaf4ddf79ea3dd717320050777ce67afe196afc443c0ac60
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
e98e20e7f6ca6411a6da4193276bd5e1a58602f761f2d3b33281e88dd411d9c7
FormBook
+ 5'108 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200722-591b4lbr92/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Script User-Agent
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8969c43b9a620f08efca63187be703ec6655dfaa6168956a428ce2821ff67654

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_dbatloader_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

FormBook

Executable exe 8969c43b9a620f08efca63187be703ec6655dfaa6168956a428ce2821ff67654

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/415176/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/31069/

Comments