MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e7fc8b6366c4240285db7831d6fd712e27f8be4f83c757e77b60b01a7744624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e7fc8b6366c4240285db7831d6fd712e27f8be4f83c757e77b60b01a7744624
SHA3-384 hash: 377e81e1d700e5c093342c6f216c43f0c5ec2ff3ea31ae39a4ee5ed883530dc53e8d14db2d8e09a9feb12dd68354f930
SHA1 hash: a9c5b27eb91fed7b3a859fb9316e4eea54d55a54
MD5 hash: 023103365cf12412cfe45f6c4a6d3028
humanhash: sink-winner-eleven-lion
File name:URGENT INQUIRY.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:301'056 bytes
First seen:2020-07-02 07:16:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:IJsLntYfCPEaVi/fwRzPOsCfyi8YdpmZ2OX5mLs:xntCCcfgm6i8YdpNOX5m
Threatray 5'112 similar samples on MalwareBazaar
TLSH 8554CF206BFC9214FDBE1B74EAB60244533379A96432D32E064D612E1FB7F858691773
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: node02.hostmailservice.de
Sending IP: 91.198.228.13
From: Jean-Paul Mochet <Jean-PaulMochet@franprix.com>
Subject: ***UNCHECKED*** RE:URGENT INQUIRY/QUOTE
Attachment: URGENT INQUIRY.rar (contains "URGENT INQUIRY.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18352/
Detection(s):
SecuriteInfo.com.Fareit-FVR023103365CF1.4152.UNOFFICIAL
Create hunting rule

Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/381381
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 242839 Sample: URGENT INQUIRY.exe Startdate: 02/07/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 4 other signatures 2->42 10 URGENT INQUIRY.exe 3 2->10         started        process3 file4 28 C:\Users\user\...\URGENT INQUIRY.exe.log, ASCII 10->28 dropped 52 Injects a PE file into a foreign processes 10->52 14 URGENT INQUIRY.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.musaenclave.com 66.96.145.128, 49736, 80 BIZLAND-SDUS United States 17->30 32 www.mobilgeeks.store 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 wlanext.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9e7fc8b6366c4240285db7831d6fd712e27f8be4f83c757e77b60b01a7744624/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 07:18:07 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tz74rnrwnrbeakc5w6br236xclrh7c7e7a6hk7txwyfqdj3uiysa._file
Verdict:
malicious
Similar samples:
4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966
FormBook
4cc50598ab30ac06a20ce6a6a56deedb59ecb519a814ac791b194f49b63a7daa
FormBook
5e5d88343393a5a1f98a66c8e5967023e200dcf3be81bc0a3c210396156d0fea
FormBook
688ac9fd686d48bc6fec56f27e814c48d7849f548ef14d763dd446b61140c388
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
80e9eded592bf14b7597f9feaedb2899c1ce69ea74f588f02fdea70ced4539c6
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
FormBook
c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60
FormBook
fefbb000b1c667271dde2ffd5f749a389388d2cbe60b710b86e86a3a47f3de9e
FormBook
+ 5'102 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200702-pzg6ve7g1e/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Deletes itself
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar f3d130c73541b8ac605bd25452a2a01ac6d723e3af2dc73725dc8b24e62cc6ec

FormBook

Executable exe 9e7fc8b6366c4240285db7831d6fd712e27f8be4f83c757e77b60b01a7744624

(this sample)

  
Dropped by
MD5 d05064af40af32bcad6ab99eb5dd5ec3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f3d130c73541b8ac605bd25452a2a01ac6d723e3af2dc73725dc8b24e62cc6ec
Cape
Cape
https://www.capesandbox.com/analysis/18352/

Comments