MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b
SHA3-384 hash: c26341c63a6e476794a235522f565a46bc25de240c3a0c74d6a8210c8ca4866f4a5abdb21b98acb9b4dd5964a64a2b2a
SHA1 hash: 77175726680e40eeefdad0578a1d3377486d9fff
MD5 hash: 863bf0dfa1169706f566c070a1e11256
humanhash: magnesium-delta-jersey-item
File name:DHL PACKAGE - PDF.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:405'196 bytes
First seen:2020-09-16 05:57:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 12288:nanOzOlC9Am80quPgdBHh/FOPfe+VYRVORkG:lqltm80qigrHxFGVYbi
Threatray 2'307 similar samples on MalwareBazaar
TLSH 9E842241B361E497D2A603B059B54B2D5AE891153097AF0777C43F8E3D63AA2FD2D383
Reporter cocaman
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/61508/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/467503
Signature
Antivirus / Scanner detection for submitted sample
Creates an undocumented autostart registry key
Detected FormBook malware
Hijacks the control flow in another process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 286161 Sample: DHL PACKAGE - PDF.exe Startdate: 16/09/2020 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 6 other signatures 2->70 11 DHL PACKAGE - PDF.exe 36 2->11         started        process3 file4 40 C:\Users\user\AppData\...\SitulaCystocele.dll, PE32 11->40 dropped 42 C:\Users\user\...\MicrosoftXslDebugProxy.exe, PE32 11->42 dropped 44 C:\Users\user\AppData\...\Vsa7Director.dll, PE32 11->44 dropped 46 4 other files (none is malicious) 11->46 dropped 14 rundll32.exe 11->14         started        process5 signatures6 82 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->82 84 Hijacks the control flow in another process 14->84 86 Maps a DLL or memory area into another process 14->86 17 cmd.exe 14->17         started        20 cmd.exe 14->20         started        process7 signatures8 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->54 56 Modifies the context of a thread in another process (thread injection) 17->56 58 Maps a DLL or memory area into another process 17->58 62 2 other signatures 17->62 22 explorer.exe 17->22 injected 60 Tries to detect virtualization through RDTSC time measurements 20->60 process9 dnsIp10 48 3rdimultimedia.com 160.153.136.3, 49739, 49740, 49741 GODADDY-AMSDE United States 22->48 50 shops.myshopify.com 23.227.38.64, 49738, 80 CLOUDFLARENETUS Canada 22->50 52 2 other IPs or domains 22->52 72 System process connects to network (likely due to code injection or exploit) 22->72 26 NETSTAT.EXE 1 17 22->26         started        30 autochk.exe 22->30         started        signatures11 process12 file13 36 C:\Users\user\AppData\...\597logrv.ini, data 26->36 dropped 38 C:\Users\user\AppData\...\597logri.ini, data 26->38 dropped 74 Detected FormBook malware 26->74 76 Creates an undocumented autostart registry key 26->76 78 Tries to steal Mail credentials (via file access) 26->78 80 4 other signatures 26->80 32 cmd.exe 1 26->32         started        signatures14 process15 process16 34 conhost.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b/
Threat name:
Win32.Spyware.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-09-15 10:52:52 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ueblmrh5cndxr4uocec6izc6qt7u2blionizsdpjblrhvcpqke5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
29247c960e16e376148704241453b7a008a62c050e9d11b2bba111452acb7fa3
FormBook
414578aa9e1ab74c43ae636f64758a5a2dd59ab81619aa054de1fb6c9140f2e6
FormBook
426a7d5241a207054d695ea06f8133260c2684c5598420954f0fde91a03fe059
FormBook
7a42a2ba28ab9ea27b4972e5a8f5c5c066663e3d6427812f0621208bef33ea10
FormBook
ad8c070c48103dbc11875a052aa0447395f6ddda11e3f9e8aed091f0bb14050d
FormBook
b0ae66cd2296539cdeb9f833ff7ebc3616cda6d8068d1883e27a04c9240d0d3f
FormBook
b1d9adc8ee80f24960fb84adbb029695e49763faecbf559f92410d44bf28b0d3
FormBook
d789a675b16eca7a3d78fffd03d6dfc18a396d6eac4da2472b99700ff1cb09c7
FormBook
db4aad17cb58975d3c42dc37b92e7c8bfdce82da52c5eb6a5e87709cf906a684
FormBook
e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69
FormBook
+ 2'297 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200916-6fq5t9pn1e/
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

ace ef911d4f6162d25b42b36bd71b99dd256565a68410c707ee29c40a01f3797036

FormBook

Executable exe a102b644fd134778f28e1105e4645e84ff4d05687351990de90ae27a89f0513b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ef911d4f6162d25b42b36bd71b99dd256565a68410c707ee29c40a01f3797036
Cape
Cape
https://www.capesandbox.com/analysis/61508/

Comments