MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65
SHA3-384 hash: fbb45d1739ddb21746f53113605de0053f77b042e08e136f1b65bcf2eea9adddb96010d77fbba85faa92b606f94cd229
SHA1 hash: bb4984f3c1f8780069ec094b93668e9c45d65187
MD5 hash: 2209b47aae001d2bd001bfdefc337f68
humanhash: princess-ink-pizza-carpet
File name:yeni sipariş.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:736'768 bytes
First seen:2020-07-20 07:42:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:8u4pR1q9I6/kldSCGDyG7kPJM+P3gwntod+ik4g8y3SoD:8uAROPWGIPJM+PwwnTrEloD
Threatray 2'453 similar samples on MalwareBazaar
TLSH 31F4E0C9AAA05400D6ED2FF95E62DA744331BD09F1F2D30F1BC4AC9B297A793D858352
Reporter abuse_ch
Tags:exe FormBook geo TUR


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: host2.himbimarket.com
Sending IP: 72.52.244.66
From: Sevil Gunaydin <info@hmshetamak.com>
Subject: Re: Re: AW: AW: yeni sipariş sorgulama
Attachment: yeni sipariş.zip (contains "yeni sipariş.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28575/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52265.1480.17924.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390989
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247621 Sample: yeni sipari#U015f.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 62 www.freepartmanual.com 2->62 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 Sigma detected: Scheduled temp file as task from temp location 2->76 78 9 other signatures 2->78 11 yeni sipari#U015f.exe 5 2->11         started        signatures3 process4 file5 54 C:\Users\user\AppData\...behaviorgraphxWnILgHDUGmOF.exe, PE32 11->54 dropped 56 C:\...behaviorgraphxWnILgHDUGmOF.exe:Zone.Identifier, ASCII 11->56 dropped 58 C:\Users\user\AppData\Local\...\tmpE37B.tmp, XML 11->58 dropped 60 C:\Users\user\...\yeni sipari#U015f.exe.log, ASCII 11->60 dropped 14 RegSvcs.exe 11->14         started        17 schtasks.exe 1 11->17         started        process6 signatures7 92 Modifies the context of a thread in another process (thread injection) 14->92 94 Maps a DLL or memory area into another process 14->94 96 Sample uses process hollowing technique 14->96 98 2 other signatures 14->98 19 explorer.exe 1 6 14->19 injected 24 conhost.exe 17->24         started        process8 dnsIp9 64 ghs.googlehosted.com 172.217.16.211, 49722, 80 GOOGLEUS United States 19->64 66 www.theballerinashoecompany.com 19->66 68 2 other IPs or domains 19->68 46 C:\Users\user\AppData\Local\...\6lernu.exe, PE32 19->46 dropped 80 System process connects to network (likely due to code injection or exploit) 19->80 82 Benign windows process drops PE files 19->82 26 svchost.exe 1 19 19->26         started        30 6lernu.exe 2 19->30         started        file10 signatures11 process12 file13 48 C:\Users\user\AppData\...48KRlogrv.ini, data 26->48 dropped 50 C:\Users\user\AppData\...50KRlogri.ini, data 26->50 dropped 52 C:\Users\user\AppData\...52KRlogrf.ini, data 26->52 dropped 84 Detected FormBook malware 26->84 86 Tries to steal Mail credentials (via file access) 26->86 88 Tries to harvest and steal browser information (history, passwords, etc) 26->88 90 3 other signatures 26->90 32 cmd.exe 2 26->32         started        36 cmd.exe 1 26->36         started        38 conhost.exe 30->38         started        signatures14 process15 file16 44 C:\Users\user\AppData\Local\Temp\DB1, SQLite 32->44 dropped 70 Tries to harvest and steal browser information (history, passwords, etc) 32->70 40 conhost.exe 32->40         started        42 conhost.exe 36->42         started        signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 07:43:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vtuqbyqx6j7i62mxdbrdypbnzr57sezx74h7sh6funs2nd6xxjsq._file
Verdict:
malicious
Similar samples:
0d59116557f0c4cf0f52239edbc0a9569489279bbe45a690597d9dd8a2401886
FormBook
163065b27e36ce19e815d862a46534b6b7a048be46562ae48c3811fb35fa3338
FormBook
16de0aa2d02fae6460bb173c9104df4fa758343ab226aea79a3910dce19fa58e
FormBook
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
FormBook
5962532a97c0efd1227d42aeddeacf09c0f8c8787e476e650d71ceed4ed52d97
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
9c0d3c463792d704909de3a04cd7a6d31f8094301e8e24950af31cdc5e9f2838
FormBook
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
FormBook
b7a360cf2a3651e663b82407d8aa940f66b4c7f9569fc445771d8bc17f727bef
FormBook
ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e
FormBook
+ 2'443 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200720-f8s6wjsvqx/
Behaviour
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
System policy modification
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Adds policy Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip f466700a7f45a812f832c3d869bd6453aef3a292f3e2cccc39b18e20a3e05203

FormBook

Executable exe ace900e217f27e8f699718623c3c2dcc7bf91337ff0ff91fc5a365a68fd7ba65

(this sample)

  
Dropped by
MD5 197120fbf7a74115cccd479fda8ea4ab
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28575/
  
Dropped by
SHA256 f466700a7f45a812f832c3d869bd6453aef3a292f3e2cccc39b18e20a3e05203

Comments