MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0
SHA3-384 hash: 8ec2329d37f7850750550a3a5fa0991d5f058622acdebdc8b1bbb55b02a11db5df505aa3caec31c5babc387531f64139
SHA1 hash: d37f7ae57a100458dc3cfad5cb3e6af26bad9edb
MD5 hash: 1f77c450081d0de69307a31715072f1f
humanhash: robin-connecticut-angel-maryland
File name:purchase order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:961'024 bytes
First seen:2020-08-04 09:24:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cKG8gctD8HOJrTGBuMq1V5p4wJ8hkdTq8WitngY/5/qcC0LIRi1L+56z9CL:cL8gm8H2GBuJVJZqy/qcCxRi9O6z8
Threatray 5'131 similar samples on MalwareBazaar
TLSH 1F155BC2F1449A51CC695F3A8D23DA9443737D6AEF47D70634C4BA2B78F34C29A26683
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: c03.ailesrv.net
Sending IP: 122.14.135.247
From: Bertsch Foodtec <deai@c03.ailesrv.net>
Reply-To: deai@c03.ailsv.net
Subject: URGENT seafood demand 340/090720
Attachment: purchase order.arj (contains "purchase order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38406/
Detection(s):
SecuriteInfo.com.Generic.mg.1f77c450081d0de6.15607.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408974
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 256721 Sample: purchase order.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 33 www.galge.info 2->33 45 Malicious sample detected (through community Yara rule) 2->45 47 Yara detected AntiVM_3 2->47 49 Yara detected FormBook 2->49 51 6 other signatures 2->51 10 purchase order.exe 3 2->10         started        signatures3 process4 file5 31 C:\Users\user\...\purchase order.exe.log, ASCII 10->31 dropped 53 Injects a PE file into a foreign processes 10->53 14 purchase order.exe 10->14         started        signatures6 process7 signatures8 55 Modifies the context of a thread in another process (thread injection) 14->55 57 Maps a DLL or memory area into another process 14->57 59 Sample uses process hollowing technique 14->59 61 Queues an APC in another process (thread injection) 14->61 17 svchost.exe 14->17         started        20 explorer.exe 14->20 injected 23 autochk.exe 14->23         started        25 autochk.exe 14->25         started        process9 dnsIp10 39 Modifies the context of a thread in another process (thread injection) 17->39 41 Maps a DLL or memory area into another process 17->41 43 Tries to detect virtualization through RDTSC time measurements 17->43 27 cmd.exe 1 17->27         started        35 www.mfix.ltd 20->35 37 www.jlap.ltd 20->37 signatures11 process12 process13 29 conhost.exe 27->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 09:26:11 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjjiar5hza44vbhgmztaobp6wk6nuzakbvlinuddibsemf3phtaa._file
Verdict:
malicious
Similar samples:
07f7b852dc1cd3c5527fef6c09019b723a9e17ddc6b236c16e992784940b7a81
FormBook
11ed9b9e406c0dd0f8eebc68a84ed4790d73d051584206acce260627390ec049
FormBook
26f40af0e83d93213e01539affe12f208bdb65f2dd98223b1662c22eb4e243b5
FormBook
59793c1ac9d8537e06996b0a09f161deb98a77d527b0bc97b18e15972f120a2d
FormBook
70ecffff57ecd39682bc7de003d937b43d0b0c9bfaadd315d236627475608e54
FormBook
9e31a9eedd25bd1b57d01f6f9f265cf5d13218f3e3e1866128d061ba5c77c452
FormBook
aa75e63b890a713e629ed607eb77aceb60982bd0027a9189893c0ac63827f116
FormBook
b5cfea4c983458975c376cb9ff0ebd5feb4a426dc83c9db60264678a43eef6e9
FormBook
b8a70285a4c92a2f629bcb9f0beafccf5ac73e934e28401b970ad4ca6d8bc60b
FormBook
bf694824d6cbf6fba77ce087678b03ee8243a245b4b730eb55fb83e83b8dff8e
FormBook
+ 5'121 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200804-wygvamlen6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

arj a814cdb539ebad35f847a1eaa221cc9a008b4603da3585e9a0cb67af36d108f0

FormBook

Executable exe b2528047a7c839ca84e666660705feb2bcda640a0d5686d063406446176f3cc0

(this sample)

  
Dropped by
MD5 36b570f6919dfcf42ba17fca08d6e03c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a814cdb539ebad35f847a1eaa221cc9a008b4603da3585e9a0cb67af36d108f0
Cape
Cape
https://www.capesandbox.com/analysis/38406/

Comments