MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f
SHA3-384 hash: 79218d63bfeb6644d9269eb30c8c35b62a76a475fa79cb303503e2557bc5fdfd24e66f8e45b79eeafae7b42de2304369
SHA1 hash: b2a15802c1c3da33fab883629a9ad38290fa321f
MD5 hash: b173e31f4ff38cafc13cc4092f5c19fb
humanhash: illinois-carbon-yankee-harry
File name:Medical supplies Order - FARAM.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:636'928 bytes
First seen:2020-08-31 08:46:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:uSsveLpKNNJqq9JQnJ8gy9uUQ6PrGUMJSyH8wCFYzS9XladpqgA+:FKcq9JZgIQ6PrGeLYzS9Xla7q
Threatray 4'198 similar samples on MalwareBazaar
TLSH 9ED4BF69030CAF2FC818B5BE645040DCD1F19B80EA38F5C8FDA730E559C569EA76E6C6
Reporter abuse_ch
Tags:Endurance exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 162-241-214-233.unifiedlayer.com
Sending IP: 162.241.214.233
From: Customer Service <customerservice@faram-ea.com>
Subject: FARAM - Kenya Medical Supplies Order
Attachment: Medical supplies Order - FARAM.gz (contains "Medical supplies Order - FARAM.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53318/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455048
Signature
Antivirus / Scanner detection for submitted sample
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279899 Sample: Medical supplies Order - FA... Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 7 other signatures 2->49 10 Medical supplies Order - FARAM.exe 3 2->10         started        process3 file4 35 C:\...\Medical supplies Order - FARAM.exe.log, ASCII 10->35 dropped 61 Injects a PE file into a foreign processes 10->61 14 Medical supplies Order - FARAM.exe 10->14         started        17 Medical supplies Order - FARAM.exe 10->17         started        signatures5 process6 signatures7 63 Modifies the context of a thread in another process (thread injection) 14->63 65 Maps a DLL or memory area into another process 14->65 67 Sample uses process hollowing technique 14->67 69 Queues an APC in another process (thread injection) 14->69 19 explorer.exe 14->19 injected process8 dnsIp9 37 www.oakhippo.com 19->37 39 www.kj1one.loan 19->39 41 2 other IPs or domains 19->41 51 System process connects to network (likely due to code injection or exploit) 19->51 23 wlanext.exe 1 17 19->23         started        signatures10 process11 file12 31 C:\Users\user\AppData\...\952logrv.ini, data 23->31 dropped 33 C:\Users\user\AppData\...\952logri.ini, data 23->33 dropped 53 Detected FormBook malware 23->53 55 Tries to steal Mail credentials (via file access) 23->55 57 Tries to harvest and steal browser information (history, passwords, etc) 23->57 59 3 other signatures 23->59 27 cmd.exe 1 23->27         started        signatures13 process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 02:19:21 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xca6kjtdxifuv4bj6gc5b74lc3d6o7zfhx4quse6i23h4rgdyihq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
12cb6d99b66fe413685b633d1238a5695aa8dc77489bb8ab23f8dd15012a0653
Formbook
165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d
Formbook
22f4207de77f987b6791843539e25e05ff3f6c010e805330210399e23c323b87
Formbook
51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501
Formbook
5767bcddaf9404e411f25e457d8af27eeefa15515f415e901b6e7412708e5209
Formbook
8509ca4c5f81525eb6f300294703c9c66af0369374bc064ac024c9dae62c7092
Formbook
89a226afd800c763daf6097a05275bb5e100b168e8c3fa46a73807075dcec45c
Formbook
c2d515e9dd5705196004ff3a32c774ac254b80d3fe97d6d8619c0468ef6ecabf
Formbook
ca3ab25a8c3213aa08113b09cc4b60df1d2c440aeb0e02c1e3bd192a57f86208
Formbook
d6330004986cb2968200bad58cb3f1135e2383d9bdf6894feff0f28f952f4c2b
Formbook
+ 4'188 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200831-vckqtq32a2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.domaky.com/a0u/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 8905a22150c6b1994c150a19b1f2f2197c226b055aff041efbe40ab586f9cd8f

Formbook

Executable exe b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f

(this sample)

  
Dropped by
MD5 bd38d0fe93fd2e7ab726db2f92aa2f2f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53318/
  
Dropped by
SHA256 8905a22150c6b1994c150a19b1f2f2197c226b055aff041efbe40ab586f9cd8f

Comments