MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb8016149b1cfa77fa6614decb51d21b20385e2749f1b667ad0d51615c9baf05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb8016149b1cfa77fa6614decb51d21b20385e2749f1b667ad0d51615c9baf05
SHA3-384 hash: ff18bcc602c9f4d37597cffa640a349a5b252a98cc1128b24fe22f721135eb8c9e23b33104ce054124d95e9fb9559343
SHA1 hash: bd4db6b4d793dfc75ffc6344bf431a5965d00088
MD5 hash: f8980dd4c0f737f325d5a064e3c0cca9
humanhash: diet-angel-arizona-yellow
File name:Details101.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'051'136 bytes
First seen:2020-07-21 14:01:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e381c455fbb563ca5f2237e8dff94bd (4 x RemcosRAT, 2 x Formbook, 1 x NetWire)
ssdeep 24576:J0vtfbdNzTnlj/jllmyXNybwEIVKGfHNBJV2jjFP0Mh:J0v9f/NxEIVRfHfJV2nFP0M
Threatray 5'406 similar samples on MalwareBazaar
TLSH A6259E23F2A08D32D1331538DC535ABC966EBF153A25984D6AE6DF0C8F3918179393A7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.taxilenits.com
Sending IP: 45.95.170.150
From: Taxilenits Inc <info@taxilenits.com>
Subject: Purchase Price
Attachment: Details101.img (contains "Details101.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30178/
Detection(s):
SecuriteInfo.com.GenericRXAA-AAF8980DD4C0F7.11859.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/393299
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249019 Sample: Details101.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected FormBook 2->54 56 3 other signatures 2->56 9 Details101.exe 1 3 2->9         started        process3 dnsIp4 38 cdn.discordapp.com 162.159.135.233, 443, 49734, 49737 CLOUDFLARENETUS United States 9->38 36 C:\Users\user\AppData\Local\...\Cdnsfck.exe, PE32 9->36 dropped 64 Modifies the context of a thread in another process (thread injection) 9->64 66 Maps a DLL or memory area into another process 9->66 68 Sample uses process hollowing technique 9->68 70 2 other signatures 9->70 14 explorer.exe 4 9->14 injected file5 signatures6 process7 dnsIp8 46 www.samzoy.men 14->46 48 www.quintessentiallykathy.com 14->48 17 mshta.exe 1 14->17         started        19 mshta.exe 19 14->19         started        21 wlanext.exe 14->21         started        24 2 other processes 14->24 process9 signatures10 26 Cdnsfck.exe 17->26         started        30 Cdnsfck.exe 19->30         started        58 Modifies the context of a thread in another process (thread injection) 21->58 60 Maps a DLL or memory area into another process 21->60 62 Tries to detect virtualization through RDTSC time measurements 21->62 32 cmd.exe 1 21->32         started        process11 dnsIp12 40 cdn.discordapp.com 26->40 72 Multi AV Scanner detection for dropped file 26->72 74 Machine Learning detection for dropped file 26->74 76 Modifies the context of a thread in another process (thread injection) 26->76 78 Tries to detect virtualization through RDTSC time measurements 26->78 42 162.159.129.233, 443, 49739 CLOUDFLARENETUS United States 30->42 44 cdn.discordapp.com 30->44 80 Maps a DLL or memory area into another process 30->80 82 Sample uses process hollowing technique 30->82 34 conhost.exe 32->34         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb8016149b1cfa77fa6614decb51d21b20385e2749f1b667ad0d51615c9baf05/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 14:03:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xoabmfe3dt5hp6tgctpmwuosdmqdqxrhjhy3mz5nbviwcxe3v4cq._file
Verdict:
malicious
Similar samples:
0e319c36c39c8504a0349445b2282bc450758b7e670a3477c0653b1daafffaff
Formbook
37812e3e7309cc0348c77208870cbeb44636a785dec26241fc6e392905edf91e
Formbook
42895dc552049d3cfd80ced83d8e2fbfc30adc3799e3748aa5f9e7df32373a58
Formbook
85774cdd3163c5e259dafdf67b113fd69fa8f4f9ebd964ee91b099bd2f58ebfd
Formbook
9ebbeaf380d12e97972f57de2e052f1e043370d0be0bcd0deb3ebc5334cc68a2
Formbook
a34a05f4fba031be97dcc4bb04e0e45a75d1034cd2d32177b26a65de7a1306a0
Formbook
a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3
Formbook
b1ab330d8407adbc0731fd66b869bca53515ccf732d1ad498515e5e04f993de4
Formbook
da6fd7aeb4a04410109f9f170589fe5262a1922a7dabc5b7b26e0af00dcdaba3
Formbook
f6557b3412ca78e87ff38632aaf24732b74da646678fd6ea5f01134bb498fd14
Formbook
+ 5'396 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware persistence trojan stealer family:formbook
Link:
https://tria.ge/reports/200721-f5phj31n5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
System policy modification
Modifies Internet Explorer settings
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Gathers network information
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb8016149b1cfa77fa6614decb51d21b20385e2749f1b667ad0d51615c9baf05

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 03138c12569d3a1e17d4b2b9ca9f849012ab75bcba12bcf51637b01f98da822a

Formbook

Executable exe bb8016149b1cfa77fa6614decb51d21b20385e2749f1b667ad0d51615c9baf05

(this sample)

  
Dropped by
MD5 1056784c1221cee6cfc60f07e974da03
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30178/
  
Dropped by
SHA256 03138c12569d3a1e17d4b2b9ca9f849012ab75bcba12bcf51637b01f98da822a

Comments