MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be62fe48cc7e28c398424847ed5a73946fe0ae70f2af9980ffc68c57c2103550. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be62fe48cc7e28c398424847ed5a73946fe0ae70f2af9980ffc68c57c2103550
SHA3-384 hash: d6f109d733b3e02be3bb1d88bdd8a5e8dc59727b525954e5283008f8c74a588ac42eb722d6f11c4cfe80c71edf5aab6d
SHA1 hash: ae153477bff72e61f6e7cfe73aa27fc9fd3649ce
MD5 hash: 41373f51b2aaed613b4dd95c3a7fe8b9
humanhash: diet-maryland-beryllium-golf
File name:ORDER-8043222VN.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:465'920 bytes
First seen:2020-08-12 06:18:58 UTC
Last seen:2020-08-12 07:11:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7+grpiAuxBoKHvzo1fn2lZ4V5AbJPdeW:XQAuxpvRX4V50J
Threatray 5'318 similar samples on MalwareBazaar
TLSH F5A4D098366C73EEC8DB9D35996C3C10A6217D67971BE203940335AD5A3E6DA8F102F3
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: manda.com
Sending IP: 45.127.62.185
From: Smarth <mtrebejo@sanpablo.com.pe>
Subject: Request for Quote 8043222
Attachment: ORDER-8043222VN.z (contains "ORDER-8043222VN.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/43911/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43643223.27831.1506.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/421412
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 263146 Sample: ORDER-8043222VN.exe Startdate: 12/08/2020 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 Yara detected AntiVM_3 2->48 50 7 other signatures 2->50 10 ORDER-8043222VN.exe 7 2->10         started        process3 file4 32 C:\Users\user\AppData\...behaviorgraphbODdmmEWxm.exe, PE32 10->32 dropped 34 C:\Users\...behaviorgraphbODdmmEWxm.exe:Zone.Identifier, ASCII 10->34 dropped 36 C:\Users\user\AppData\Local\...\tmp3DCC.tmp, XML 10->36 dropped 38 C:\Users\user\...\ORDER-8043222VN.exe.log, ASCII 10->38 dropped 60 Tries to detect virtualization through RDTSC time measurements 10->60 62 Injects a PE file into a foreign processes 10->62 14 ORDER-8043222VN.exe 10->14         started        17 schtasks.exe 1 10->17         started        signatures5 process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 19 explorer.exe 14->19 injected 23 conhost.exe 17->23         started        process8 dnsIp9 40 www.hkasgard.com 113.10.154.25, 49759, 80 NWT-AS-APASnumberforNewWorldTelephoneLtdHK Hong Kong 19->40 42 www.culss2.com 19->42 52 System process connects to network (likely due to code injection or exploit) 19->52 25 rundll32.exe 19->25         started        signatures10 process11 signatures12 54 Modifies the context of a thread in another process (thread injection) 25->54 56 Maps a DLL or memory area into another process 25->56 58 Tries to detect virtualization through RDTSC time measurements 25->58 28 cmd.exe 1 25->28         started        process13 process14 30 conhost.exe 28->30         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be62fe48cc7e28c398424847ed5a73946fe0ae70f2af9980ffc68c57c2103550/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 06:20:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzrp4sgmpyumhgccjbd62wttsrx6bltq6kxztah7y2gfpqqqgvia._file
Verdict:
malicious
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
FormBook
347aa505ad319b4d8ee54aabe34dfc2af12b4747af23c6b635821ba9aedd0e32
FormBook
3ed07bacd6fc8880ef3e79d21c4d3c6397f95e027d663aea9af21c074b10f67b
FormBook
487d192d19c37c9d4841141d3a41248b70400caa0cdcaed3d94ac7d4f3782222
FormBook
a09022457c7802a48a3f2ef32b8008da65fb4b28b43c8e6ac37c44f0a3ecc028
FormBook
a63970797fb58518941452743a98384af7c90c90adbf9f18146d721105ec843a
FormBook
ae8a8ca63a358e0c9cd1ce5100464f1c1dbd2b7724632fffc5e15152c67dc6fb
FormBook
d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb
FormBook
e273d82c782a01c388cc619e6832bfb43301f4308884751b9393262302fc84c0
FormBook
fad88fa44fea006090c7d5dae844338afcd1b7c0de32b31ee4e074fcb9474f41
FormBook
+ 5'308 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200812-j3r24lys9e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.regulars6.info/mw4n/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/be62fe48cc7e28c398424847ed5a73946fe0ae70f2af9980ffc68c57c2103550

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z 6af83d4ffe674cb01e254e55da42af643e7c21ed5a85b2342164fea83cadeef5

FormBook

Executable exe be62fe48cc7e28c398424847ed5a73946fe0ae70f2af9980ffc68c57c2103550

(this sample)

  
Dropped by
MD5 13aff805f4ae8457cb1010904e51ca07
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6af83d4ffe674cb01e254e55da42af643e7c21ed5a85b2342164fea83cadeef5
Cape
Cape
https://www.capesandbox.com/analysis/43911/

Comments