MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c37b5db790caaad96b2ae291910803a016cdae230b743bc2029a21ded85b9f03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c37b5db790caaad96b2ae291910803a016cdae230b743bc2029a21ded85b9f03
SHA3-384 hash: 5731aedb50b95788ec27b6bf89bd09cc8f0495c550af627cedc4aeae0a2bbf510a05064f71166d8b157a4f59e7432c9a
SHA1 hash: e7360c15d4cc0dc0fa3ff747b64d6c0a52e41861
MD5 hash: 7d7e555fa23b77a241816576939337e7
humanhash: lithium-arizona-spaghetti-leopard
File name:nuovo ordine.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:400'896 bytes
First seen:2020-08-05 08:11:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:PDBP8dQvDotx6LrIAdixZi4//j/Rarre8cfWn:LBP8KvkLtjfiE/7UW
Threatray 5'089 similar samples on MalwareBazaar
TLSH 8D84E01C36E0555EF2BE4E3F5C7011839D22F94FCE26C68B2AB62139057E55CAC25FA2
Reporter abuse_ch
Tags:exe FormBook geo ITA


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server107.neubox.net
Sending IP: 174.136.28.112
From: Darko Petrović <proveedores@promedic.com.mx>
Subject: Re: Re: nuova richiesta d'ordine
Attachment: nuovo ordine.zip (contains "nuovo ordine.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39171/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.32362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410513
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257520 Sample: nuovo ordine.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 43 www.buzhouorg.com 2->43 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Yara detected AntiVM_3 2->55 57 6 other signatures 2->57 11 nuovo ordine.exe 5 2->11         started        signatures3 process4 file5 35 C:\Users\user\AppData\Roaming\iaSzQzjCf.exe, PE32 11->35 dropped 37 C:\Users\...\iaSzQzjCf.exe:Zone.Identifier, ASCII 11->37 dropped 39 C:\Users\user\AppData\Local\...\tmpB9A6.tmp, XML 11->39 dropped 41 C:\Users\user\...\nuovo ordine.exe.log, ASCII 11->41 dropped 61 Writes to foreign memory regions 11->61 63 Allocates memory in foreign processes 11->63 65 Injects a PE file into a foreign processes 11->65 15 RegSvcs.exe 11->15         started        18 RegSvcs.exe 11->18         started        20 schtasks.exe 1 11->20         started        signatures6 process7 signatures8 73 Modifies the context of a thread in another process (thread injection) 15->73 75 Maps a DLL or memory area into another process 15->75 77 Sample uses process hollowing technique 15->77 79 Queues an APC in another process (thread injection) 15->79 22 explorer.exe 15->22 injected 81 Tries to detect virtualization through RDTSC time measurements 18->81 26 conhost.exe 20->26         started        process9 dnsIp10 45 www.315px.com 172.252.94.14, 49734, 80 EGIHOSTINGUS United States 22->45 47 www.voizers.com 22->47 49 www.edgaralanbro.com 22->49 59 System process connects to network (likely due to code injection or exploit) 22->59 28 msiexec.exe 22->28         started        signatures11 process12 signatures13 67 Modifies the context of a thread in another process (thread injection) 28->67 69 Maps a DLL or memory area into another process 28->69 71 Tries to detect virtualization through RDTSC time measurements 28->71 31 cmd.exe 1 28->31         started        process14 process15 33 conhost.exe 31->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c37b5db790caaad96b2ae291910803a016cdae230b743bc2029a21ded85b9f03/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 01:39:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yn5v3n4qzkvns2zk4kizccadualm3lrdbn2dxqqctiq55wc3t4bq._file
Verdict:
malicious
Similar samples:
5919e2d01fbc46e0aedd07630294976681fbb688e1b226dab43e60309747a877
Formbook
6d176caf6c21bdc47aa0ee2e6e42f37d2f4c4a810af40dd7343da25cfd306bd5
Formbook
7df633d240b956e23b7328ae7121f7efc2a80090dbe38f2e0138d90084a795fe
Formbook
9bd3202d7f71a48a80d612198106d7180c0e0350a79c970863ec0cd19cc6b47a
Formbook
aa4fad19caeb7d4d9abd68155eee268619442c6cfc8a69c2bc337dd4efdf4b4d
Formbook
bc207dbe79daf9a2da67fd90beef3fbe5db670288fd9c1da72ccda9c65d3d028
Formbook
c2100ac52466885fcb64010897d0c7a4178a5c00c47e13261f66976b38f26aaf
Formbook
e3262e18e77da24473b5af2117f10a3121c8ed1a832c6e1b0f5a8f0d7e5fecda
Formbook
f19931c3ed4df0c75c53daf0e7af1cfe86fc369b0fe99c1557f0b3708a78e868
Formbook
f4156e15b465020e6687a23a63eb4b7c84a18f90ead4665087c6c2e5a09b455d
Formbook
+ 5'079 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence spyware trojan stealer family:formbook evasion
Link:
https://tria.ge/reports/200805-4aetk2mjks/
Behaviour
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Reads user/profile data of web browsers
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c37b5db790caaad96b2ae291910803a016cdae230b743bc2029a21ded85b9f03

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 3614d38f71c129eda85ef01488a00a61661e3bb0c7963b15fb6a3cbffdc54ba4

Formbook

Executable exe c37b5db790caaad96b2ae291910803a016cdae230b743bc2029a21ded85b9f03

(this sample)

  
Dropped by
MD5 74cd37196f1ab70f0bcfdcd20415f1c3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39171/
  
Dropped by
SHA256 3614d38f71c129eda85ef01488a00a61661e3bb0c7963b15fb6a3cbffdc54ba4

Comments