MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5219c1f956fe3fd523989a140c35f2ffbcbc7d79218262a29f6a660985175c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5219c1f956fe3fd523989a140c35f2ffbcbc7d79218262a29f6a660985175c0
SHA3-384 hash: 0b9297b8430895d3588e77303780b049462dc200a8f558bca02a92246caaeff82e74aa778daa5e1c0a6b69eb9b8c4496
SHA1 hash: 1597c510081e255c894433f6088828c4dca23861
MD5 hash: 97e3d071f835f5b071dc5e1cb72b6113
humanhash: march-pizza-oranges-ink
File name:BL_4050669430_PDF.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:790'016 bytes
First seen:2020-10-20 07:25:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:N+N0/J2iNli3hZXUbIfPTsF46eqbjbUPVGYM0EJwMEH/4TH+zJalOmGvpCTTqRT9:Nzh1ni3hybIfPA+N6Fez
TLSH 4FF48CAD761072DEC867C9B2CA541C64FBA0787B431BE243906325ADDE5E897DF201F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: box.dhlconnext.xyz
Sending IP: 192.236.209.13
From: EPSA EXCAVACIONES MX. S.A. DE C.V. <office@dhlconnext.xyz>
Subject: Re: B/L# 4050669430
Attachment: BL_4050669430 DOC_PDF.IMG (contains "BL_4050669430_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73275/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Forced shutdown of a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497181
Signature
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300753 Sample: BL_4050669430_PDF.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 8 other signatures 2->51 10 BL_4050669430_PDF.exe 3 2->10         started        process3 file4 37 C:\Users\user\...\BL_4050669430_PDF.exe.log, ASCII 10->37 dropped 65 Writes to foreign memory regions 10->65 67 Injects a PE file into a foreign processes 10->67 14 vbc.exe 10->14         started        signatures5 process6 signatures7 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Maps a DLL or memory area into another process 14->71 73 Sample uses process hollowing technique 14->73 75 2 other signatures 14->75 17 explorer.exe 14->17 injected process8 dnsIp9 39 shops.myshopify.com 23.227.38.64, 49744, 49747, 49748 CLOUDFLARENETUS Canada 17->39 41 forthepeoplefunding.com 184.168.131.241, 49734, 49735, 49736 AS-26496-GO-DADDY-COM-LLCUS United States 17->41 43 4 other IPs or domains 17->43 53 System process connects to network (likely due to code injection or exploit) 17->53 21 NETSTAT.EXE 18 17->21         started        signatures10 process11 file12 31 C:\Users\user\AppData\...\448logrv.ini, data 21->31 dropped 33 C:\Users\user\AppData\...\448logri.ini, data 21->33 dropped 55 Detected FormBook malware 21->55 57 Tries to steal Mail credentials (via file access) 21->57 59 Tries to harvest and steal browser information (history, passwords, etc) 21->59 61 3 other signatures 21->61 25 cmd.exe 2 21->25         started        signatures13 process14 file15 35 C:\Users\user\AppData\Local\Temp\DB1, SQLite 25->35 dropped 63 Tries to harvest and steal browser information (history, passwords, etc) 25->63 29 conhost.exe 25->29         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c5219c1f956fe3fd523989a140c35f2ffbcbc7d79218262a29f6a660985175c0/
Threat name:
Win32.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 22:49:18 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yuqzyh4vn7r72urzrgqubq27f754xr6xsimcmkrj62tgbgcroxaa._file
Verdict:
unknown
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/201020-dzlsftgpw2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.skailanirecruiting.com/rzt/
Unpacked files
SH256 hash:
c5219c1f956fe3fd523989a140c35f2ffbcbc7d79218262a29f6a660985175c0
MD5 hash:
97e3d071f835f5b071dc5e1cb72b6113
SHA1 hash:
1597c510081e255c894433f6088828c4dca23861
Link:
https://www.unpac.me/results/a52ff428-edb3-4d51-8df0-40fb906a568e/
SH256 hash:
d9d6049aaa76cf565655500ece3fce41255478f48cd1cfa7ac9c477649c6cdf8
MD5 hash:
1cfce4efe322f1c901d5cc7f65a55843
SHA1 hash:
b4cd164010bc64aff28e51c09a1b8813a43344ef
Link:
https://www.unpac.me/results/a52ff428-edb3-4d51-8df0-40fb906a568e/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/a52ff428-edb3-4d51-8df0-40fb906a568e/
SH256 hash:
ec64ff68ba9b511f75a9278c14e4a01004f421d566799d4ec9e4b246628c9633
MD5 hash:
a24f929d1a9070876541f66fedcd4438
SHA1 hash:
f08ac84c08f403aa6e3220e34b27448795f376fd
Link:
https://www.unpac.me/results/a52ff428-edb3-4d51-8df0-40fb906a568e/
SH256 hash:
1012895ff8985de127b3aa8a24dd0acf16509c9a9a68b0eef3b28463fd61d2ea
MD5 hash:
aee42f7575eafc4c75ab86b9c98df77c
SHA1 hash:
21b98de1c00b6ea67dcade532c29306dff331850
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/a52ff428-edb3-4d51-8df0-40fb906a568e/
Parent samples :
c5219c1f956fe3fd523989a140c35f2ffbcbc7d79218262a29f6a660985175c0
5943e0f810c211de134f7225c22c1d453da8acb0b6774b86b60eeb084b61a37a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/c5219c1f956fe3fd523989a140c35f2ffbcbc7d79218262a29f6a660985175c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img cb4c76e46e345870263202cbabf1ec6e82dd4aeb90bb214fdb868e47bb60aff7

FormBook

Executable exe c5219c1f956fe3fd523989a140c35f2ffbcbc7d79218262a29f6a660985175c0

(this sample)

  
Dropped by
MD5 69797c7f3a34f3447b8125d0eee0815e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73275/
  
Dropped by
SHA256 cb4c76e46e345870263202cbabf1ec6e82dd4aeb90bb214fdb868e47bb60aff7

Comments