MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c74fbf07caa2e454d520cd64c36928a24082ded47a6ded2a58e3287b3d9ddb82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c74fbf07caa2e454d520cd64c36928a24082ded47a6ded2a58e3287b3d9ddb82
SHA3-384 hash: fce0fe71e1820a7c5af3be1f18f49fe0c1dbc1ee4e9ec4399ea06f317d25ff254a1576110649699ee511c5b7c0851fd5
SHA1 hash: beacf06cb417a1c420f68bdbbb95749cb9fa997e
MD5 hash: c4657321e3593494c5b3e307c992bbc1
humanhash: uranus-london-blue-bakerloo
File name:PI-292829.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:560'128 bytes
First seen:2020-10-19 06:30:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:EEPE4Rj6bDLjZwjjX/PkqCxx7gl7k0vLjLINpc8TvU:E25+bDhWz/ctxa
Threatray 2'446 similar samples on MalwareBazaar
TLSH 1FC46BD6E680E09DD9564E3D8520FC30B227FE77E96BE10654137DA55E3F382C9E20A2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: qq.com
Sending IP: 83.149.106.6
From: Jenny Chan <13409204634@qq.com>
Subject: RE: 回复: 回复: RE: Urgent: Proforma invoice
Attachment: PI-292829.txt.gz (contains "PI-292829.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72726/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Launching a process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494915
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299919 Sample: PI-292829.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for dropped file 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 7 other signatures 2->42 7 PI-292829.exe 1 4 2->7         started        11 vlc.exe 1 2->11         started        13 vlc.exe 2->13         started        process3 file4 30 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 7->30 dropped 32 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\AppData\...\PI-292829.exe.log, ASCII 7->34 dropped 44 Adds a directory exclusion to Windows Defender 7->44 46 Injects a PE file into a foreign processes 7->46 15 PI-292829.exe 7->15         started        17 powershell.exe 25 7->17         started        19 vlc.exe 11->19         started        signatures5 process6 process7 21 WerFault.exe 23 9 15->21         started        24 conhost.exe 17->24         started        26 WerFault.exe 17 1 19->26         started        file8 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->28 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c74fbf07caa2e454d520cd64c36928a24082ded47a6ded2a58e3287b3d9ddb82/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 23:36:36 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y5h36b6kulsfjvjazvsmg2jiujaifxwupjw62ksy4muhwpm53oba._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
Formbook
6bb732e1c22295b2fa6970a286225d14bd7c6fabef714f9b20c3a622bb8e7645
Formbook
767fc756f86db0b4de57b4ec14964f24af0e47eb23ba7fa1df6378bcf9986947
Formbook
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Formbook
9abd8b37403ea5e7b381e0644acc6655dc01efc4be1edf69992c5a68c33eff1f
Formbook
b9c1be5f81b9261b1bb68fb0f667a57721bd04b750427a9382844c42d18dba6e
Formbook
bdad93534a202f7d3c2f102dc39093fa12a32f5de82c76a5fb41a94e1748d99e
Formbook
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Formbook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
Formbook
ea4d8d060bcd85bdb08cc7bd4f510a8539e84119011abb56e9e0158432e4de54
Formbook
+ 2'436 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat persistence trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201019-zk4ga2558e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Formbook Payload
ServiceHost packer
Formbook
Unpacked files
SH256 hash:
c74fbf07caa2e454d520cd64c36928a24082ded47a6ded2a58e3287b3d9ddb82
MD5 hash:
c4657321e3593494c5b3e307c992bbc1
SHA1 hash:
beacf06cb417a1c420f68bdbbb95749cb9fa997e
Link:
https://www.unpac.me/results/11d405f0-9f80-4129-b732-91b8473bd8a4/
SH256 hash:
6103312868386c211ef07090d3ccb1c75b55752fb01f7c2a8d748fd7b1769bd3
MD5 hash:
ec16dc5f86db12acc90a189c52ab8ea3
SHA1 hash:
7a8b83cebc741ea08cad655d3baafc8418aaa57f
Link:
https://www.unpac.me/results/11d405f0-9f80-4129-b732-91b8473bd8a4/
SH256 hash:
5335c18b0a175e0633cb19b127479d1e8f427e75dd845bf96f7c0568f76cb7ce
MD5 hash:
b551f3d2fa131f35f6d783b861ed6e22
SHA1 hash:
b4660f5b47a98486b5418f66c98b02874ec45874
Link:
https://www.unpac.me/results/11d405f0-9f80-4129-b732-91b8473bd8a4/
SH256 hash:
9b6b3a20439fb1d41f588f988341909b07d49cea3db49bfa98e98d31ad5e8ccd
MD5 hash:
438cb209928f628186548d9425bfc529
SHA1 hash:
c81bbc389840f94832e34c60e78792991b23ce6d
Link:
https://www.unpac.me/results/11d405f0-9f80-4129-b732-91b8473bd8a4/
SH256 hash:
c61e1b3cd39a7516d54659415e0b0c66e52cffa5fcf759bc48b3fd3abdbae8bf
MD5 hash:
924f8739795ecbe6241e0b6622a4363e
SHA1 hash:
11e6a5dc3042a87089c719ce7fff9cc5f6609a15
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/11d405f0-9f80-4129-b732-91b8473bd8a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c74fbf07caa2e454d520cd64c36928a24082ded47a6ded2a58e3287b3d9ddb82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz b13d431a07f4f60bac10cfeae185552509c0efee7d9de7c369d5b63a4b9db4a2

Formbook

Executable exe c74fbf07caa2e454d520cd64c36928a24082ded47a6ded2a58e3287b3d9ddb82

(this sample)

  
Dropped by
MD5 b3a28cce02888a20b0a9b935fb7b2eaa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b13d431a07f4f60bac10cfeae185552509c0efee7d9de7c369d5b63a4b9db4a2
Cape
Cape
https://www.capesandbox.com/analysis/72726/

Comments