MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c787057c00b515e2c4c78968650b5978b9b696a9668ee33d82d86a623d5c5752. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c787057c00b515e2c4c78968650b5978b9b696a9668ee33d82d86a623d5c5752
SHA3-384 hash: b456a77cf0677f1a2cd7d24c09af7830930be4ddf68c2ab87b457f386b97680dbadcd2a1b9d13d5a0d4a2b662b056e69
SHA1 hash: d35c5cb1ae570a780b9a80de302085b8bc375c8a
MD5 hash: 063c607798c41aa1315808c90bd7d4d0
humanhash: lithium-pasta-apart-early
File name:Sample Inv400788.Scan.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:625'152 bytes
First seen:2020-10-08 13:13:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:PiDSEZ7jPslkpNSqj7EttOvwRURLQartMOUIAvK9tXG8I6:PmoENl6wXREart
Threatray 2'341 similar samples on MalwareBazaar
TLSH 71D4D06C76507ADFC817C976CA686C60EA2078BB930BD207A01316ED9E1D6DBCF115F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: vps.shvietnam-vn.com
Sending IP: 45.95.169.113
From: info@shvietnam-vn.com
Subject: Re: Confirm availability of attached Products
Attachment: Sample Inv400788.Scan.z (contains "Sample Inv400788.Scan.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69260/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485494
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 295299 Sample: Sample Inv400788.Scan.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 42 www.canadelstores.com 2->42 44 canadelstores.com 2->44 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 9 other signatures 2->64 10 Sample Inv400788.Scan.exe 3 2->10         started        signatures3 process4 file5 40 C:\Users\...\Sample Inv400788.Scan.exe.log, ASCII 10->40 dropped 68 Injects a PE file into a foreign processes 10->68 14 Sample Inv400788.Scan.exe 10->14         started        signatures6 process7 signatures8 70 Modifies the context of a thread in another process (thread injection) 14->70 72 Maps a DLL or memory area into another process 14->72 74 Sample uses process hollowing technique 14->74 76 Queues an APC in another process (thread injection) 14->76 17 explorer.exe 1 18 14->17         started        21 explorer.exe 1 14->21 injected process9 dnsIp10 34 C:\Users\user\AppData\...\6KPlogrv.ini, data 17->34 dropped 36 C:\Users\user\AppData\...\6KPlogri.ini, data 17->36 dropped 48 Detected FormBook malware 17->48 50 Tries to steal Mail credentials (via file access) 17->50 52 Tries to harvest and steal browser information (history, passwords, etc) 17->52 56 3 other signatures 17->56 24 cmd.exe 2 17->24         started        28 cmd.exe 1 17->28         started        46 www.lorientalappetizers.com 35.208.62.224, 49775, 80 GOOGLE-2US United States 21->46 54 System process connects to network (likely due to code injection or exploit) 21->54 file11 signatures12 process13 file14 38 C:\Users\user\AppData\Local\Temp\DB1, SQLite 24->38 dropped 66 Tries to harvest and steal browser information (history, passwords, etc) 24->66 30 conhost.exe 24->30         started        32 conhost.exe 28->32         started        signatures15 process16
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c787057c00b515e2c4c78968650b5978b9b696a9668ee33d82d86a623d5c5752/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 06:51:03 UTC
AV detection:
28 of 48 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6dqk7aawuk6frghrfugkc2zpc43nfvjm2hogpmc3bvgepk4k5ja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19f43d1f8fd11eccbdb2d9ce05a16983fe394cbd92943bc57943e4bbbb686687
FormBook
30b4c1056fb6b1568249421bb9a8fac66267e60b49d090d718943ba40ed24151
FormBook
3bc2e6f78c3a261a13546f719d6b089dab1730e8f6539d7ab7a319fc3e410270
FormBook
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
FormBook
4170e48189174a9cc84f6c019f454a20e30a35605be0f8e2a3e26a516e2c1090
FormBook
4c1fe4c0f5d8d1277036802c83df3e083b31318dfc2c194ce93b7169d7ba6e3d
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
FormBook
b8ee3458736fa73672b43a4c55e136bafc48b215dcb89dac28b5865ab59fc99c
FormBook
d34f87c6a070f4f73344156c16be7040f2932053aea2868e98b0fa4297113835
FormBook
+ 2'331 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201008-zdqxpzqy8s/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.toolsup.online/so6/
Unpacked files
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/0fcbc90c-d078-4949-a21f-80922f20063d/
SH256 hash:
c34c5cf2c594f06d4c806069feb47bd2868770242e925c0a4cf879a836f8408b
MD5 hash:
3c835c45f93f28bc73a48ade20e0c534
SHA1 hash:
e83529ccf15441f1484a8c7c18f4e6ccf02a37ba
Link:
https://www.unpac.me/results/0fcbc90c-d078-4949-a21f-80922f20063d/
SH256 hash:
2137177e167a4806bdde13fef46b4ae8db23c77ce04a1c0013dc3aea54098d32
MD5 hash:
7c6f0d3b1130f4d21ef0fd4eb295ec66
SHA1 hash:
d6c1477c3d837df94bde80c677f3d8a1e54af6f6
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/0fcbc90c-d078-4949-a21f-80922f20063d/
Parent samples :
30b4c1056fb6b1568249421bb9a8fac66267e60b49d090d718943ba40ed24151
c787057c00b515e2c4c78968650b5978b9b696a9668ee33d82d86a623d5c5752
SH256 hash:
c787057c00b515e2c4c78968650b5978b9b696a9668ee33d82d86a623d5c5752
MD5 hash:
063c607798c41aa1315808c90bd7d4d0
SHA1 hash:
d35c5cb1ae570a780b9a80de302085b8bc375c8a
Link:
https://www.unpac.me/results/0fcbc90c-d078-4949-a21f-80922f20063d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c787057c00b515e2c4c78968650b5978b9b696a9668ee33d82d86a623d5c5752

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 83d26c7db3fa6538dfdd5e282e3a3cc943d272a8878e22d8b63852efab706040

FormBook

Executable exe c787057c00b515e2c4c78968650b5978b9b696a9668ee33d82d86a623d5c5752

(this sample)

  
Dropped by
MD5 15743ce81dfdcadbd22dcc4a06d89ed5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69260/
  
Dropped by
SHA256 83d26c7db3fa6538dfdd5e282e3a3cc943d272a8878e22d8b63852efab706040

Comments