MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40
SHA3-384 hash: 010ff671dca1f07bc296bd88a26f91ac9067dd1034f0e0c814138552f8d3674528f91d865fbc8fd20f546e11b9e00359
SHA1 hash: 9c40ca372df8dc8a76d6ccf62356859db368be4b
MD5 hash: ea4d18020e7f3f44fabaf4c1dd24f5a9
humanhash: salami-twenty-don-kilo
File name:Factura de clients_0010002345.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:463'872 bytes
First seen:2020-10-05 12:13:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:zqZQ/UJlFRsIWVYnSM0eJFtd1SkzmO4QVSOb6:zqjJGIrnSjiTq8VSf
Threatray 2'325 similar samples on MalwareBazaar
TLSH F3A4E03183846BABE3BC297AC4529121D3F0EE425232F79C7ED478D454F2745AB273A9
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: terregroup.pw
Sending IP: 64.225.98.54
From: Administracion <contact@terregroup.pw>
Reply-To: duldi@duldi.com
Subject: Factura de Clients
Attachment: Factura de clients_0010002345.rar (contains "Factura de clients_0010002345.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68207/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481454
Signature
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Detected FormBook malware
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293189 Sample: Factura de clients_0010002345.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 6 other signatures 2->53 10 Factura de clients_0010002345.exe 3 2->10         started        process3 file4 41 C:\...\Factura de clients_0010002345.exe.log, ASCII 10->41 dropped 67 Injects a PE file into a foreign processes 10->67 14 Factura de clients_0010002345.exe 10->14         started        signatures5 process6 signatures7 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Maps a DLL or memory area into another process 14->71 73 Sample uses process hollowing technique 14->73 75 Queues an APC in another process (thread injection) 14->75 17 explorer.exe 14->17 injected process8 dnsIp9 43 www.keilu.com 107.151.124.189, 49742, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK United States 17->43 45 www.ops-company.com 123.123.123.1, 80 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN China 17->45 55 System process connects to network (likely due to code injection or exploit) 17->55 21 systray.exe 1 18 17->21         started        signatures10 process11 file12 35 C:\Users\user\AppData\...3543logrv.ini, data 21->35 dropped 37 C:\Users\user\AppData\...3743logri.ini, data 21->37 dropped 57 Detected FormBook malware 21->57 59 Creates an undocumented autostart registry key 21->59 61 Tries to steal Mail credentials (via file access) 21->61 63 4 other signatures 21->63 25 cmd.exe 2 21->25         started        29 cmd.exe 1 21->29         started        signatures13 process14 file15 39 C:\Users\user\AppData\Local\Temp\DB1, SQLite 25->39 dropped 65 Tries to harvest and steal browser information (history, passwords, etc) 25->65 31 conhost.exe 25->31         started        33 conhost.exe 29->33         started        signatures16 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 07:03:38 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdmfzrtubckn2eztx6qgyn5tgsspgqoo7pit56h2qa3tfktirraa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
02426893e1fb6b3cc4dba759e7d85a0da3696d4753921487b49bddc629d6ff77
FormBook
23b880c48fec41fa4fc337f0ecb3d9cd5ee8f71cd45448049a35bbcb85bb01f5
FormBook
2467572968320c67ea46c765d9cdae94d3887e44d7af7e29b88f1b0e51fa4c01
FormBook
2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
FormBook
546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf
FormBook
693c8d97b8f35a60fbe94951bcc62bfe7d98631591382a2a86300546c6fa95d0
FormBook
a4f595a974ae8b5dc406b75aebfb8f6d44ac822b14c8ba0619f0416a55be3986
FormBook
b3423777b1bafbe661edd1f4d3d98e72fcb48394764ddeb57bb913b881cf9177
FormBook
cb769b55a59aa7b729c8489980706fe32b77b941d1f8b9e1a1ff4b364a899408
FormBook
d732985d24a02a21df8e93598ea0431ae1e9a89a1afcac240e758130517d625e
FormBook
+ 2'315 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/201005-cxff96ffv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.climore.info/mye/
Unpacked files
SH256 hash:
01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a
MD5 hash:
eb593633270aa19162cf64663df9dd6c
SHA1 hash:
2ec57181471ff10abe9a04239ca3ea86ea4252b9
Link:
https://www.unpac.me/results/bb7cafc0-86c6-453c-b98d-7fcd82697483/
SH256 hash:
08b42c397b285e944d8926870f262d6e0699a20cc91e36c3c4f5b7132ae47013
MD5 hash:
dd7e92c475bc653fabbe1cdb68b90158
SHA1 hash:
cff431a83a8bde0ee2fadb1e303e346be209b778
Link:
https://www.unpac.me/results/bb7cafc0-86c6-453c-b98d-7fcd82697483/
SH256 hash:
03dbd793b445bee39b313be81a6dcaf8f04dd6975c29aca0a929732240fef44b
MD5 hash:
65a660d2c8667f8fb998e59edb7f6420
SHA1 hash:
e96d454248fe301feda2e5caafedbaca7c3af252
Link:
https://www.unpac.me/results/bb7cafc0-86c6-453c-b98d-7fcd82697483/
SH256 hash:
f87c809f46ed229fae636c96c8598fb83f9ba9f8737b3cc54d372320a913d921
MD5 hash:
7066abed631334de35d2440f8cdad302
SHA1 hash:
076dabf01ede762780e243f8fc32927f5410bd84
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/bb7cafc0-86c6-453c-b98d-7fcd82697483/
SH256 hash:
c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40
MD5 hash:
ea4d18020e7f3f44fabaf4c1dd24f5a9
SHA1 hash:
9c40ca372df8dc8a76d6ccf62356859db368be4b
Link:
https://www.unpac.me/results/bb7cafc0-86c6-453c-b98d-7fcd82697483/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 2d7a843b3c272271e42474dc4eb75d86df96de63e4668aba4b2a4edc3c65c9af

FormBook

Executable exe c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40

(this sample)

  
Dropped by
MD5 63547115fd077b2e336f68fe6a505010
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2d7a843b3c272271e42474dc4eb75d86df96de63e4668aba4b2a4edc3c65c9af
Cape
Cape
https://www.capesandbox.com/analysis/68207/

Comments