MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d
SHA3-384 hash: d5047807ad933ae76e4f45fd1920207a773c5989dded26e31ce787ee251784bfaf16148fe90f2cc51b4c3c6a6ce14f1a
SHA1 hash: 0f534881d7566b156370c20a0076a3fe2e1daf4a
MD5 hash: 62e1de2ff09af0750214638c70a1d633
humanhash: bluebird-ink-missouri-carbon
File name:#Order7825 _Approval_2020_Purschase.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:488'960 bytes
First seen:2020-07-16 15:45:25 UTC
Last seen:2020-07-16 16:56:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:A3b9v2k4zUgPcQX2gIYy47UqrFY6bZ6iwKz5iErh7:moPcVS3BhZ6iwK
Threatray 5'171 similar samples on MalwareBazaar
TLSH 45A46BDC3510719EC81E8D768964DC70AA206D66F7FBE20763C36E9F793C697CA011A2
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26878/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.1963.32635.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388686
Signature
Benign windows process drops PE files
Detected FormBook malware
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 246517 Sample: #Order7825 _Approval_2020_P... Startdate: 18/07/2020 Architecture: WINDOWS Score: 100 58 www.tongdaifptcantho.com 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 7 other signatures 2->66 11 #Order7825 _Approval_2020_Purschase.exe 1 2->11         started        signatures3 process4 file5 50 #Order7825 _Approv...0_Purschase.exe.log, ASCII 11->50 dropped 14 #Order7825 _Approval_2020_Purschase.exe 11->14         started        process6 signatures7 82 Modifies the context of a thread in another process (thread injection) 14->82 84 Maps a DLL or memory area into another process 14->84 86 Sample uses process hollowing technique 14->86 88 Queues an APC in another process (thread injection) 14->88 17 explorer.exe 1 6 14->17 injected process8 dnsIp9 54 www.zjlthk.net 156.239.95.35, 49736, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 17->54 56 www.savannamotors.com 17->56 42 C:\Users\user\AppData\...\pnutnljlxtdxx0.exe, PE32 17->42 dropped 68 System process connects to network (likely due to code injection or exploit) 17->68 70 Benign windows process drops PE files 17->70 22 mstsc.exe 1 19 17->22         started        26 pnutnljlxtdxx0.exe 1 17->26         started        28 raserver.exe 17->28         started        file10 signatures11 process12 file13 44 C:\Users\user\AppData\...\9-Alogrv.ini, data 22->44 dropped 46 C:\Users\user\AppData\...\9-Alogri.ini, data 22->46 dropped 48 C:\Users\user\AppData\...\9-Alogrf.ini, data 22->48 dropped 72 Detected FormBook malware 22->72 74 Tries to steal Mail credentials (via file access) 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 80 2 other signatures 22->80 30 cmd.exe 2 22->30         started        34 cmd.exe 1 22->34         started        36 pnutnljlxtdxx0.exe 26->36         started        78 Tries to detect virtualization through RDTSC time measurements 28->78 signatures14 process15 file16 52 C:\Users\user\AppData\Local\Temp\DB1, SQLite 30->52 dropped 90 Tries to harvest and steal browser information (history, passwords, etc) 30->90 38 conhost.exe 30->38         started        40 conhost.exe 34->40         started        92 Modifies the context of a thread in another process (thread injection) 36->92 94 Maps a DLL or memory area into another process 36->94 96 Sample uses process hollowing technique 36->96 signatures17 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd48e7228ffe8ca44b77d71d3fabd0d77b07a7c6cae4239ea83568389c20731d/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 15:41:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
Formbook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
Formbook
33c7844de9677b2c4be5d2a81442404c46ed64d8e0f11214005aee8b7dd2c9be
Formbook
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
Formbook
82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a
Formbook
a9089afb7795019bd9b1a2395b387a6c9957d499f10ff2929bf8d65c9913f453
Formbook
afc658f07e5da5c8071754e973e37fb7712e1f13a5a23a6baf440cd35e60fd76
Formbook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
Formbook
ecb66b3c2799764e4b3a10e4197fe47f1fe3f60ab10ad1c76733d712fb674873
Formbook
ed3e93996b60fbaeb82c59f62dc3dcee809b229748ad7772829a8f738e307cbd
Formbook
+ 5'161 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200716-knjj7smtla/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/26878/

Comments