MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d07c9a8f59310a384561cfd4b54888ab7ac994487d5ce7512a494969bad24633. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d07c9a8f59310a384561cfd4b54888ab7ac994487d5ce7512a494969bad24633
SHA3-384 hash: 8e491920ededef37b26a3ca24026b8b1cbe1f38bbf0295053db6b65db3d99bdb914360cb6b4cc72996b87c2053bb75c4
SHA1 hash: a49d90076da6e9e96490a85f1067cc3908a2ce64
MD5 hash: d9b20a4cd636bddd087f874af43cb941
humanhash: twenty-triple-wisconsin-hot
File name:NEW ORDER BALANCE PAYMENT.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:548'352 bytes
First seen:2020-07-22 10:05:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:VKjbStvsOPUm2iNSR0Es/8B0pKWGUkMpolXO5:VOOcm1LGSvkMpZ
Threatray 5'683 similar samples on MalwareBazaar
TLSH BAC48C23A6BCC6E5FA4C3EB5915447505A756D1A12F6E20BDA4FFCC8D933603C312AE2
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31071/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with Startup directory
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394893
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249846 Sample: NEW ORDER BALANCE PAYMENT.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 6 other signatures 2->61 10 NEW ORDER BALANCE PAYMENT.exe 5 2->10         started        process3 file4 43 C:\Users\user\AppData\Roaming\aSvWGw.exe, PE32 10->43 dropped 45 C:\Users\user\AppData\Local\...\tmpB256.tmp, XML 10->45 dropped 47 C:\...47EW ORDER BALANCE PAYMENT.exe.log, ASCII 10->47 dropped 13 NEW ORDER BALANCE PAYMENT.exe 10->13         started        16 schtasks.exe 1 10->16         started        process5 signatures6 75 Modifies the context of a thread in another process (thread injection) 13->75 77 Maps a DLL or memory area into another process 13->77 79 Sample uses process hollowing technique 13->79 81 Queues an APC in another process (thread injection) 13->81 18 explorer.exe 1 6 13->18 injected 23 conhost.exe 16->23         started        process7 dnsIp8 49 www.berlinda-va.net 134.119.253.52, 49716, 80 GD-EMEA-DC-CGN1DE Germany 18->49 51 www.yangzhie288.com 18->51 53 www.hbyrby.com 18->53 35 C:\Users\user\AppData\Local\...\vpxdhb6h.exe, PE32 18->35 dropped 63 System process connects to network (likely due to code injection or exploit) 18->63 65 Benign windows process drops PE files 18->65 25 cmmon32.exe 1 18 18->25         started        29 vpxdhb6h.exe 18->29         started        file9 signatures10 process11 file12 37 C:\Users\user\AppData\...\940logrv.ini, data 25->37 dropped 39 C:\Users\user\AppData\...\940logri.ini, data 25->39 dropped 41 C:\Users\user\AppData\...\940logrf.ini, data 25->41 dropped 67 Detected FormBook malware 25->67 69 Tries to steal Mail credentials (via file access) 25->69 71 Tries to harvest and steal browser information (history, passwords, etc) 25->71 73 3 other signatures 25->73 31 cmd.exe 1 25->31         started        signatures13 process14 process15 33 conhost.exe 31->33         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d07c9a8f59310a384561cfd4b54888ab7ac994487d5ce7512a494969bad24633/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 10:07:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2b6jvd2zgefdqrlbz7klkseivn5mtfcipvoooujkjfewtowsiyzq._file
Verdict:
malicious
Similar samples:
2a2a628e23fa234e422aa5edcb6718f54e5caa2822ee10950a30619d9e9b0534
FormBook
2ed8cd44621cc06fa9a00f11b5217fe58839a8ec6bfee8d42f78f61263652da5
FormBook
476d02f7c777bb08d97cf87c305e3cb4f41501c1b15ddd88e55f31bff0767b0a
FormBook
49aaf4ae6bf7f60a07c4ffc43ca0be27fce694446436dd07aac5db362142c2c8
FormBook
75fc0beb16fbe8af2f46d2cfcb7176af4289430516d74017d1a32cd0c37859c0
FormBook
9256cc7129421443ba770b55f01042e58fa5af856df1db31e830f147213c2a1c
FormBook
afd354c93f9c9ad2324dd4ecd1e58041f373f1b3360ef8ce2792e437bd104a8d
FormBook
d5dd3977cdc2602a68093c08e166b1508253ef0934f986d00be980e47b7c50f9
FormBook
dec608206e941da5042333c8e35fe01bb17e50cc67ec58b03e872694cb5e219b
FormBook
f8a0ada1c983c16a3ff6b107c2a04cac970e51ba9bec2514771271af03b7b9fc
FormBook
+ 5'673 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200722-s7vk5759mx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d07c9a8f59310a384561cfd4b54888ab7ac994487d5ce7512a494969bad24633

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

Executable exe d07c9a8f59310a384561cfd4b54888ab7ac994487d5ce7512a494969bad24633

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/31071/

Comments