MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b
SHA3-384 hash: be9eb46f803cc9b2d54ced29fa18783d8bb500c1c2ccc4ee12def4c7783525dbf42cdc19037f54f51328ed4ff9edff9e
SHA1 hash: d69bed5b1751958cb9bb667539a5c6422f2c1492
MD5 hash: a3eea48c7d0cd1c1ac13ff3bf81ce5ff
humanhash: pluto-mango-skylark-double
File name:E-Fatura_UNI2020000052912.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:630'784 bytes
First seen:2020-10-02 11:05:21 UTC
Last seen:2020-10-02 11:57:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:EfkvTYBcDUiRWshAgd2ptNiNZ9c5mbjCQg2WOesJcaC:Kcjdd2m6sGQ5Wraca
Threatray 2'252 similar samples on MalwareBazaar
TLSH CFD4021072A5D529EBFB0D72153281108E71FC769672EB8F5CCE38EE5ABAB445702B13
Reporter theDark3d
Tags:exe FormBook malware

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67733/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.17739.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480173
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 292526 Sample: E-Fatura_UNI2020000052912.exe Startdate: 02/10/2020 Architecture: WINDOWS Score: 100 31 www.viewpano.xyz 2->31 33 www.chsepd.com 2->33 35 4 other IPs or domains 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 4 other signatures 2->49 11 E-Fatura_UNI2020000052912.exe 3 2->11         started        signatures3 process4 file5 29 C:\...-Fatura_UNI2020000052912.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 15 E-Fatura_UNI2020000052912.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 37 hbozoom.com 34.102.136.180, 49746, 49747, 49765 GOOGLEUS United States 18->37 39 beastmodemoving.com 160.153.136.3, 49749, 80 GODADDY-AMSDE United States 18->39 41 8 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 help.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-10-02 11:07:06 UTC
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2cbu3hb3dq3cfcpasbjillvqwkcjbtc6vs2xkieayzkty5ouwafq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e1253abec933b14f592f8ab6fcfaeba8fb3b9d24f9ef2a7021345d2fc738b3f
Formbook
1277fb7fda4e11d5c61a6c07df4af7712070f01e002d54683c879c23e739519f
Formbook
1f3a78fa36bc0741a38e82e73ea0a214ef806c0d968c70b99aa71c73864be656
Formbook
375426a8a107b6dffc4876f9aa54782cee5f767dba75fee84084490deb399b46
Formbook
4077e5eeadfc447b88c36f638c37adc77ee35766a737e4a7aca64e61f2ef3d1a
Formbook
62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab
Formbook
6f196fa55e6b02ee407f238eba897e8ae1a213a45603c526141a0c66f26e8c51
Formbook
b2d8df96514495cb6b3fe66a6d61e70b8b6e92426910db93f7ae521be4fd2762
Formbook
bffc9c0c74952c439ca980be37a1f1e21c182b13c992f1a345a541413bfea91a
Formbook
e86665f5f4cb843757815bce9f8311678c1bc32cdc6537ccc3aedc4502dca4a8
Formbook
+ 2'242 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/201002-vsz8njc8v6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.chsepd.com/agwz/
Unpacked files
SH256 hash:
d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b
MD5 hash:
a3eea48c7d0cd1c1ac13ff3bf81ce5ff
SHA1 hash:
d69bed5b1751958cb9bb667539a5c6422f2c1492
Link:
https://www.unpac.me/results/c284e43f-9544-4bad-87e7-d2938d88b398/
SH256 hash:
5a39c6c6796c30dc8ef7c04418837545235e4112216baa5890e2feaa03cd595c
MD5 hash:
ab3117a0ada2a083fc2e6d8bf3c94d66
SHA1 hash:
8c2ebbc5b1f12ed1f94a3f6f1cd2445ec23479e9
Link:
https://www.unpac.me/results/c284e43f-9544-4bad-87e7-d2938d88b398/
SH256 hash:
e0f1f79b7a1e0479c53c843a8ea203ecd06904c0e62c6caea57e1e18b633fc26
MD5 hash:
5b55ea896a010fc6fc2153f8d024fdef
SHA1 hash:
9b53617683dbafa76a71a0ed64e8d12caa0f79af
Link:
https://www.unpac.me/results/c284e43f-9544-4bad-87e7-d2938d88b398/
SH256 hash:
5dba2d615353e5daa903cd50fd4bd53c61a1f87a09757a966a2b20715bee3cc0
MD5 hash:
b74cd897a34d1f2d2f0a8b1f2cb11a1b
SHA1 hash:
3d011e22c93fa75c131122ceaac39b7693fcd279
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c284e43f-9544-4bad-87e7-d2938d88b398/
Parent samples :
d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b
00c31ece69362a5cccc665bc1d57b48240d5bf53cbb159cb72b26454849e798e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0834d9c3b1c362289e0905285aeb0b28490cc5eacb5752080c6553c75d4b00b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_nymaim_g0
Create hunting rule
Author:mak, msm, CERT.pl

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/67733/

Comments