MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d19a1337bd1fd3534eabbbdf6db6e402de9c2996edf3b4bae1bb10e85d7b5bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d19a1337bd1fd3534eabbbdf6db6e402de9c2996edf3b4bae1bb10e85d7b5bde
SHA3-384 hash: b979df5c9407fa97b5c42c6110aceffe9e8e57ee9ab0a11222b22f3f0d2647f7f8766361bc1b851e3ca8dedf18c23834
SHA1 hash: 58087be69878fde874bcb73af375c187d86b5595
MD5 hash: 01224d2ff19110aa9093b31ed5d75877
humanhash: fourteen-romeo-victor-alabama
File name:SHANGHAI.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:748'544 bytes
First seen:2020-07-20 07:58:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:yuNE31q9I6/kldSCGDyaod+ik4g8y3SoDBNYO/zHKM4r+9XWfZEA:yu23OPW2rEloDBiO/rKM4r8mfZE
Threatray 4'947 similar samples on MalwareBazaar
TLSH 65F4E0C99AA05400D2ED3FF99E628A744731BD09F5F1930F1BC4AC9F293A793D854762
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: truegreen-cn.cam
Sending IP: 111.90.140.74
From: account@truegreen-cn.cam <account@truegreen-cn.cam>
Subject: RE: RE: SHANGHAI QUOTATION
Attachment: SHANGHAI.rar (contains "SHANGHAI.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28692/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52265.3004.30978.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391037
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247836 Sample: SHANGHAI.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for domain / URL 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 8 other signatures 2->74 10 SHANGHAI.exe 5 2->10         started        process3 file4 48 C:\Users\user\AppData\...\VyasyukbjAC.exe, PE32 10->48 dropped 50 C:\Users\...\VyasyukbjAC.exe:Zone.Identifier, ASCII 10->50 dropped 52 C:\Users\user\AppData\Local\...\tmp6452.tmp, XML 10->52 dropped 54 C:\Users\user\AppData\...\SHANGHAI.exe.log, ASCII 10->54 dropped 82 Tries to detect virtualization through RDTSC time measurements 10->82 84 Injects a PE file into a foreign processes 10->84 14 SHANGHAI.exe 10->14         started        17 schtasks.exe 1 10->17         started        19 SHANGHAI.exe 10->19         started        21 SHANGHAI.exe 10->21         started        signatures5 process6 signatures7 86 Modifies the context of a thread in another process (thread injection) 14->86 88 Maps a DLL or memory area into another process 14->88 90 Sample uses process hollowing technique 14->90 92 Queues an APC in another process (thread injection) 14->92 23 explorer.exe 4 14->23 injected 28 conhost.exe 17->28         started        process8 dnsIp9 62 www.regulars5.com 199.192.29.70, 49737, 80 NAMECHEAP-NETUS United States 23->62 64 www.kingbogroup.com 23->64 66 www.akomik-hentaei.men 23->66 46 C:\Users\user\AppData\...\cjoplj6lbxn2e.exe, PE32 23->46 dropped 78 System process connects to network (likely due to code injection or exploit) 23->78 80 Benign windows process drops PE files 23->80 30 control.exe 1 19 23->30         started        file10 signatures11 process12 file13 56 C:\Users\user\AppData\...\3N5logrv.ini, data 30->56 dropped 58 C:\Users\user\AppData\...\3N5logri.ini, data 30->58 dropped 60 C:\Users\user\AppData\...\3N5logrf.ini, data 30->60 dropped 94 Detected FormBook malware 30->94 96 Tries to steal Mail credentials (via file access) 30->96 98 Tries to harvest and steal browser information (history, passwords, etc) 30->98 100 3 other signatures 30->100 34 cmd.exe 2 30->34         started        38 cmd.exe 1 30->38         started        signatures14 process15 file16 44 C:\Users\user\AppData\Local\Temp\DB1, SQLite 34->44 dropped 76 Tries to harvest and steal browser information (history, passwords, etc) 34->76 40 conhost.exe 34->40         started        42 conhost.exe 38->42         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d19a1337bd1fd3534eabbbdf6db6e402de9c2996edf3b4bae1bb10e85d7b5bde/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 08:00:10 UTC
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2gnbgn55d7jvgtvlxppw3nxealpjykmw5xz3joxbxmioqxl3lppa._file
Verdict:
malicious
Similar samples:
032f594e26c4a20fc56b06210d294f7134f6c9a51cf30b7125db4683465a6643
FormBook
0698cbff335f16544c0a97a71df4f0e52ee4dbddf3cadad2ee0ac52103ea8ed2
FormBook
0ec9f68c897e49e8f0158931b397bba4d5207511d5c05c36038adcddfb3bae88
FormBook
3cc2675e93622e4c76e7af2100e3bda43f0ce0065557d1e66b9e44123351b9c0
FormBook
7ffbd591d72f33b826c40da82f5f72195ca4af6a311bb934862f3cd190d4fdad
FormBook
836d479354578427f7cc678351df35175bc6e4b6a75bd936b1945b961f808a88
FormBook
880bba3fa9d2e255ad00cc35d53aa361bcdf739d16064d669a4b21b9a8034f73
FormBook
aed6c9d200b86186575d13e40ed7231c61bba34c0159c19ca6428168019da4f9
FormBook
c8d4a30dc6aa1224dd98bbb384b54e90ee845cbb0e0e591964868a0be5657897
FormBook
d4f9f7cd2d03cd2a1ede00200777caac9bd3ca5c337ce6bf6e15a3ff8e53f844
FormBook
+ 4'937 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200720-6e1j8l5cjx/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d19a1337bd1fd3534eabbbdf6db6e402de9c2996edf3b4bae1bb10e85d7b5bde

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar e00c2cbddd7527b7690f9cb970bd57fa04f35be4f6f7c10bea66fe2ad73a832d

FormBook

Executable exe d19a1337bd1fd3534eabbbdf6db6e402de9c2996edf3b4bae1bb10e85d7b5bde

(this sample)

  
Dropped by
MD5 2e5b2385852ddc28dfcfce8d43cd52d2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28692/
  
Dropped by
SHA256 e00c2cbddd7527b7690f9cb970bd57fa04f35be4f6f7c10bea66fe2ad73a832d

Comments