MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1fbc7054235d4485a668fd7da82d4dd71e9c0b387c3214c9a593213634a5fd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1fbc7054235d4485a668fd7da82d4dd71e9c0b387c3214c9a593213634a5fd2
SHA3-384 hash: 419a101eb8c6f072db7da0df68dae98ca1845b41e0b436817c2cba88deb8e273a8a8b54b28a1420e0fbac5fbd5de167f
SHA1 hash: 2dce7461b44f53628bdc26a99a312b7d3ba3675d
MD5 hash: 34364aade94749f63ea3ec96497d1924
humanhash: alaska-double-seven-fish
File name:LKM-STI-00012.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:528'896 bytes
First seen:2020-07-07 08:23:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:2qOvHDE2rlT7F1QU+BHtCOMrQOqma7Yv1zcxFLvzj:vOiU+xBMsOdQYvVc7
Threatray 5'592 similar samples on MalwareBazaar
TLSH A3B49E7171219ED7C93E0DF0A00328428FB52EA7296DE2DF6CC670E645FABD04A46977
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: 3sapparel.co.141.90.111.in-addr.arpa
Sending IP: 111.90.141.26
From: TRUNG VIET IMPORT & EXPORT CO., LTD. <patbonnantakui@gmail.com>
Subject: INQUIRY FROM TRUNG VIET IMPORT & EXPORT CO.LTD.
Attachment: 138018.rar (contains "LKM-STI-00012.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22043/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Possible injection to a system process
Forced shutdown of a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1fbc7054235d4485a668fd7da82d4dd71e9c0b387c3214c9a593213634a5fd2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 02:35:19 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2h54obkcgxkeqwtgr7l5vawu3vy6tqftq7bscte2lezbgy2kl7ja._file
Verdict:
malicious
Similar samples:
33f00dc2af9dacecce6b63438a089cbc245fad566b7533ddf5fffb51c6b3db09
FormBook
3ece5a48adfb70192e45d9cd0e0236bbd95873ac53c9bc8f7f79a62259a848a0
FormBook
54b13451934452d59e08b8d8d07d28259264149ef5dde0a3ee57a948aad8d7a0
FormBook
70ec219c395c643882ed26e21757a273a3ca5072b54934c8cbe17cb6809b31eb
FormBook
841b9682f1bcb94cc4c510c2564791004f3d1c26ae764c42c145fe16ab093901
FormBook
b9a6dd35f9ca163d4e76a25d642ca7a580272ea7886a6a639273ac5b732e9f8c
FormBook
cdf43e36edf4aaa17906bf552cd65351d9b6e66a77356f91cd819874cf531e03
FormBook
d63293a1c8b19e0a042d92655ffa095412af2804a2523b31cfeb4e11e1fb772a
FormBook
e50f294da86ca74a28ab00ef44e48d7c0374f4a33e2ed436f9a4ed4e6a01e9b9
FormBook
f9fd67b28fd985eb062137c47d008ee299099dc5adf63168470603ba635a286d
FormBook
+ 5'582 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:formbook
Link:
https://tria.ge/reports/200707-b2ql8x5kza/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
System policy modification
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Reads user/profile data of web browsers
Adds Run entry to policy start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar c5a2e66ff48e7d448edb5fc2cfcb086bbccf73aa66e7af29d6bbbe9d40bd8162

FormBook

Executable exe d1fbc7054235d4485a668fd7da82d4dd71e9c0b387c3214c9a593213634a5fd2

(this sample)

  
Dropped by
MD5 2ef9a4d03dc182b0968d296dc50523bb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22043/
  
Dropped by
SHA256 c5a2e66ff48e7d448edb5fc2cfcb086bbccf73aa66e7af29d6bbbe9d40bd8162

Comments