MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2641eefb1f61e48b87efdf457c48469b11192863ce4aafaa630d14c6cdee9be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2641eefb1f61e48b87efdf457c48469b11192863ce4aafaa630d14c6cdee9be
SHA3-384 hash: 22e7516e756cc74dfdd9f7197196cfd5bb65aa6fc421f1fccaf8fde607cb908445324d4da828c5dc23a8b6178b3cc932
SHA1 hash: 3f31e36fe0a926eee06e7116d2056bb76fe064d3
MD5 hash: 8c0a529b08245146ca3bb3e13910f1a6
humanhash: green-pluto-eighteen-video
File name:Doc_90834975304342.pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:285'184 bytes
First seen:2020-07-21 12:13:53 UTC
Last seen:2020-07-21 12:54:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:31sNKtDY1SbqCb69auCkc7q65MvUg1xzsTDt6tIckMdet:31sNGYsbzb69aNeTA16uEe
Threatray 5'112 similar samples on MalwareBazaar
TLSH FC54120613E8B726DCAEC7FED8B2250227744711950AF39C0EA8546E34573854FD6BBB
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: business15-2.web-hosting.com
Sending IP: 162.213.253.12
From: Ryo SAKAI <info@aljawharapaints.com>
Subject: DC and UPS System / RFQ Issuance / Cut-off date : 2020-07-29 [TongYeong CCPP]
Attachment: Doc_90834975304342.pdf.img (contains "Doc_90834975304342.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30127/
Detection(s):
SecuriteInfo.com.Generic.mg.8c0a529b08245146.27630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/393112
Behaviour
Behavior Graph:
Download SVG
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d2641eefb1f61e48b87efdf457c48469b11192863ce4aafaa630d14c6cdee9be/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 12:15:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jsb535r6yperod67x2fpreengyrdeughtskv6vggdiuy3g65g7a._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
40e20cc321623df3271e2ea7cbe75f647096a8a30737d21d0ef8ddbdc33a7f49
FormBook
4cb1215ffaab1feb117a9df705adb8b385ce4e345103da10e05438d0a6052791
FormBook
52b517b0e9be1efed3349ff5b7e7e4a392881437d7bc9ccd7b94bbc23e28a2f9
FormBook
5bd27386ef3a7ad330e244fc7db1624b950b4edf0bcec08e98ac58c9d5e7422d
FormBook
6b17c7fa9318e19b00115ee75af6c8ee3b811e7983ed96ae819461482834137e
FormBook
7f6459ace4d6259e61c8170563af8a30f25568457902f4f717c8ad17574efab6
FormBook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
FormBook
c0e1210ec3e11a5d71cdbf2edfb199539f891a1bdb27ccd97eaf0fb70891c615
FormBook
ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec
FormBook
f708f99bcb86bc017f5b34435a241cb77fa4bc4c37d47b85f1ecc43e9ddc365c
FormBook
+ 5'102 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200721-gs3gpvgqw6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
System policy modification
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/d2641eefb1f61e48b87efdf457c48469b11192863ce4aafaa630d14c6cdee9be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 8b566a64d7c2d2ec5ed628cde96698433ba55e898829a147c16fc1a5042b59f9

FormBook

Executable exe d2641eefb1f61e48b87efdf457c48469b11192863ce4aafaa630d14c6cdee9be

(this sample)

  
Dropped by
MD5 8bdd3816ddc7411238a0e6420fab3a46
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30127/
  
Dropped by
SHA256 8b566a64d7c2d2ec5ed628cde96698433ba55e898829a147c16fc1a5042b59f9

Comments