MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db14f4188f9a9cd454cf4253cefae20a8604499afcaf61e64031f42db6dc8baa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db14f4188f9a9cd454cf4253cefae20a8604499afcaf61e64031f42db6dc8baa
SHA3-384 hash: 862364585a456b2323b9dc5d8318e8299746268ec431b662b1aabca9e069598255d3aa03b9dfce23a2717223ec6abf34
SHA1 hash: bb8ad3f32a9cf563398aa038b96b459f3d2c86a9
MD5 hash: fceab35122dc81cc00db00f29447b9c6
humanhash: low-green-maryland-twenty
File name:ORDEN RFQ07082020.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:216'368 bytes
First seen:2020-08-07 13:21:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:DiCsGB6pY42SPj/2UNepAPY4XXwo4pe8LXX1h:DYlpYpSPj/2UNzPYIXwo408LXX/
Threatray 5'062 similar samples on MalwareBazaar
TLSH 1A243A48E4884521F9BC25348929C95133F27DC2EEF4AF6C5BC9B406BBF25972C4D89E
Reporter abuse_ch
Tags:FormBook Hostwinds scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-752865.hostwindsdns.com
Sending IP: 104.168.164.165
From: Compras <compras@ventasinternacionales.com>
Reply-To: info@gaoperationse.com
Subject: ORDEN
Attachment: ORDEN RFQ07082020.Pdf.img (contains "ORDEN RFQ07082020.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41635/
Detection(s):
SecuriteInfo.com.Gen.NN.ZemsilF.34152.nm1@aa22kSk.28378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
DNS request
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/415286
Signature
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 259893 Sample: ORDEN RFQ07082020.scr Startdate: 07/08/2020 Architecture: WINDOWS Score: 100 34 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->34 36 www.mecidiyekahve.com 2->36 38 www.artisanal-wines.com 2->38 44 Malicious sample detected (through community Yara rule) 2->44 46 Yara detected FormBook 2->46 48 Binary contains a suspicious time stamp 2->48 50 Tries to detect virtualization through RDTSC time measurements 2->50 11 ORDEN RFQ07082020.exe 1 2->11         started        signatures3 52 Tries to resolve many domain names, but no domain seems valid 34->52 process4 signatures5 62 Injects a PE file into a foreign processes 11->62 14 ORDEN RFQ07082020.exe 11->14         started        process6 signatures7 64 Modifies the context of a thread in another process (thread injection) 14->64 66 Maps a DLL or memory area into another process 14->66 68 Sample uses process hollowing technique 14->68 70 Queues an APC in another process (thread injection) 14->70 17 explorer.exe 1 14->17 injected process8 dnsIp9 28 www.mage-cart.info 63.250.45.175, 49737, 80 NAMECHEAP-NETUS United States 17->28 30 www.underdecklifestyle.com 17->30 32 16 other IPs or domains 17->32 40 System process connects to network (likely due to code injection or exploit) 17->40 21 cmstp.exe 1 12 17->21         started        signatures10 42 Tries to resolve many domain names, but no domain seems valid 30->42 process11 signatures12 54 Tries to steal Mail credentials (via file access) 21->54 56 Tries to harvest and steal browser information (history, passwords, etc) 21->56 58 Modifies the context of a thread in another process (thread injection) 21->58 60 2 other signatures 21->60 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db14f4188f9a9cd454cf4253cefae20a8604499afcaf61e64031f42db6dc8baa/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-07 13:23:09 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3mkpigeptkonivgpijj456xcbkdaism27sxwdzsagh2c3nw4rova._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
017bb0ec25e33f7dbefcac17b8bdfc5ca199579e0d7a14670270eef15ff8abce
Formbook
0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004
Formbook
370293d95666a952ba140489c797e3c7d82a92cb400e360f7743075aee04ca10
Formbook
4cd679aa5f3ccf47e45a2600bbaedbbacb5e606035656b03172aed4aebe9973a
Formbook
510b24a8ddcc1a99925f07d8ec0b56489930147a95810b787291b3396bd54a7c
Formbook
68b06b7a02ddedc6cca5e2c9e2f91fe8374440ad93aa04e40a84cde5a76f8234
Formbook
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
Formbook
9963cb9f95312d222c99fac596b5bf02d81ace63ebde79c37e2312d3e2ecd32f
Formbook
d4224f6f5b734de53a5a7e5f5675b05f9a808deb058e64d00859146f8255594c
Formbook
f72897f4747769b169b5969fcde3b1b7ec92b79e0fb2e67a9d72650ac14c8d56
Formbook
+ 5'052 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200807-qkqr4d5msn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/db14f4188f9a9cd454cf4253cefae20a8604499afcaf61e64031f42db6dc8baa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img b69b6e8be62d6efdc29d6a15198b5cc4751c715e7abab8b36bf7116920deb13b

Formbook

Executable exe db14f4188f9a9cd454cf4253cefae20a8604499afcaf61e64031f42db6dc8baa

(this sample)

  
Dropped by
MD5 44401d811b7efa776fd413bad006e3b9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41635/
  
Dropped by
SHA256 b69b6e8be62d6efdc29d6a15198b5cc4751c715e7abab8b36bf7116920deb13b

Comments