MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e2cc8c23ff3dc0294b72571080f92677314d758c5248ef77a839e1b62818df42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 13
| SHA256 hash: | e2cc8c23ff3dc0294b72571080f92677314d758c5248ef77a839e1b62818df42 |
|---|---|
| SHA3-384 hash: | 816bc5f0fc87b09285833aacbb62b045d43d2f9d6fbf7d94f0c9628cfe5b81079b6a85150bbc678cef1c6e983d78b0d2 |
| SHA1 hash: | 816c8aea265cc8084bb5d9a5ad954eb295178524 |
| MD5 hash: | f55d280858080efac6e84da67a284d75 |
| humanhash: | oxygen-green-april-johnny |
| File name: | LOI.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 828'416 bytes |
| First seen: | 2021-01-12 18:04:32 UTC |
| Last seen: | 2021-01-12 19:49:11 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 12288:L4RZ7id5BvOw3sH28BY90jIuoYFRCIw2CiHHb8BfbmfJDJLhmoX5elo:Ek8W8M0jpFRC14b6bmfJDlEoQ |
| Threatray | 3'345 similar samples on MalwareBazaar |
| TLSH | C5056A509F91A710D3BD67BD6021006127F2E76BE3F8E79CEE5060B65F22A2445FE392 |
| Reporter |  abuse_ch |
| Tags: | exe FormBook |
abuse_ch
Malspam distributing Formbook:HELO: lo.logicstate.live
Sending IP: 45.95.168.166
From: Mansour Behnampour <info@parshavayealborz.com>
Subject: Purchase Intent
Attachment: LOI.pdf.z (contains "LOI.exe")
Intelligence
File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LOI.exe
Verdict:
Malicious activity
Analysis date:
2021-01-12 18:21:42 UTC
Tags:
trojan formbook stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching cmd.exe command interpreter
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Detection:
formbook
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2021-01-12 16:39:12 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 3'335 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook evasion rat spyware stealer trojan
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Looks for VMWare Tools registry key
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Malware Config
C2 Extraction:
http://www.fenhouses.com/nhk9/
Unpacked files
SH256 hash:
e2cc8c23ff3dc0294b72571080f92677314d758c5248ef77a839e1b62818df42
MD5 hash:
f55d280858080efac6e84da67a284d75
SHA1 hash:
816c8aea265cc8084bb5d9a5ad954eb295178524
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
SH256 hash:
30570cfb650f302af60a49151ad1c2608bc8382df59f1a7248068a07ef7a5902
MD5 hash:
34b6e1464a4227ee5cf0950f29a1827f
SHA1 hash:
d7ca08c482a9c980840454e2ffae4f953d0b70a1
SH256 hash:
657647773a5452c47471f0ba5f6304078786f3f4863c4f0eb2d954490ea12168
MD5 hash:
a989dff3bd8d279fa9355c37f060d292
SHA1 hash:
e1e7b9f758ca9873690c6d92c0d23ac11fcd326d
Detections:
win_formbook_g0
win_formbook_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.