MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e59d9d9ca9e0c7dddea9a94f0dab0ae137b6a762999bade26db35b1ca35e1f72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e59d9d9ca9e0c7dddea9a94f0dab0ae137b6a762999bade26db35b1ca35e1f72
SHA3-384 hash: 8215fbb3dce02ace8db325bcc8adc364240ed3db80edf5d9813f05675296da1903ff13876af822621415fe995237b0a2
SHA1 hash: ffe1636aa203450e069146e8bb37a651dfeb85b6
MD5 hash: c283a8ac2f353078f965d522d810b43c
humanhash: colorado-tennis-arkansas-arkansas
File name:invoic.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:367'104 bytes
First seen:2020-12-18 09:47:42 UTC
Last seen:2020-12-18 11:34:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dbf475948377ff2dae92a6f9df430413 (1 x Formbook)
ssdeep 6144:QMqzJOARr6Pt/pFlFAckGr58PO43v7CFcOq0wtUI7OaWVfo63S66FaFletdUI:QMq9OZ/przb9yOkv7Bh9tCaaApFKkf1
Threatray 3'220 similar samples on MalwareBazaar
TLSH BB74386D3EA1F54AF56284B9BE44D6EE68193B71281D48037CC03F177CA05ECDEA6E06
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.lloydsbritishinternational.com
Sending IP: 77.68.11.234
From: sales1@mutamin.com.tr
Reply-To: dukeslain@gmail.com
Subject: REMITTANCE INVOICE
Attachment: invoic.rar (contains "invoic.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
invoic.exe
Verdict:
Malicious activity
Analysis date:
2020-12-18 09:58:44 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/f94501b6-7d30-4b2c-aec8-95156d1e708b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108371/
Detection(s):
SecuriteInfo.com.ArtemisC283A8AC2F35.23452.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending a UDP request
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566185
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332176 Sample: invoic.exe Startdate: 18/12/2020 Architecture: WINDOWS Score: 100 34 www.lookoutwineclub.com 2->34 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 Yara detected FormBook 2->42 44 2 other signatures 2->44 11 invoic.exe 2->11         started        signatures3 process4 signatures5 52 Maps a DLL or memory area into another process 11->52 54 Tries to detect virtualization through RDTSC time measurements 11->54 14 invoic.exe 11->14         started        process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 14->17 injected process8 dnsIp9 28 worldwidetrafficker.com 217.182.121.225, 49745, 80 OVHFR France 17->28 30 neothecode.com 34.102.136.180, 49749, 80 GOOGLEUS United States 17->30 32 6 other IPs or domains 17->32 36 System process connects to network (likely due to code injection or exploit) 17->36 21 chkdsk.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e59d9d9ca9e0c7dddea9a94f0dab0ae137b6a762999bade26db35b1ca35e1f72/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 09:48:07 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4woz3hfj4dd53xvjvfhq3kyk4e33nj3ctgn23ytnwnnrzi26d5za._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
086d2a6e11da6e37ab46eb8d75c2eeb3d4aa825001be71e1e109b4578e5a321c
Formbook
2d5d89747431e9003471e77e757e6c2d3310cbcac7451c1bb8389d0744543e6f
Formbook
2f28bd2f3a4cc60e79d788f54365946926716720bc1c636ea5284bb02b952613
Formbook
2f7928f55bdc7b386f2163c027d9ac29cf2cee2dd29b54fee39f18bc8db8344b
Formbook
350e219c13047857943a54ec0f55a0db19e2980cbff9d73f1aea34b9bd0b17de
Formbook
3809041ce9fcb7f00674e65db2fd63f94373df583d6e3e869943aeb08b34ad28
Formbook
8df5752017d7f083ddad62b8423ea7109c830dbcdca3fff0ee7aee8d149fdeda
Formbook
c59292352ccbebbc63ea3c740a7981594b6e8dbea866e1c1c8f66b0a0aa61eba
Formbook
cd1cf9ec6f4414bc33e3e18485e72af68252f3a765a585fe383214372797f41c
Formbook
e34426ec0d12a3acde221f2a5e5476528e028c1fc980a7c2d35dcfdde9caccab
Formbook
+ 3'210 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201218-1e77twjybj/
Behaviour
Modifies registry class
Suspicious use of UnmapMainImage
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.helpmeiminmytwenties.com/oncs/
Unpacked files
SH256 hash:
60a5a0a5e8e2c85b6beee7fdac3607aed077a623c0ef5cb41d083b0dfcbfc7e2
MD5 hash:
c5ba80289ae16c76a61567620124a3bf
SHA1 hash:
60b68f19c2af12f1cddd8cbcf66ffba481939a81
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/c5dccfe8-9414-4bdc-bf8a-bab7d883fd20/
SH256 hash:
e59d9d9ca9e0c7dddea9a94f0dab0ae137b6a762999bade26db35b1ca35e1f72
MD5 hash:
c283a8ac2f353078f965d522d810b43c
SHA1 hash:
ffe1636aa203450e069146e8bb37a651dfeb85b6
Link:
https://www.unpac.me/results/c5dccfe8-9414-4bdc-bf8a-bab7d883fd20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/e59d9d9ca9e0c7dddea9a94f0dab0ae137b6a762999bade26db35b1ca35e1f72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar b23e540d272f39f79b911e5015c55e9ec7d588ddf1128d92400fae539fd32e85

Formbook

Executable exe e59d9d9ca9e0c7dddea9a94f0dab0ae137b6a762999bade26db35b1ca35e1f72

(this sample)

  
Dropped by
MD5 0584c60446d5cbebf534618e716d9885
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b23e540d272f39f79b911e5015c55e9ec7d588ddf1128d92400fae539fd32e85
Cape
Cape
https://www.capesandbox.com/analysis/108371/

Comments