MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6
SHA3-384 hash: 1a9d68aa488c2c79bbbdc95294e8aedf33006fadaea07f66ea5ae13aec82aab54fd34d0c405f6f5e6d0377d489b8e9e4
SHA1 hash: 829507fe6e8ee81df622f9cbd7687357539143e1
MD5 hash: 5648ba0fc4c319ecd06016f6c172e911
humanhash: rugby-cup-blue-hydrogen
File name:Scan2272020 pdf.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:872'448 bytes
First seen:2020-07-22 08:51:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e01edf6e44755e0328837b108f7966d (7 x AgentTesla, 5 x Loki, 3 x NanoCore)
ssdeep 12288:EQ/ena6F83r+bPrsdB0L0gazjJsJNulttShwmAl+fE02y6ax3prABZ+b:HaaFabDs7btHlttqwmFfE03Fpc3+b
Threatray 5'104 similar samples on MalwareBazaar
TLSH AD059E66F1934833C562DA3C8C5BB6789C3AB9111A197A466BF40F8C9F3E64338352D7
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.example.com
Sending IP: 103.133.110.22
From: Stocks-Tandel's <stocks@tandels.com> <admin@motonina.ml>
Subject: MISTAKE ON DUE PAYMENT DATE
Attachment: Scan2272020 pdf.iMG (contains "Scan2272020 pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30971/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.11988.27959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394766
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 249788 Sample: Scan2272020 pdf.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 53 www.sulicet.com 2->53 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 7 other signatures 2->67 11 Scan2272020 pdf.exe 2->11         started        signatures3 process4 signatures5 85 Maps a DLL or memory area into another process 11->85 14 Scan2272020 pdf.exe 11->14         started        process6 signatures7 87 Modifies the context of a thread in another process (thread injection) 14->87 89 Maps a DLL or memory area into another process 14->89 91 Sample uses process hollowing technique 14->91 93 Queues an APC in another process (thread injection) 14->93 17 explorer.exe 1 6 14->17 injected process8 dnsIp9 47 www.906zy.com 121.37.167.83, 49717, 80 HWCSNETHuaweiCloudServicedatacenterCN China 17->47 49 katomaviation.com 65.39.193.60, 49718, 49719, 49720 COGECO-PEER1CA Canada 17->49 51 3 other IPs or domains 17->51 39 C:\Users\user\AppData\...\audiodguv9l_.exe, PE32 17->39 dropped 69 System process connects to network (likely due to code injection or exploit) 17->69 71 Benign windows process drops PE files 17->71 22 WWAHost.exe 1 18 17->22         started        26 audiodguv9l_.exe 17->26         started        28 raserver.exe 17->28         started        30 autoconv.exe 17->30         started        file10 signatures11 process12 file13 41 C:\Users\user\AppData\...\65Plogrv.ini, data 22->41 dropped 43 C:\Users\user\AppData\...\65Plogri.ini, data 22->43 dropped 45 C:\Users\user\AppData\...\65Plogrf.ini, data 22->45 dropped 73 Detected FormBook malware 22->73 75 Tries to steal Mail credentials (via file access) 22->75 77 Tries to harvest and steal browser information (history, passwords, etc) 22->77 79 Modifies the context of a thread in another process (thread injection) 22->79 32 cmd.exe 1 22->32         started        81 Maps a DLL or memory area into another process 26->81 34 audiodguv9l_.exe 26->34         started        83 Tries to detect virtualization through RDTSC time measurements 28->83 signatures14 process15 signatures16 37 conhost.exe 32->37         started        55 Modifies the context of a thread in another process (thread injection) 34->55 57 Maps a DLL or memory area into another process 34->57 59 Sample uses process hollowing technique 34->59 process17
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 08:53:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=43pj5bvuoamecedfbr33jb3znkh3e7lhuyfz4dfhuej567xp3xta._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0951d8c7c31922177bfac1849388cf7e947d6e51ccbf936c7edd1e6d7c44da9d
FormBook
0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197
FormBook
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
FormBook
344d949f94b4420c0cd7772fa786e17059d5599df223a93ef999ea2c663ad8be
FormBook
34a88c5a15f36eb7b24dfb21e53185ffa67a04760533e9d474dd4de4e5331153
FormBook
45024576e848c50c9199cbfe61462e11551ec6ce99cb7ca39ae929dc77aa348f
FormBook
5ea463243b051351c219469515fb9b39d01c5c3c4f4698bd6164e36070622d35
FormBook
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
FormBook
897c29c75ae58e4057c0d32c3704469a7ecfa4878f5d0c60ad8abe2fa821b0b0
FormBook
b9cd83c667b694ec10f884183b138beeb0f986a7d3c50af463535852f2fa0663
FormBook
+ 5'094 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:formbook persistence evasion
Link:
https://tria.ge/reports/200722-12mbgnavwa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Adds policy Run key to start application
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 73c6b5d079631f5333cf83d080e70cb3b69262d7994596be9dc3deb28b7ae507

FormBook

Executable exe e6de9e86b470184110650c77b487796a8fb27d67a60b9e0ca7a113df7eefdde6

(this sample)

  
Dropped by
MD5 512be8787c7bdcd7ac3f6119faf789b5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30971/
  
Dropped by
SHA256 73c6b5d079631f5333cf83d080e70cb3b69262d7994596be9dc3deb28b7ae507

Comments