MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7a3a92b790205c08f44ddc1dc7fef7e0c44e930e00582b9c21a6ba95a25439c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7a3a92b790205c08f44ddc1dc7fef7e0c44e930e00582b9c21a6ba95a25439c
SHA3-384 hash: fa9a0ab438c7b764798976aebc97d5141d6acfd8ef65b74fe68fbaadcc8e5a63b2736756953aa5ada0baa668305a1018
SHA1 hash: 7eee32e4dede5cf96f43f0c2f03a13a4af388b1b
MD5 hash: 7e3bab347cbbfe69878659d9c55c726e
humanhash: leopard-uncle-freddie-robert
File name:fHSx6OpaE6dTxT5.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:456'704 bytes
First seen:2020-08-05 09:08:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:h5P/EKxXyReJIZYFk97dRqmq1GeRfzgL:h5P/EKge0Yi7d4r1G
Threatray 5'313 similar samples on MalwareBazaar
TLSH 36A4AE6DF3449899F4261A3E8C76A4131D23FA1FDA2AC10F287A322D057735D68B6F47
Reporter abuse_ch
Tags:exe FormBook Hostwinds


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: hwsrv-759308.hostwindsdns.com
Sending IP: 104.168.213.29
From: Jackelyn Juarez Pita | Gerente Administrativa <info@crio.com>
Reply-To: Jackelyn Juarez Pita | Gerente Administrativa <info@crio.com>
Subject: Petrofac Project
Attachment: Petrofac.zip (contains "fHSx6OpaE6dTxT5.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39297/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/410731
Signature
Benign windows process drops PE files
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 257677 Sample: fHSx6OpaE6dTxT5.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 50 www.pyotrilyich.com 2->50 58 Malicious sample detected (through community Yara rule) 2->58 60 Yara detected AntiVM_3 2->60 62 Yara detected FormBook 2->62 64 5 other signatures 2->64 11 fHSx6OpaE6dTxT5.exe 1 2->11         started        signatures3 process4 file5 48 C:\Users\user\...\fHSx6OpaE6dTxT5.exe.log, ASCII 11->48 dropped 88 Tries to detect virtualization through RDTSC time measurements 11->88 90 Injects a PE file into a foreign processes 11->90 92 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->92 15 fHSx6OpaE6dTxT5.exe 11->15         started        signatures6 process7 signatures8 94 Modifies the context of a thread in another process (thread injection) 15->94 96 Maps a DLL or memory area into another process 15->96 98 Sample uses process hollowing technique 15->98 100 Queues an APC in another process (thread injection) 15->100 18 explorer.exe 4 6 15->18 injected process9 dnsIp10 52 www.tromagy.com 63.250.41.73, 49741, 49742, 49743 NAMECHEAP-NETUS United States 18->52 54 www.hansardtracker.com 107.170.159.121, 49738, 49739, 49740 DIGITALOCEAN-ASNUS United States 18->54 56 4 other IPs or domains 18->56 42 C:\Users\user\AppData\...\services8p4.exe, PE32 18->42 dropped 72 System process connects to network (likely due to code injection or exploit) 18->72 74 Benign windows process drops PE files 18->74 23 WWAHost.exe 1 17 18->23         started        27 services8p4.exe 1 18->27         started        29 services8p4.exe 18->29         started        31 2 other processes 18->31 file11 signatures12 process13 file14 44 C:\Users\user\AppData\...\682logrv.ini, data 23->44 dropped 46 C:\Users\user\AppData\...\682logri.ini, data 23->46 dropped 76 Detected FormBook malware 23->76 78 Tries to steal Mail credentials (via file access) 23->78 80 Tries to harvest and steal browser information (history, passwords, etc) 23->80 86 2 other signatures 23->86 33 cmd.exe 1 23->33         started        82 Injects a PE file into a foreign processes 27->82 35 services8p4.exe 27->35         started        38 services8p4.exe 29->38         started        84 Tries to detect virtualization through RDTSC time measurements 31->84 signatures15 process16 signatures17 40 conhost.exe 33->40         started        66 Modifies the context of a thread in another process (thread injection) 35->66 68 Maps a DLL or memory area into another process 35->68 70 Sample uses process hollowing technique 35->70 process18
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e7a3a92b790205c08f44ddc1dc7fef7e0c44e930e00582b9c21a6ba95a25439c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 09:10:09 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=46r2sk3zaic4bd2e3xa5y77ppygej2jq4acyfoocdjv2swrfiooa._file
Verdict:
malicious
Similar samples:
049a7c8bf4126088f12bcdbe2e1d5bbe5e341cfddda7959379c93a4036546200
FormBook
0b6acf8d9861c0c69b88b7a7bf1427c5245bbd968e96db1cdb08b8432442c729
FormBook
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
48759dee612da5c1b36dfe7ce569a64c3e6528210ca830993cba1996db55ea87
FormBook
5f6ecbe9757644eb46ceaef0b9e8354e63bab83b29bf47f4812c84beb08acb4f
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
9898e847968d9a38e9d33a618372ec13e726903761ea0787966ee82c737fd79f
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
e13acda03eb4829793beb5c0664d5752663b7ef5ae72b63724e7eaf189a9fec4
FormBook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
FormBook
+ 5'303 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat evasion trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200805-5tqn51rmzn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7a3a92b790205c08f44ddc1dc7fef7e0c44e930e00582b9c21a6ba95a25439c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 4981456ac3eda0bbaab1c1869d6f5b75840a31638ced3933451f9e3d7fefe80e

FormBook

Executable exe e7a3a92b790205c08f44ddc1dc7fef7e0c44e930e00582b9c21a6ba95a25439c

(this sample)

  
Dropped by
MD5 4240af4996fe0f111238f292e7358d22
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39297/
  
Dropped by
SHA256 4981456ac3eda0bbaab1c1869d6f5b75840a31638ced3933451f9e3d7fefe80e

Comments