MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f22a0b5b12687ae12b9f4d625d82a16562bce5e1b03b7d7372df3813e5afc8e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f22a0b5b12687ae12b9f4d625d82a16562bce5e1b03b7d7372df3813e5afc8e5
SHA3-384 hash: 0da241654d88500f9df60fb76cdf5aba6437261706d145d3663081490030842b565c56e31ceb672a185667bb2755b06d
SHA1 hash: 3b042b49ac135f38824de3665a051a7631e98782
MD5 hash: f7ad3b59548788a59172b6477a1b83f0
humanhash: jersey-magnesium-hotel-triple
File name:Doc11.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:584'704 bytes
First seen:2020-09-22 09:44:55 UTC
Last seen:2020-09-22 11:22:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:ECGb2I5hQeMda6UYZoqNh+8LzxdYlBxg/pngR7:tGbVxMWqVNtvxdYPxgg
Threatray 2'253 similar samples on MalwareBazaar
TLSH C8C4120F7348C617D2A5657AA06F0ABBB3F512931633E615CD0064EA14C6B81AF2F7B7
Reporter GovCERT_CH
Tags:FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/64350/
Detection(s):
SecuriteInfo.com.ArtemisF7AD3B595487.14283.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Launching cmd.exe command interpreter
Setting browser functions hooks
Forced shutdown of a system process
Unauthorized injection to a system process
Unauthorized injection to a browser process
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/472209
Signature
Antivirus / Scanner detection for submitted sample
Creates an undocumented autostart registry key
Detected FormBook malware
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 288546 Sample: Doc11.exe Startdate: 22/09/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 3 other signatures 2->49 10 Doc11.exe 1 2->10         started        process3 file4 35 C:\Users\user\AppData\Local\...\Doc11.exe.log, ASCII 10->35 dropped 61 Writes to foreign memory regions 10->61 63 Maps a DLL or memory area into another process 10->63 14 RegAsm.exe 10->14         started        17 RegAsm.exe 10->17         started        signatures5 process6 signatures7 65 Modifies the context of a thread in another process (thread injection) 14->65 67 Maps a DLL or memory area into another process 14->67 69 Sample uses process hollowing technique 14->69 71 Queues an APC in another process (thread injection) 14->71 19 explorer.exe 14->19 injected 73 Tries to detect virtualization through RDTSC time measurements 17->73 process8 dnsIp9 37 www.chelsescompass.com 45.207.122.153, 49722, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 19->37 39 cretanhandcarving.com 67.221.178.216, 80 NYINTERNETUS United States 19->39 41 3 other IPs or domains 19->41 51 System process connects to network (likely due to code injection or exploit) 19->51 23 cscript.exe 1 17 19->23         started        signatures10 process11 file12 31 C:\Users\user\AppData\...\7L8logrv.ini, data 23->31 dropped 33 C:\Users\user\AppData\...\7L8logri.ini, data 23->33 dropped 53 Detected FormBook malware 23->53 55 Creates an undocumented autostart registry key 23->55 57 Tries to steal Mail credentials (via file access) 23->57 59 4 other signatures 23->59 27 cmd.exe 1 23->27         started        signatures13 process14 process15 29 conhost.exe 27->29         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f22a0b5b12687ae12b9f4d625d82a16562bce5e1b03b7d7372df3813e5afc8e5/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-09-22 05:30:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ivawwysnb5ock47jvrf3avbmvrlzzpbwa5x243s344bhznpzdsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0de7b2b7c4e9974b9343de9666287a7137614cbcffc5f89932601b503712002a
FormBook
15af9bb36b7a51efea7ab70d98a29ef7059f4f5b7178fef0aaff0671bf6c9386
FormBook
4458df211fccf5c1d24b96ebb7b4191cc94edc0b0e13bbb80ae3919f015297d9
FormBook
4f90d42980450652ef19fe55ebea9e68683b4d29027900dcbeb5c26d298318fc
FormBook
52a3e59905cc8e33bc33223e1b55482b484c6e04d7795a7329946a77502e950d
FormBook
704e900ae3d5645795927711e8f35d8b424ffcbbc4535f71346ea0feafebf14a
FormBook
8aafecddd3b462d27c24000757496edb5c6bce1e6abff9157d5360457b0805d7
FormBook
ad660d774f78137622d038976557c8782211dbfd39d2ff9a7a4bcc9279ba0f41
FormBook
b2a437bec36856a90558f9f54873096e6d1324cf487cc265038dbe82e5b03788
FormBook
ef19177bdff9d49a09dd7010e58fd81029d5f8e2d54abb053575604c2fc219ed
FormBook
+ 2'243 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware trojan stealer family:formbook persistence
Link:
https://tria.ge/reports/200922-c6s7hwcxma/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.damcol.info/dfc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f22a0b5b12687ae12b9f4d625d82a16562bce5e1b03b7d7372df3813e5afc8e5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

7fad757b40d1dc9a65a66961110174c196e4b78a3967a54adfc82eb9af1d77e4

FormBook

Executable exe f22a0b5b12687ae12b9f4d625d82a16562bce5e1b03b7d7372df3813e5afc8e5

(this sample)

  
Dropped by
MD5 07370b65ae80543d52008067c0ff0fbd
  
Dropped by
SHA256 7fad757b40d1dc9a65a66961110174c196e4b78a3967a54adfc82eb9af1d77e4
  
Dropped by
FormBook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/64350/

Comments