MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 017bb0ec25e33f7dbefcac17b8bdfc5ca199579e0d7a14670270eef15ff8abce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 017bb0ec25e33f7dbefcac17b8bdfc5ca199579e0d7a14670270eef15ff8abce
SHA3-384 hash: 7026bb524a802019b51630801f777f53757e65262c5b134873fb14eebf0d3d2c99ba55ac01991bab9e9409738fdad200
SHA1 hash: 8976890c7799f2b43d0f87d13e578971150a2601
MD5 hash: 58e5625ddd12f520189eb0e06e5bc08d
humanhash: ohio-helium-william-pip
File name:SCAN_PAYMENT ADVICE.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:194'240 bytes
First seen:2020-08-18 11:43:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:OXjFBmtgKWn6rNdeVTeHhu0ICGQXJXcNR1fVtuitjvM87SsZ780T1w+CdORMAbI8:OXjFBmtgKWn6rNdeVTeHhu0ICGQXJXcx
Threatray 2'238 similar samples on MalwareBazaar
TLSH D614950276407211D1A8317D83E69C5937B8ACFF4AE1980DCF857A9EF9B21E3685C6CD
Reporter abuse_ch
Tags:FormBook scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.africanfitness.pw
Sending IP: 161.129.65.69
From: Sales 3 <citrroen.gouws@naverl.com>
Reply-To: citrroen.gouws@gmail.com
Subject: Fwd:Payment Advice!
Attachment: SCAN_PAYMENT ADVICE.Pdf.img (contains "SCAN_PAYMENT ADVICE.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47752/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Sending an HTTP GET request
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/017bb0ec25e33f7dbefcac17b8bdfc5ca199579e0d7a14670270eef15ff8abce/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 23:05:40 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=af53b3bf4m7x3px4vql3rpp4lsqzsv46bv5bizycodxpcx7yvpha._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
0f73e9d58b85ae9061722f0720ab2f76f9884042b9ac260e5c102564d4572004
Formbook
370293d95666a952ba140489c797e3c7d82a92cb400e360f7743075aee04ca10
Formbook
4cd679aa5f3ccf47e45a2600bbaedbbacb5e606035656b03172aed4aebe9973a
Formbook
510b24a8ddcc1a99925f07d8ec0b56489930147a95810b787291b3396bd54a7c
Formbook
68b06b7a02ddedc6cca5e2c9e2f91fe8374440ad93aa04e40a84cde5a76f8234
Formbook
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
Formbook
9963cb9f95312d222c99fac596b5bf02d81ace63ebde79c37e2312d3e2ecd32f
Formbook
d4224f6f5b734de53a5a7e5f5675b05f9a808deb058e64d00859146f8255594c
Formbook
db14f4188f9a9cd454cf4253cefae20a8604499afcaf61e64031f42db6dc8baa
Formbook
f72897f4747769b169b5969fcde3b1b7ec92b79e0fb2e67a9d72650ac14c8d56
Formbook
+ 2'228 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat spyware persistence trojan stealer family:formbook
Link:
https://tria.ge/reports/200818-llzzzcndd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.mage-cart.info/d9s8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/017bb0ec25e33f7dbefcac17b8bdfc5ca199579e0d7a14670270eef15ff8abce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 9065217c8c054c16f631097a121808f540acbff955e88ba81270bb97b8ac2b65

Formbook

Executable exe 017bb0ec25e33f7dbefcac17b8bdfc5ca199579e0d7a14670270eef15ff8abce

(this sample)

  
Dropped by
MD5 50c6a199853a9de8e73aa764c66738f0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47752/
  
Dropped by
SHA256 9065217c8c054c16f631097a121808f540acbff955e88ba81270bb97b8ac2b65

Comments