MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 019d66a867b6b5e15b41453877f08a68fcedc98616782791e34fa4cd40f8e2b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 019d66a867b6b5e15b41453877f08a68fcedc98616782791e34fa4cd40f8e2b6
SHA3-384 hash: 84a14a1e7cb0faef6ba31a009accf4857e84dc84845a8765be11f5e2c11984bca8a6a5e42123cf702c23fc5f5d255ef8
SHA1 hash: 39d16cf35c94e95c020efb16312fe8543114b81d
MD5 hash: 4539d09c6139fbe652461a13ebb5aa18
humanhash: sweet-alanine-massachusetts-cold
File name:New package found at your local post office.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:534'016 bytes
First seen:2020-06-12 07:51:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:U4aSTZnjhg/LSDqrJBO8U2GAnLRZ8PFGywTW/jtYIeA3nLQ3ZGSpzAlg7:yoZySD0zGAnswTxw3nLQ3ZGSWg
Threatray 5'228 similar samples on MalwareBazaar
TLSH 5BB4D4457A43637FC4AEEB317ED05C34A71C69DF22FA81CAD0372A5865ED2928F0056E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: box.muaebnk.com
Sending IP: 167.172.61.5
From: Package Trackr <tracer@muaebnk.com>
Reply-To: <tracer@muaebnk.com>
Subject: Your package just arrived - schedule your delivery time
Attachment: New package found at your local post office.img (contains "New package found at your local post office.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9973/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EMHL.24330.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 00:39:23 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=agownkdhw226cw2biu4hp4eknd6o3smgcz4cpepdj6sm2qhy4k3a._file
Verdict:
malicious
Similar samples:
30bbf2043054b92e495bbd55f67e43b8eafce430bf31d8aaa4899385e503cdbe
FormBook
3e98d7f59e495ddfa5140a50f70347bb4a56296ca2dcb6602f65ebb4e4a0373b
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
FormBook
cbbc3af13a3cc33ff5dffb137c7276dd246f9b9a696de51d6858461e986d4ebd
FormBook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
FormBook
d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e
FormBook
dea5303370177b621cdd1fd497396ddaa9e94d3edd1407339f52f0dc85a67046
FormBook
ec3275973764fa95e7fd95628318c58c9731eeaf4a530f80e954330e8de52e6f
FormBook
+ 5'218 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-9jawy54h4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
rezer0
Formbook
Malware Config
C2 Extraction:
http://www.vinoblay.com/wkx/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 2fd632f3dd29f3599171af82f20e8ff3f93e8d4b6df78ce6b5a14309d04c0e01

FormBook

Executable exe 019d66a867b6b5e15b41453877f08a68fcedc98616782791e34fa4cd40f8e2b6

(this sample)

  
Dropped by
MD5 89e905241c95e34ba51be026d5bbcfa8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2fd632f3dd29f3599171af82f20e8ff3f93e8d4b6df78ce6b5a14309d04c0e01
Cape
Cape
https://www.capesandbox.com/analysis/9973/

Comments