MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a18c476254735864b8ab07e5223bb310207954cce179c4b773345d73247113f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a18c476254735864b8ab07e5223bb310207954cce179c4b773345d73247113f
SHA3-384 hash: 173db5bf0b0f6643c56d612ba7902c8fa382e05a22093e17a3e29cd35cb48d7c20167261236855e0640e10312c3183d0
SHA1 hash: 98ad5f218d3c80f96c3897fa21be18c0b7bc922f
MD5 hash: ebb78f339614e543c893e76df4327ab4
humanhash: kilo-white-spring-mississippi
File name:E1ag4YEaCTFwVZi.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:307'200 bytes
First seen:2020-06-12 08:34:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:3B0M0rWLSbtzUReeZxE2AuOLZaRGT0GL03hoiDLuvdtjYZDVuvd7w:3B0MkWLoN6EVzLZAYoy5vdtjYZDVuvdU
Threatray 5'124 similar samples on MalwareBazaar
TLSH CC64E18C37A0B2EFC82BC9729DA45C20E671B57A9707D317B44716AD994E5A7CF200F2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: engpaper.com
Sending IP: 107.174.142.107
From: Erica Ramosa <guru1@engpaper.com>
Subject: Fwd: Payment advice-BFTI_EFT7602019123014010054_18_760
Attachment: Bank Credit.Gz (contains "E1ag4YEaCTFwVZi.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10003/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.8252.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 07:53:33 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bimmi5rfi42yms4kwb7fei53gebapfkmzylzys3xgnc5omshce7q._file
Verdict:
malicious
Similar samples:
3a65203b683e8f50436aed7a76531617e566c4363ca795885683479e4a3430b6
FormBook
46d500e1f512e941b4c282d92908fb244439bede7a604381f761823d66f8ba2f
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
a658844624b4f1c5dd792ba527d7f04945aac9be928febf34813b3028deaf0da
FormBook
b1809788389e6fbab24abc12b306b2cd4d88a59b983b5a469a63d923e572fa6b
FormBook
b42bb3af52ae6b9fc8dd890fea86abad727db5ae0647217d2f5f2035bc5c2c7b
FormBook
cd120b25b52e7720424139783c7b18f496b07f5bd8f3d4c52ea8b149318da5de
FormBook
d571629d266c5354146cdfe698d79c88c33e598aa6c8d9a0587662c6b5421ed2
FormBook
f62545db6d573b7145c40ce57f9d85eafaa9ffd95923178d29a02845def94b0c
FormBook
feb3b84e0ea9e1c3522e9a3258f8578ffe461a43ce41920d6b41fa19520ac7a2
FormBook
+ 5'114 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-8beww4yyb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
rezer0
Formbook
Malware Config
C2 Extraction:
http://www.spatren.com/k0f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fbff5da12c498842804b6018096e3f14

FormBook

Executable exe 0a18c476254735864b8ab07e5223bb310207954cce179c4b773345d73247113f

(this sample)

  
Dropped by
MD5 fbff5da12c498842804b6018096e3f14
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/10003/

Comments