MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a24de6dc7649dec6421707d17740a28c2e6bc292206f585713c6ff17e7f6112. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a24de6dc7649dec6421707d17740a28c2e6bc292206f585713c6ff17e7f6112
SHA3-384 hash: 56690b4625861d37b541fb5602f5785d5b8e4c96ca119bf7e02309f1bbdfc3f6daa760440e952ce8bf2844bef594298f
SHA1 hash: 0c959721979ea719943242e873322e5fc05c118d
MD5 hash: dd4c8f34f263b8489a1d2052759134db
humanhash: freddie-arkansas-uncle-october
File name:PO & SAMPLES 9-1009-GRGS 403.2MT STR20 MIX.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:399'360 bytes
First seen:2020-08-18 13:27:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DmA8jq5nekzy50g8UL/K/V5a3Hqggg4EcmZHAFaxmVmie9bngP:kjq5ned0g8U0kHqgF4EcmZHAFaxmVmi7
Threatray 2'240 similar samples on MalwareBazaar
TLSH 2984D06C31E4A061F2F5ABB57C706D1803AE770A9522DE1F0E9175A947F2BE0A807F17
Reporter abuse_ch
Tags:Endurance exe FormBook


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 162-241-214-233.unifiedlayer.com
Sending IP: 162.241.214.233
From: Eunji Kwon (Ms.) <juhanlee90@hec.co.kr>
Subject: Request for Quotation for PO 9-1009-GRGS 403.2MT STR20 MIX
Attachment: PO SAMPLES 9-1009-GRGS 403.2MT STR20 MIX.rar (contains "PO & SAMPLES 9-1009-GRGS 403.2MT STR20 MIX.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47932/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0a24de6dc7649dec6421707d17740a28c2e6bc292206f585713c6ff17e7f6112/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 12:33:23 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bisn43ohmso6yzbbob6ro5akfdbonpbjeidplblrhrx7c7t7meja._file
Verdict:
malicious
Similar samples:
14bbd0cd681c1501f814ac5e7a4dc9b627bf410990edc77cf10ada83cd106d94
Formbook
172842029f8937753e79843e36fcb4715c0f3a9de4b256585847df48caf8e10f
Formbook
27cbd2139f326adf45adefa425f7295af578ac5d9ecceab36da74c5af53def1f
Formbook
4a6187dd467be22cbd3eab6807d368c37535c488af22442498423da8124f35fa
Formbook
5620eaea502dcc3bc31e10dc48478022f518a15956a4b6565c454dd062859eff
Formbook
6023812166224ffe7f3ff3efacddccd27c4ae1f09aa2dc9e2f5c8557d6bb4382
Formbook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
Formbook
9bf2e6afa0656c8129746c95784146ba85f15ecf46081644192e5bbfd5899144
Formbook
d3664113994262962936ebe74d0355986970def0cd0bcdcf088fe102047df9ba
Formbook
e0ea939ef71c66995928e05178d2cb87196135a26498cbe23c1c70b515aeacc0
Formbook
+ 2'230 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook
Link:
https://tria.ge/reports/200818-rfv1bfvn5e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.flekcht.com/fsj/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a24de6dc7649dec6421707d17740a28c2e6bc292206f585713c6ff17e7f6112

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar f01e62d69c389fb8a14ad92459a800377a38a33967392f65af127975adf0e256

Formbook

Executable exe 0a24de6dc7649dec6421707d17740a28c2e6bc292206f585713c6ff17e7f6112

(this sample)

  
Dropped by
MD5 4261464dcbf3df950e538a9851cf9d4f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47932/
  
Dropped by
SHA256 f01e62d69c389fb8a14ad92459a800377a38a33967392f65af127975adf0e256

Comments