MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1158faac2f05071553e63e40809ecdd0450934aa8e372728dcabf9cedbbb5ffa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1158faac2f05071553e63e40809ecdd0450934aa8e372728dcabf9cedbbb5ffa
SHA3-384 hash: 1172f0ab86ebc820f354d9fff6e50681260b439c5540d2b63f924a5218079e39c600aecb2bddf3108e6c393f70c53157
SHA1 hash: c71684f67cf0d0c0dcbcae4500f73d1932ea41f7
MD5 hash: 96a30558f4469401234772997919adc0
humanhash: coffee-six-indigo-maryland
File name:New Purchase Order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:332'288 bytes
First seen:2020-05-19 05:52:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:PBsYR7seRvsQRtFqRDQ+t9kD47uLrKA88N8DgD94:h+eKQ+kOY8lDgD9
Threatray 5'132 similar samples on MalwareBazaar
TLSH 3F64E10537F49F2AC5BEABF12861D0502372393775A2E71C6DE0A0CE3936F424A5676B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: WIN-4JVOGHKI1Z0
Sending IP: 103.133.110.105
From: Roman Cheremisin <admin@beoxies.ml>
Reply-To: mm1045725@gmail.com
Subject: RE New Purchase Order
Attachment: New Purchase Order.zip (contains "New Purchase Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 04:18:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cfmpvlbpaudrku7ghzaibhwn2bcqsnfkry3sokg4vp445w53l75a._file
Verdict:
malicious
Similar samples:
043ba161ac2f0d30c5a15799d3ce26ec63989d278f58867aeff64ce7ecb41f42
FormBook
1b4dea59e406d410a3d0d1ea8245c339fa8f5eb925f1378a09b0ee812c06508e
FormBook
27faaaca4acb955010d7b8c16764a536c04149f2d332f99668d6ff6f292bfc20
FormBook
42ef43d60efa3d2092f6d23283334bb8485569754eb1075b553be43cd8ed9c60
FormBook
50f8d8b5cbbad3f2a1d4a25b84553ba285f49318ab3dbb8d436b6709582997e8
FormBook
95fd3400d70565e8bd28da81374df780073cd2762b922059b26150a560c6aba0
FormBook
99d9cdc246bf28881b009ae71b1611c83397b23b5adf5b3746f51a5a2903ec24
FormBook
a119b8bd8e1427830ac76a7649318c0b2e9deb263b6c5e4ea0290c558d159b13
FormBook
b36d0b4952457c89f455f2333a815b0a1d7530a108bf43ea0ef1a7c17fe2774b
FormBook
eded02bf0afea18ebbcaa7682ad7f3d1215b064cd2a3185f230b87195ef85218
FormBook
+ 5'122 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook coreentity rat rezer0 spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-y8tew4a1jj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
rezer0
CoreEntity .NET Packer
Formbook
Malware Config
C2 Extraction:
http://www.slacktracks.info/y22/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip 44f37e5635bafb5b1ef855fbf71e9eb0d4ff713745227ed35e3aef03d57b94c3

FormBook

Executable exe 1158faac2f05071553e63e40809ecdd0450934aa8e372728dcabf9cedbbb5ffa

(this sample)

  
Dropped by
MD5 8c7b8a8103b12c095296e44c16834791
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 44f37e5635bafb5b1ef855fbf71e9eb0d4ff713745227ed35e3aef03d57b94c3

Comments