MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719
SHA3-384 hash: 543c529f1214b7922f23b864bb4a05173716ebad08d2037746e5ea11c36530a1ad72c50a29c04b17fd2c3fac3c029672
SHA1 hash: a88f5b2d7f7c9c9c1f015ed7c659656fa752df02
MD5 hash: b6076c3f3c090e88a79b3ab2398cb2a5
humanhash: east-double-leopard-oranges
File name:Pfz2O0m5k-july2020-RFQ.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:404'480 bytes
First seen:2020-07-13 06:19:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:0JgoHnAexxphmSdlPohQqJCKYqSudu6mJN/:6P3dJcQqnQ8uLJt
Threatray 5'453 similar samples on MalwareBazaar
TLSH 4E841323A13CC2E2FC9D3DB02E184725DABA2E928635E087DA4FBDC5E873613C1456D5
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: dlveltex.co
Sending IP: 111.90.145.49
From: EVERSENDAI GLOBLE COMPANY <ge13968@hibox.hinet.net>
Reply-To: ge13968@hibox.hinet.net
Subject: Re: P0 (2020)-2790 new orderJuly2020
Attachment: Pfz2O0m5k-july2020-RFQ.rar (contains "Pfz2O0m5k-july2020-RFQ.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24964/
Detection(s):
SecuriteInfo.com.LuheFihaA.13156.32353.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Possible injection to a system process
Unauthorized injection to a system process
Deleting of the original file
Unauthorized injection to a browser process
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719/
Threat name:
ByteCode-MSIL.Trojan.Swotter
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 06:21:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cuqmdfuaize5ljdfuiadarrbafepodkq5etdmyyaefgovhxrk4mq._file
Verdict:
malicious
Similar samples:
1f6648f6fd581ed57b9566f4eb942687aaa6401baba93ed7c287933c7d3d6ab1
FormBook
21813f583f972f9c4e699983357c38a32f9a42821db9dad54affd80aefd89967
FormBook
32299b31508d3573355dbee08ac526382cd90fbe5026335c5f8917ab34c02177
FormBook
3b13bf8c3de862a6914cf5a9eb0539e0046faf3e62e7d2f0fb63001e8dd2b5a3
FormBook
420541ff7ab7f97d2110f9c2f2488087c0d2f9e577fa5e55c73eebf4f5416bbc
FormBook
5b982bb28bff9233140d835bd34cb4a0ef043e2304a8ce2a934e546c1db1c475
FormBook
aa8c8d0ec55c08d2adb88281098498992f2c415464626548c882cf7b59c54ed7
FormBook
ae2e068d752e118448126ec85e5cf8d8e348113c7fbed24259c711bc8eb82ef8
FormBook
deb000698f0c002307d6afbb61195804c955ae5b1141a1a1657ce0c5c1911e98
FormBook
f20b3dc32d42f2f1a64414b5932cc0cb7baf99356445a770a80bf7bed7e144a8
FormBook
+ 5'443 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200713-9mssbt2qk6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar bb22f5771789c3eb9c2577dbbe1f6b942845b7a7c3bd0b8e6c11e54827d909f0

FormBook

Executable exe 1520c196804649d5a465a2003046210148f70d50e926366300214cea9ef15719

(this sample)

  
Dropped by
MD5 81ba1306edf5e661f7db17e62979940c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bb22f5771789c3eb9c2577dbbe1f6b942845b7a7c3bd0b8e6c11e54827d909f0
Cape
Cape
https://www.capesandbox.com/analysis/24964/

Comments