MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d
SHA3-384 hash: 43fe8323fcf2c34f4d9e23b2bb10f49382ced7da57ec857d51c4e32447487e81ca02245f6c63b185e451428b26f64cba
SHA1 hash: ad0484380e1acd9601c7366020951aab8cafc35c
MD5 hash: 9c31b792ade0143cf3ed165b3358ba5c
humanhash: fanta-oklahoma-coffee-papa
File name:PURCHASE ORDER 4093021.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:374'784 bytes
First seen:2020-07-03 06:43:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:CQpdNkesMa9uV8PnGvr2uVuSB8jLhw8wfDpvOd6VjJbjvfQj8c4QTh89b3nmeO:Ccde9uVQnCVVuSB8jLhw8sQdojXvbQTW
Threatray 5'163 similar samples on MalwareBazaar
TLSH A784D031625DBF98D1A8F674612212020C7A7D775613EB1E7C5F31EC18F2B848B66FA2
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: server.nova4x4.vn
Sending IP: 221.132.29.219
From: Joakim (MALIQUE CO LTD) <j.kim@malique.net>
Subject: Re: Purchase Order PO-4093021
Attachment: PURCHASE ORDER 4093021.gz (contains "PURCHASE ORDER 4093021.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18640/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-03 02:27:26 UTC
AV detection:
32 of 48 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cznaq2aukhwmplkyhwl3vs6ejgzbtj7khwvagvpsy56rted2dugq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0d567b16454b8c3be5e7dbc796bf7049c0eb18ba9a625d6b5f45eff7202aaf70
FormBook
22f4207de77f987b6791843539e25e05ff3f6c010e805330210399e23c323b87
FormBook
51d3cb67de439aca2814ae5eda56dc730fc590ed7353aba47febc451c740f501
FormBook
5767bcddaf9404e411f25e457d8af27eeefa15515f415e901b6e7412708e5209
FormBook
8509ca4c5f81525eb6f300294703c9c66af0369374bc064ac024c9dae62c7092
FormBook
b881e52663ba0b4af029f185d0ff8b16c7e77f253df90a489e46b67e44c3c20f
FormBook
c2d515e9dd5705196004ff3a32c774ac254b80d3fe97d6d8619c0468ef6ecabf
FormBook
ca3ab25a8c3213aa08113b09cc4b60df1d2c440aeb0e02c1e3bd192a57f86208
FormBook
d6330004986cb2968200bad58cb3f1135e2383d9bdf6894feff0f28f952f4c2b
FormBook
fff1c46e62b2f3a4e202e05aebfc1e7d72b8b3c540912fe18f4b97dc4ab50e55
FormBook
+ 5'153 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200703-hmccc28atj/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_formbook_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

gz f8dd3c1903608973a85d0fed82ec9129d1f0a248436a3fd60034f7183efc225f

FormBook

Executable exe 165a08681451ecc7ad583d97bacbc449b219a7ea3daa0355f2c77d19907a1d0d

(this sample)

  
Dropped by
MD5 e2163110827c07f756a123af277f9bbb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f8dd3c1903608973a85d0fed82ec9129d1f0a248436a3fd60034f7183efc225f
Cape
Cape
https://www.capesandbox.com/analysis/18640/

Comments