MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1be61c2f6e006dc35f4d81b2797d967d2a4ff04f854679d334abf13ceec8c508. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	1be61c2f6e006dc35f4d81b2797d967d2a4ff04f854679d334abf13ceec8c508
SHA3-384 hash:	12552bba24faf0868f62d6467a18cb6191dbd15f7a823477f0f890befa866fae40621c3890aca3b5f3a74be1052fdb44
SHA1 hash:	83354f5b874a5fdf780a7b836ce9c070f17e01a5
MD5 hash:	107aea291925310a422d35024f8a2c79
humanhash:	autumn-solar-princess-river
File name:	Order 1.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	327'680 bytes
First seen:	2020-05-26 08:14:08 UTC
Last seen:	2020-05-26 08:16:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	025dfd9775e9f374b8320b687fe4b979 (6 x FormBook)
ssdeep	6144:iGl1k3E9e/sj8/cdbnklRkZMGBcjXy1/8XDzdkD:ih3X/08UdbnklRfEcjXyd8zzdkD
Threatray	5'094 similar samples on MalwareBazaar
TLSH	1164BF22E9288A3CC93F54B67DC7CDA6CDD649E3105F5CA6D658C522C92CBC25C9323B
Reporter	abuse_ch
Tags:	exe FormBook geo THA

abuse_ch

Malspam distributing Formbook:

HELO: joister.net
Sending IP: 103.2.236.240
From: aftab@joister.net
Subject: โปรดดูคำสั่งของเราและเสนอราคา
Attachment: Order 1.exe

Intelligence

File Origin

# of uploads :

2

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Noon

Status:

Malicious

First seen:

2020-05-26 05:08:00 UTC

File Type:

PE (Exe)

Extracted files:

7

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Verdict:

malicious

Label(s):

trickbot

emotet

Similar samples:

006bb451c7207fa375e67a1684a97136a46beea1ff74e193eb4bbf6665a0ec9b

179043e8eb7c06144c67f58b2c2900ad10303862c0e5cd7e1fe5a4faf853f103

1acd132956421229e7c8fabb1001381956ff135d042b339f2871763498896d9e

51f4e86285f8cb8a14a0d456beed9f15882e4ec7813bc24ff4c20a2389d1ccd0

52f217cdebe83217297bedc352fac2e475e293e6cad52a1335b3641eeb8c412b

6dcf4557563343e881daf4b7d7b01e372457cee637ac001a1102a2e67a69cbf8

72c019880ad2656f877ae76590ac447287c3ce5805e91097316fdc1e5b6645f2

9daa8e87928b88143b9482b989764524754c86d142027ccaad1fc452f52c1765

9e594cbc1aeadc0f9cf66b2af98f4f4ace29deaccd67529cd3da1d44e2d50ccf

d4405060b30fab298c2747fc58ec301dfa160be2df3e335a78900fac044a2493

+ 5'084 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook rat spyware stealer trojan

Link:

https://tria.ge/reports/201109-6ch74vfkdx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

Malware Config

C2 Extraction:

http://www.binzom.com/uw7/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 1be61c2f6e006dc35f4d81b2797d967d2a4ff04f854679d334abf13ceec8c508

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample