MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c22bad3a6eb408ec1f4d6ef50b04e2294a77979abc411f9dbb752e2b495345b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c22bad3a6eb408ec1f4d6ef50b04e2294a77979abc411f9dbb752e2b495345b
SHA3-384 hash: a1ea10528def784c731abd2613916fcb28f91d6333d24cbde969acb879e53dc11563b585ceab4169bc37ffa88add89a3
SHA1 hash: 03b3d3d673686f0bd4316bd99c0a135e6e3250ba
MD5 hash: 9eda8430e6bf0bab3f1e7134b584cd1b
humanhash: steak-magnesium-purple-montana
File name:SMT20200616.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:318'976 bytes
First seen:2020-06-16 11:35:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:/n7X5LK4TU1QVRgzCLZClqpycn18qdfkR/TwE4GB/DxYtMzD/1:/n7k4TUs11Clql1BfkFk4NE+D/1
Threatray 4'835 similar samples on MalwareBazaar
TLSH 4B64011DB79C6726DA7D02BE94F1252503F4A9926523F70A7DC034BE2CA37F80617A63
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mail0.198.dinogretchimv.store
Sending IP: 159.89.160.185
From: sales@neileshcorp.solutoins
Subject: ADNOC RFQ 97571784 - Products Supplies Needed
Attachment: SMT20200616.img (contains "SMT20200616.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10941/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.16372.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 11:23:49 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqrlvu5g5nai5qpu23xvbmcoekkko6lzvpcbd6o3w5jofnevgrnq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
0a06767c6ec2249902ef118e04b2044b9784b544b81a7f5e253ae373fd706ceb
FormBook
112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818
FormBook
3f86f49f3c2e3583c70385971bdba545c85d8f2d66f8923bf446dde88be3afc0
FormBook
498fbde70a7375ef095b51ad4ad72798d26a2d28dd82e155e9afc31e95773bea
FormBook
50a183b6130552c9a7613ec0f2d81eba5731d4166e92d5249c2ab81e32d4026d
FormBook
6f827b68129d30609057c2e6b36be05649fce91d6bc8ee3d3566ca5c6aba562b
FormBook
846da150185354155686d4f5d45ed5d0791cb8a97769e73e38a33c4d43c75db3
FormBook
9295ce88660ed117b7cfff0886232a51dc6492bf6100738957bf93fabdb74bb8
FormBook
a9a10a5cfb720d6df49e94b12a37d5a8c5c463381b319c6f18b94cf282e2021a
FormBook
ca1a1e6067f0780b53d1863908555e55ad98c42d8af34d00be76f656d2d9a2fe
FormBook
+ 4'825 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200624-jt5swzjcqn/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
System policy modification
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 6a4480f8b28cc03dd17ca01eb614f6e0979b666bdf232d5f952daebf968d40a4

FormBook

Executable exe 1c22bad3a6eb408ec1f4d6ef50b04e2294a77979abc411f9dbb752e2b495345b

(this sample)

  
Dropped by
MD5 1c71cfeafea353b7129770c0ae8d01e9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6a4480f8b28cc03dd17ca01eb614f6e0979b666bdf232d5f952daebf968d40a4
Cape
Cape
https://www.capesandbox.com/analysis/10941/

Comments