MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d24189fffd0bdcb0395a3670721f29f37d08bd80565471db28d45ac36b2cbc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d24189fffd0bdcb0395a3670721f29f37d08bd80565471db28d45ac36b2cbc9
SHA3-384 hash: 5900d8a26a00e4b837c2459fc5fcdbd29a61ca5592206fee77195e2d54f974cad77a962b78179f91cc3619bf52a50685
SHA1 hash: e677d909385382b9052fc3d7c7bc8b892d3966e2
MD5 hash: 6df8d60dd8a8848681698ca450ab8481
humanhash: uniform-bluebird-missouri-friend
File name:MV TBN SPEC-VSL PARTICULAR -DOCX.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:632'832 bytes
First seen:2020-05-08 05:20:47 UTC
Last seen:2020-05-08 13:03:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b7e3cbe91e6d6f699432fd076c24f47 (9 x AgentTesla, 1 x FormBook)
ssdeep 12288:rxUyU/d2RnM6P869R128uba6iqjat//ceMly7OgOtMfH6c4UbZMM:rx362S6P8623sDt/hXitMP4UbZMM
Threatray 4'548 similar samples on MalwareBazaar
TLSH FCD4AE22F3B18837C2631638DC4B56659F3BBD512E3868863BE81D4C5F397823969397
Reporter jarumlus
Tags:FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Adware.Generic4.AANW.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Hploki
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 01:02:00 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
20 of 30 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dusbrh772c64wa4vuntqoipst435bc6yavsuohnsrvc2ynvszpeq._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
040e2a7b73768aea00579bd04fa834afa4b33966459c4c9d4c4cddfb7cffe8c0
FormBook
1c7388bfdfb41e34dc95423b351d3b18d737889d9f8648da0ce24048d6e2f495
FormBook
1d26a5cf8e279ddaa3ad924224219b550f7d431e8d6adbcb7bd36c01d4eae2d9
FormBook
2fdb0d7b083751a10db872738e974f869b99f2ca21891a5fb96bc9440f827ffb
FormBook
3f256c15a96f8f556978318a55308e3ef709f29d93a18d0c2d262f305477cfb2
FormBook
490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd
FormBook
5ef5d6bc0c7af14274c71cdc4377785a79143786556262137f496a94170ac56b
FormBook
811b6950ba9561169b22ccfc12daf0fc57f26a910272f56288bd0d7c10da5c15
FormBook
bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a
FormBook
c303fb93eba5623184f5bfb8fefbea2458e25ead795e6d5c5d5e78e921c6490e
FormBook
+ 4'538 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-r1ne1gxnsx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/hm2/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

zip c292ebf9b397158c6d5c4cd26157cf0dbf80dc8951919804fcb5e32e3ec95a79

FormBook

Executable exe 1d24189fffd0bdcb0395a3670721f29f37d08bd80565471db28d45ac36b2cbc9

(this sample)

  
Dropped by
MD5 a936fdb779ff6eb8694d7872de53a354
  
Dropped by
SHA256 c292ebf9b397158c6d5c4cd26157cf0dbf80dc8951919804fcb5e32e3ec95a79
  
Dropped by
FormBook
  
Delivery method
Distributed via e-mail attachment

Comments