MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fa61bb029466f4fe3ed9385994dcaed8b25715931e460f9b4db88ec155ec6a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fa61bb029466f4fe3ed9385994dcaed8b25715931e460f9b4db88ec155ec6a3
SHA3-384 hash: 01f892c97646b838b5000f9085c341238ddec3a7b9259504aa8266a63db72eb06c69ceaa15f34edb9ab5c274ef54452a
SHA1 hash: 68d4ae01ba1fe5af81b634cb569e2062a11b305e
MD5 hash: 0efca6807eac19cadeb17ec53e9c7cd8
humanhash: high-venus-skylark-charlie
File name:Scan_07062020.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:343'552 bytes
First seen:2020-06-08 05:53:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:FDFIP2Drcc37/teKsq4VH7NREnP/WS7dfqFFC2WNYEZ:FDH/ELqs/EvqFFbjEZ
Threatray 5'309 similar samples on MalwareBazaar
TLSH 6D74025627AD4723E93D4BF590BA540113B22E17767AF71F4DC2B0CA1AF7B008A61B27
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: mout.perfora.net
Sending IP: 74.208.4.194
From: Darin Wang <darin@interstatebatteriestampa.com>
Reply-To: Darin Wang <darin@interstatebatteriestampa.com>
Subject: 回覆: Order 05062020
Attachment: Scan_07062020.img (contains "Scan_07062020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.67676.5636.8613.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 01:54:31 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6tbxmbjizxu7y7nsoczstok5wfsk4kzghsgb6nu3oeoyfk6y2rq._file
Verdict:
malicious
Similar samples:
474cad642b1cf88f8d7f922cbfd9b8a00d7fc0eb40cafc0877007ee2884f105f
FormBook
55b3e07647dc14ce27a256bce50140daccd1dcbd05e7d26b516a2a31abd5d9f7
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
6b307cbe4f1e8d769af95142d574e77a50654e25cce234f48da6c5e7a7aa4b99
FormBook
7c479cfb9c3df15b565e16fc62709d8af849773c5112b53bf4d41f939219d6d8
FormBook
7d667845924245b2c6acee25a643afab5ad0a822614574c93cbf19ff0bb4f8c4
FormBook
80d185a291cf5c72cf84c63a49ade7e9d7363a3721aa2967c9d143c7d29fa03d
FormBook
972dbabdb87df7e564d3b5162d94d22ccb326a6f6d2150f3a9b29bc32e8feb32
FormBook
c8106842608e4f4300a6fe2f369914e6ff67013c4c66edf42a0b54bdd55f5c91
FormBook
e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
FormBook
+ 5'299 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-k4ryemskte/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Deletes itself
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
ServiceHost packer
Formbook
Malware Config
C2 Extraction:
http://www.norjax.com/hxb/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

img 9fc20db3883397078550fb9fffa6eb350e31cc95cb1916bf69290fc63bc0a629

FormBook

Executable exe 1fa61bb029466f4fe3ed9385994dcaed8b25715931e460f9b4db88ec155ec6a3

(this sample)

  
Dropped by
MD5 ca3310dd9ee719ba1ff2eb5f9f49cb53
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9fc20db3883397078550fb9fffa6eb350e31cc95cb1916bf69290fc63bc0a629

Comments