MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234feef75ecf92d540072179eb153e188eb548237ca875ca54c9654c0dbb38fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 234feef75ecf92d540072179eb153e188eb548237ca875ca54c9654c0dbb38fa
SHA3-384 hash: 55a6b90af09d64108cb799d76c340d0d1a559b63b76cc4e46717901486771afec97f54b42859dfab273a9787b7958634
SHA1 hash: 8ce3ab4a5b0612092fdd4ff939c0a918795c0afc
MD5 hash: 67e248ab0ad66f52b97b3d65ae169a7b
humanhash: oklahoma-sink-eight-saturn
File name:order.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:310'272 bytes
First seen:2020-05-22 07:15:42 UTC
Last seen:2020-05-22 08:02:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bdd6da0cfc85ae3bc242c14502b5244a (2 x FormBook)
ssdeep 6144:h8Meu/5jhmOsY7me9qG269Nx81TXDzdke:v7gY7DFxMTzzdk
Threatray 5'114 similar samples on MalwareBazaar
TLSH 2264BD31E4682A6DC17FA1B57EC7CDFA8ECA40E3A06F4C19C15CC5A5C52C6C2C99B276
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: regular1.263xmail.com
Sending IP: 211.150.70.204
From: Munish Aggarwal <admin@yingshitech.com>
Subject: Purchase Order NORM-761-0
Attachment: order.rar (contains "order.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 07:33:24 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
29b04cd4f25b88b9f35f2e7a34569415b985677834d699255e417a0ed62d68a8
FormBook
436ee1bd9706512d8884d07a51f806155ca2d95b3a584ceb57a87260cf19690d
FormBook
440210947a4e6ccdc60e1447ee39bac99cb2e3806b3d5db06d5758cc4ac6cc50
FormBook
590fde182a154cd89b15d88546d60351b9fecb51e04fbbf4affd8d49a618bd23
FormBook
953a210d8cf8b14a042c8e655b497fa5623cc5e557cddc7c79a418fe826c5e2d
FormBook
9b2c6f08cd9a4e3b144422de4d540290542ce50239f2c85697a036a461b25264
FormBook
b042e4bdfe19df2aa474fd5e2294aecc9a07d447c96466db7a7e20316d885634
FormBook
c6bed06259f7c50c2b15e8161d5b1fa11690e69a7e5bb3261202debfb7d96708
FormBook
c7544c2d4180660fc3a96f3b66b5caa0e168dcfbb35a870f1c576a152ed62348
FormBook
d2a6e56b5ef7724907cceaf6ceb9da2a31012988169b8612248fd3b299e3d821
FormBook
+ 5'104 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/201109-2fymxv68xs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.chilogae.com/mw9/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 983e38f5438bb93ad4fcbc1bcc307d45df21be7455d9de041f9ec60edde169e6

FormBook

Executable exe 234feef75ecf92d540072179eb153e188eb548237ca875ca54c9654c0dbb38fa

(this sample)

  
Dropped by
MD5 474807f0d52565d59a61fe7ec2b167c5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 983e38f5438bb93ad4fcbc1bcc307d45df21be7455d9de041f9ec60edde169e6

Comments