MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26ab418898511e23428738e2ffec693856268e683f2db04b9f243420cb40d889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26ab418898511e23428738e2ffec693856268e683f2db04b9f243420cb40d889
SHA3-384 hash: c96cf133894dd64f3baa006ba167697c5b5d4765054e250675654be9ed3a8b53bb84a65f48174fbd6373b6ec78d1462f
SHA1 hash: d03dc1ea86cabb94d8d83e73ecf4c21298d1ca79
MD5 hash: e15681221e5dc6544983feda0419086a
humanhash: pizza-high-magazine-lake
File name:P.ORDER.210520.doc
Download: download sample
Signature FormBook
Create hunting rule
File size:18'606 bytes
First seen:2020-05-21 07:35:53 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 384:/imtnLzcjSKqLlC78OVrbXvfQ1pLb1zAHf8:/L3c9q68kLY1FpA/8
TLSH 0A82BF71D844B525EBA3C23864BC46E2F5C80195FB83A6EB685877DC4780AD70B52B4B
Reporter abuse_ch
Tags:doc FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: vps.brightway919.com
Sending IP: 103.233.0.2
From: Brightway Trading Services <inquiry@bujan.com.ar>
Reply-To: sales@brightway919.com
Subject: REMITTANCE REVIEW FOR redacted@threatwave.com
Attachment: P.ORDER.210520.Z (contains "P.ORDER.210520.doc")

FormBook payload URL:
https://brightway919.com/order/21.05.20.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBA.BladabindiDldr.1.Gen.28461.5895.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Document-Word.Downloader.Obfuse
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 21:05:23 UTC
AV detection:
15 of 30 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2vudceykepcgquhhdrp73djhblcndtih4w3as47eq2cbs2a3ceq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-lgj4zcqf4n/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Blacklisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

z 8f8690d427a33b78ff4f6b894ec82a2eae8ab92f6af1d7af9998b635d7fc2e15

FormBook

Word file doc 26ab418898511e23428738e2ffec693856268e683f2db04b9f243420cb40d889

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/365979/
  
Dropped by
MD5 037430e1c587651fd2b58e81afb10351
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8f8690d427a33b78ff4f6b894ec82a2eae8ab92f6af1d7af9998b635d7fc2e15

Comments