MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


FormBook


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662
SHA3-384 hash: 3b5b9f44621216355d0da6a22fbcd17b06d282f4cb05c4d1d3651f76796c89a60d979bbdd1330c23b807e130da77e64f
SHA1 hash: 5fb95f1577c4d4c810a2a663db4a87704031126e
MD5 hash: 6bd95e18dbd55ab2bb32d2bdef0c88e6
humanhash: undress-king-maryland-echo
File name:ORDER INQUIRY.exe
Download: download sample
Signature FormBook
Create hunting rule
File size:286'208 bytes
First seen:2020-05-25 08:35:49 UTC
Last seen:2020-05-25 10:17:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:6xN4XM9814auafnQoZiB4XnMKHOA5B4pWblfU+pzViDOKeU:6xl9e4i/Qoiyo4NzViyKeU
Threatray 5'183 similar samples on MalwareBazaar
TLSH F754014033F497AED1BEABF5485224012BF3B29B3619C30EDDC624EA1567F844994F97
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing FormBook:

HELO: qualitech-solutions.cam
Sending IP: 111.90.140.145
From: SAMIULLA NAKWA <s.nakwa@qualitech-solutions.cam>
Subject: URGENT ORDER INQUIRY
Attachment: ORDER INQUIRY.rar (contains "ORDER INQUIRY.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.49554.16116.1581.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 09:52:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
1feab92e184b7440b336c41a703beb4fa4be5cdca014c8b7ac5cfa6b408eb2a7
FormBook
31d1428b910df6a6b0bc62b597f5c4c88514cba2ecd8c8fd28410ab97952b7cc
FormBook
6012fb54cc0a67842710e7189ebfa42c27d30f18a604fbb4122734fb23b7accd
FormBook
7f30518d5d377a5daabfdf24a509e35c46b04f951500fec7a78e84724c4cdbc4
FormBook
accddeb954844341b87c006344f21c50757cd228d2f071d39e8707209b1a49f9
FormBook
ba9fbfd1eecd1879588201af8b4498bcef57e8950286170dbb0c7c5b7ded6a17
FormBook
ca6c6262134182f4bc6367855eaf6a390bf9f3a1b95e7238f3480dfe8baf50db
FormBook
e3f68e3679fc2ab587e712ce137e107318ebaa6bd5e724a76200bb10c945312b
FormBook
e75e9eb97fb635737341ed9fcfd25471fdd9889e75305bbb6b32bbee19b32d52
FormBook
f34f4e3d8e9c1ec1d066d75d07f3d93c70931d6a54d736dc12f83b8277db2557
FormBook
+ 5'173 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook coreentity rat rezer0 spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-9kpvg68k6x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Adds policy Run key to start application
Formbook Payload
rezer0
CoreEntity .NET Packer
Formbook
Malware Config
C2 Extraction:
http://www.nyoxibwer.com/20w/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

FormBook

rar 29a2494b73b9775e4dbaa708d8584f1ce1e6aae6c49d5589b18dbe066e4cb708

FormBook

Executable exe 27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662

(this sample)

  
Dropped by
MD5 753f76dc719b6be39f1cf6ff22dd210f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 29a2494b73b9775e4dbaa708d8584f1ce1e6aae6c49d5589b18dbe066e4cb708

Comments