MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 286add28a79440668077a7d762ee81ee169f1c08daa27bc680dbf8c8832d2785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 286add28a79440668077a7d762ee81ee169f1c08daa27bc680dbf8c8832d2785
SHA3-384 hash: b157a9b460317f778cc1354f4455a9f44afd5bc87d7854fe1abeb79b643570b265c2f9cd048610ec874c55780424e398
SHA1 hash: 30afc80c7a9d14fb54cd799b2b2d552c9f2e138d
MD5 hash: 86bb43248e3ad56e9a839cc6c7b03282
humanhash: ohio-indigo-hamper-island
File name:Bank letter pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:347'136 bytes
First seen:2020-05-04 17:16:08 UTC
Last seen:2020-05-04 17:57:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:FqgeSLaMNtxmmOE0shTPuFFwjSBafCGEK+YfXYKpmJDGUYHtBeXqkGW:F93OElu3wuB83N8buBE
Threatray 5'102 similar samples on MalwareBazaar
TLSH 4374BFE429EA521DE27F9EF4BAE07091E76AE3737207E70A8D9102574E13B51CF4112B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: my.gt.com
Sending IP: 23.146.240.200
From: Charmane Koh <charmane.koh@my.gt.com>
Subject: REMITTANCE BANK LETTER
Attachment: Bank letter.img (contains "Bank letter pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.291.2545.12046.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-03 23:25:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbvn2kfhsragnadxu7lwf3ub5ylj6hai3krhxrua3p4mrazne6cq._file
Verdict:
malicious
Similar samples:
5dd8b3d4a4968fecce4bdee9ef9a29df44fa7ce4ad73002ba4dfc5ac14fa9c41
Formbook
a6009a6b0724811f3bb71fc6f0c6b3b1aad71448948175949c7eb8af82034e91
Formbook
b20e67792a0edf233f319f7af96f189451bb8cd4df24c93fcf0e586a473f552d
Formbook
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
Formbook
b3b093d992d26b0d21a61a778598abd5dd87649a89f724c2798f60f9dc19de1a
Formbook
c7949573443efdf9faf7bdd96422dd515bc3576d8fce3091776333047524d1a2
Formbook
ceee0c8772c6b5a2cff7d9f3bc824c088f3c7d034b9898c74f79e11b59210257
Formbook
e8edf009c1c82f348ad925f7f9a34b4f241d52240c6cb43ab4536c4b363d5322
Formbook
eca4673c4308cb6dfd3757fcda824d93b7076fa2b2e7b2912863cdc4cb3f422e
Formbook
f7111becb8c59613ae4843dd30281edfa7684a931100f18fe64f75364ed85bf3
Formbook
+ 5'092 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook evasion rat spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-5jjnscgwmx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Windows security modification
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Adds policy Run key to start application
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Formbook
Modifies Windows Defender Real-time Protection settings
Malware Config
C2 Extraction:
http://www.godhep.com/23v/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img a703fd2372483e4bbb75bc96dd4f0f95c489eede136451016106eb6c62636658

Formbook

Executable exe 286add28a79440668077a7d762ee81ee169f1c08daa27bc680dbf8c8832d2785

(this sample)

  
Dropped by
MD5 a1244ca67b926fae807a19950991128f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a703fd2372483e4bbb75bc96dd4f0f95c489eede136451016106eb6c62636658

Comments