MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff5f726080125732c91296d7bce8b496e5d50d2fb8b3d028f0f41990565015e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook
Vendor detections: 5



SHA256 hash: 2ff5f726080125732c91296d7bce8b496e5d50d2fb8b3d028f0f41990565015e
SHA3-384 hash: 06ea0a42e9ba6884c52069dacd81dd488a1076db49a7ac4681b177a414518d9fda7180ba33f9f772d4cdd17c9e59d7af
SHA1 hash: eed7b67d76a6083ef7e22779ebc6ba221c187e40
MD5 hash: 0b746a562bc4038bd7704abe73b27e02
humanhash: glucose-missouri-zebra-island
File name: Your orders.exe
Signature: FormBook
File size: 351'744 bytes
First seen: 2020-06-16 11:26:20 UTC
Last seen: 2020-06-16 12:14:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger). Note that this is the imphash shared by practically every .NET executable, whose native import table holds only mscoree.dll!_CorExeMain; it identifies the runtime rather than the family and is not a useful pivot on its own.
ssdeep: 6144:3XbfsP81iq9GMDP03j5OUqTf6/gwUPJRCzZ1rdFhZGmdLBLK4fChYumjVgeiQV0m:3XbfsE1iqdDP85OU+ySPJozZ1dFhAmdF
Threatray: 5'186 similar samples on MalwareBazaar
TLSH: BB74BF2C06E87A1BC67E837FD2A5010C52D7D1761B87E78D890A60FA1E1F35BF56224B
Reporter: abuse_ch
Tags: exe FormBook
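Before doing anything with a downloaded sample, confirm that the bytes on disk are the ones this entry describes. The script below is an added example (not MalwareBazaar tooling) that recomputes the four digests and the file size listed above with the standard library and reports each comparison separately, so a truncated or wrong download is visible at a glance. The sample itself is not embedded; the path is taken from the command line. ssdeep and TLSH are not in the standard library and are left out here.

```python
import hashlib
import sys
from typing import Dict, Iterable, Optional

# Digests and size transcribed from the MalwareBazaar entry above. The sample
# itself is not embedded here: fetch it from MalwareBazaar and pass its path.
ENTRY = {
    "sha256": "2ff5f726080125732c91296d7bce8b496e5d50d2fb8b3d028f0f41990565015e",
    "sha3_384": "06ea0a42e9ba6884c52069dacd81dd488a1076db49a7ac4681b177a414518d9fda7180ba33f9f772d4cdd17c9e59d7af",
    "sha1": "eed7b67d76a6083ef7e22779ebc6ba221c187e40",
    "md5": "0b746a562bc4038bd7704abe73b27e02",
}
ENTRY_SIZE = 351744


def digests(data: bytes, names: Iterable[str]) -> Dict[str, str]:
    """Compute the named hashlib digests of data (names are hashlib names)."""
    return {name: hashlib.new(name, data).hexdigest() for name in names}


def verify_sample(data: bytes, expected: Dict[str, str],
                  expected_size: Optional[int] = None) -> Dict[str, bool]:
    """Compare data against expected hex digests (any case) and optional size.

    One boolean per algorithm, plus "size" when a size was given, so the
    caller sees which value disagrees: a truncated download fails every
    digest and the size, a typo in one hash fails only that one.
    """
    actual = digests(data, expected)
    result = {name: actual[name] == expected[name].lower() for name in expected}
    if expected_size is not None:
        result["size"] = len(data) == expected_size
    return result


def verify_file(path: str) -> Dict[str, bool]:
    """Verify the file at path against this entry's digests and size."""
    with open(path, "rb") as fh:
        return verify_sample(fh.read(), ENTRY, ENTRY_SIZE)


if __name__ == "__main__":
    checks = verify_file(sys.argv[1])
    for name, ok in checks.items():
        print(f"{name:9s} {'ok' if ok else 'MISMATCH'}")
    sys.exit(0 if all(checks.values()) else 1)
```

Keep the SHA256 as the identifier when you refer to the sample elsewhere; MD5 and SHA1 are listed for matching older feeds, not because they are trustworthy identifiers.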


abuse_ch
Malspam distributing FormBook:

HELO: qproxy6-pub.mail.unifiedlayer.com
Sending IP: 69.89.23.12
From: vnexp.query@dhl.com
Subject: Your order has been received
Attachment: Respirator mask.img (contains "Your orders.exe")
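The indicators in the note above (HELO, sending IP, spoofed DHL sender, subject and the .img attachment wrapping the EXE) are the kind of thing a mail-gateway or SOC rule checks for. The script below is an added example, not abuse.ch or MalwareBazaar code: it parses a raw message with the standard library, matches each header and attachment name against those indicators, and adds two generic checks that catch this campaign's pattern beyond the exact values: a disk-image attachment (.img/.iso/.vhd/.vhdx, an assumed list) and a From: domain that shares nothing with the HELO of the hop that delivered the mail (dhl.com vs unifiedlayer.com here). The "from <helo> ([<ip>])" Received layout is an assumption; real headers vary. The sample message is constructed for the example and its attachment body is three placeholder bytes, not the real payload.

```python
import email
import email.utils
import os
import re
from email import policy
from typing import List

# Indicators transcribed from the abuse.ch malspam note on this entry.
IOC_HELO = {"qproxy6-pub.mail.unifiedlayer.com"}
IOC_SENDING_IP = {"69.89.23.12"}
IOC_FROM = {"vnexp.query@dhl.com"}
IOC_SUBJECT = {"your order has been received"}
IOC_ATTACHMENT = {"respirator mask.img", "your orders.exe"}
# Assumed list of disk-image containers used to wrap an EXE past filters.
CONTAINER_EXT = {".img", ".iso", ".vhd", ".vhdx"}

# Assumed Received-header layout "from <helo> (... [<ip>])"; real headers vary.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(.*?\[(?P<ip>[0-9A-Fa-f.:]+)\]", re.S)

# Constructed message modelled on the note above (attachment body is a placeholder).
RAW_MAIL = b"""Received: from qproxy6-pub.mail.unifiedlayer.com ([69.89.23.12])
    by mx.example.invalid with ESMTP; Tue, 16 Jun 2020 11:20:00 +0000
From: "DHL Express" <vnexp.query@dhl.com>
To: victim@example.invalid
Subject: Your order has been received
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find your order attached.

--b1
Content-Type: application/octet-stream; name="Respirator mask.img"
Content-Disposition: attachment; filename="Respirator mask.img"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def analyse(raw: bytes) -> List[str]:
    """Return sorted, de-duplicated findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()

    # Every Received hop is checked; the last header is the hop nearest the sender.
    helos = []
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(received))
        if not m:
            continue
        helo, ip = m.group("helo").lower().rstrip("."), m.group("ip")
        helos.append(helo)
        if helo in IOC_HELO:
            findings.add(f"helo-ioc:{helo}")
        if ip in IOC_SENDING_IP:
            findings.add(f"ip-ioc:{ip}")

    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in IOC_FROM:
        findings.add(f"from-ioc:{sender}")
    # Heuristic only: legitimate third-party mailers trip this too.
    if sender and helos:
        domain = sender.rsplit("@", 1)[-1]
        first_hop = helos[-1]
        if first_hop != domain and not first_hop.endswith("." + domain):
            findings.add(f"sender-domain-mismatch:{domain}<>{first_hop}")

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in IOC_SUBJECT:
        findings.add(f"subject-ioc:{subject}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        if name in IOC_ATTACHMENT:
            findings.add(f"attachment-ioc:{name}")
        if os.path.splitext(name)[1] in CONTAINER_EXT:
            findings.add(f"container-attachment:{name}")

    return sorted(findings)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else RAW_MAIL
    for finding in analyse(data) or ["no findings"]:
        print(finding)
```

The exact-match indicators age quickly (the sending host and subject change with every campaign); the container-attachment and sender/HELO mismatch checks are the ones worth keeping as standing rules, with an allow-list for mailers your organisation legitimately receives from.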

Intelligence


File Origin
# of uploads: 2
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-06-16 11:28:06 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: evasion trojan persistence spyware
Behaviour
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Maps connected drives based on registry
Reads user/profile data of web browsers
Deletes itself
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: FormBook
File: Executable exe 2ff5f726080125732c91296d7bce8b496e5d50d2fb8b3d028f0f41990565015e (this sample)

Delivery method
Distributed via e-mail attachment