MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33bba4987ed156603ef0d3d38b149b2f3d0bed4d52adf5615a6d19013cb7a94e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33bba4987ed156603ef0d3d38b149b2f3d0bed4d52adf5615a6d19013cb7a94e
SHA3-384 hash: c64ff12461ca5a8ccc9338e86990e0f28b2d743c267b4559b55e9518af2fdce3b44bb027d8fb22bfb97cf1844891273b
SHA1 hash: e0cf2fb1fe5d122a4068585bbcf19e8f4e15a92d
MD5 hash: 1a27bd69479dc1aae06fbf6b7e4ef314
humanhash: crazy-uncle-yellow-fifteen
File name:Purchase order 104765.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'248'768 bytes
First seen:2020-08-18 06:27:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:HjiiOckKYf/h1F7O4scGUOXuHT02FlPNXnDjNgwXV:HjixPJ1pjscbMc7jFXDj2
Threatray 2'250 similar samples on MalwareBazaar
TLSH 3245CFC2D34CBDA9D1AE03B7A8758C161772EE59D0B9A35A18CDB0356AF33432C97C19
Reporter abuse_ch
Tags:exe FormBook Hostwinds


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-760083.hostwindsdns.com
Sending IP: 104.168.214.40
From: Purchasing <info@bimo-idea.co>
Subject: Purchase order 104765
Attachment: Purchase order 104765 .... (contains "Purchase order 104765.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47531/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33bba4987ed156603ef0d3d38b149b2f3d0bed4d52adf5615a6d19013cb7a94e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 06:29:10 UTC
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=go52jgd62flgapxq2pjywfe3f46qx3knkkw7kyk2numqcpfxvfha._file
Verdict:
malicious
Similar samples:
1ac4a08fcc4a51a5146f78e1b97269096b1149aa099d2ba72bf6d95144d67bdd
Formbook
1e3003997089d725802aea73f61a35f7a568c05b16251e2d93ea8a3f8973b1d3
Formbook
3640e0bfb26ad5e7cf64e2b1b927031f49b84c1dab0e4460b18de6e57904ff7e
Formbook
a05343f785c283336d5b9eea06c3827209ecd87b6f6bdc9f32f9675a2b4c3e8b
Formbook
a7ef4ee04196bec21da515066ffd2c59a040e0004f0c69fb046347f574998db4
Formbook
b283242e8ae83c1b2136090df9d70d06e328ee7116186667ed766d87f468da93
Formbook
b860c68b8a4ca548c005de132b6b2870a43baab32df04c32588d70da1ae47b6e
Formbook
b8d1d962744d0c6ab3abe293c4671b3ba6524f623f9d6f02361bc60eec7b4cb4
Formbook
e2d8bfec4161287caf4f118ec66daaceb71c6fdda1b4aa16f8810f8a66f59013
Formbook
e2ff7c5e749d36ebfcc2a9d5af487369e454ef301a859eb8fc11ebe15ea73e34
Formbook
+ 2'240 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
rat trojan spyware stealer family:formbook persistence
Link:
https://tria.ge/reports/200818-wlh9l6b2aj/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.chemoly.com/by7/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar de9d2d9412783fcc8a3b6f99e4de5e03571dd2d8daaf41a8bcf380369ca7784b

Formbook

Executable exe 33bba4987ed156603ef0d3d38b149b2f3d0bed4d52adf5615a6d19013cb7a94e

(this sample)

  
Dropped by
MD5 058a2e17928c4143c721d0e0babc8e56
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47531/
  
Dropped by
SHA256 de9d2d9412783fcc8a3b6f99e4de5e03571dd2d8daaf41a8bcf380369ca7784b

Comments