MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35b0f0ea8e64564dacb06fb7c9c4816cbe2962e27c72e83b6cca54c92582a620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 35b0f0ea8e64564dacb06fb7c9c4816cbe2962e27c72e83b6cca54c92582a620
SHA3-384 hash: 66fd046c15d1216e8d79387ca695ecfd98b9526ed41f8f24f8c4fe1889cdf584e7dca90941d12cf314c5915d74f95432
SHA1 hash: dfe0df5a15ca5400f2c63e16ede906621778e968
MD5 hash: 36a98997a49aecb3bdb906085560ad8f
humanhash: jupiter-ceiling-skylark-bravo
File name: X4EbSoE9zyT73W8.exe
Signature: Formbook
File size: 310'784 bytes
First seen: 2020-06-30 06:04:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:EuiwYkFScSegKdu2tEvnh4iu2fFyonh0HN0sDYchH+ryje:EuiwYkf9ru2Ovh4iu2fFyoEasDYyH+rZ
TLSH: 1264017533A90B2ADAFE8BF069B050540FF9B1077621D36CAE8054CE1673B959A32F53
Reporter: @abuse_ch
Tags: exe FormBook
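The hashes above are the indicators most people take from this entry. The script below is an added example, not MalwareBazaar tooling: it streams a file through the four digests the Python standard library can compute (MD5, SHA1, SHA256, SHA3-384) in a single read and reports which of this entry's hashes match. imphash, ssdeep and TLSH are deliberately left out because they need third-party libraries (pefile, ssdeep, py-tlsh). The function names and the test bytes are mine; the bytes are constructed for the demonstration and are not the sample.

```python
"""Match a file against the hash IOCs of this MalwareBazaar entry.

Added example, not MalwareBazaar's own code. Only standard-library
digests are checked; imphash/ssdeep/TLSH are omitted (third-party libs).
"""
import hashlib
from typing import Dict, List

# IOC hashes copied from the entry above (lowercase hex).
FORMBOOK_IOCS: Dict[str, str] = {
    "md5": "36a98997a49aecb3bdb906085560ad8f",
    "sha1": "dfe0df5a15ca5400f2c63e16ede906621778e968",
    "sha256": "35b0f0ea8e64564dacb06fb7c9c4816cbe2962e27c72e83b6cca54c92582a620",
    "sha3_384": "66fd046c15d1216e8d79387ca695ecfd98b9526ed41f8f24f8c4fe1889cdf584e"
                "7dca90941d12cf314c5915d74f95432",
}

# hashlib algorithm names; sha3_384 is available since Python 3.6.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return all four digests of an in-memory buffer as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file once and feed every hasher from the same chunks.

    Large samples are hashed without loading them fully into memory.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def match_iocs(digests: Dict[str, str], iocs: Dict[str, str]) -> List[str]:
    """Return the algorithm names whose digest equals the IOC value.

    Comparison is case-insensitive because feeds mix upper- and lower-case
    hex. An empty list means nothing in the IOC set matched.
    """
    return [name for name, value in iocs.items()
            if name in digests and digests[name].lower() == value.lower()]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        digests = hash_file(sys.argv[1])
    else:
        # Constructed test bytes, not the malware: will not match.
        digests = hash_bytes(b"MZ constructed test bytes\n")
    hits = match_iocs(digests, FORMBOOK_IOCS)
    print("match on: " + ", ".join(hits) if hits else "no match")
```

Run it with a path to check a quarantined file; without arguments it hashes the constructed bytes and reports no match. A hit on any one algorithm is enough to confirm identity, but a miss on all four says nothing about a repacked build of the same family, which is why the entry also carries fuzzy hashes (ssdeep, TLSH) and YARA rules.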


Twitter
@abuse_ch
Malspam distributing Formbook:

HELO: minhhavn.com
Sending IP: 162.250.125.120
From: legalteam@teamperuviancargo.com
Subject: Fw:Re:8510369204396A
Attachment: PO8510369204396A.img.iso (contains "X4EbSoE9zyT73W8.exe")
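The report above gives the shape of the delivery: an ISO disk image with a double extension carrying the executable, sent from a HELO domain unrelated to the From address. The script below is an added example, not abuse.ch tooling, showing how a mail gateway could flag those three traits before the attachment reaches a user. It constructs a message with the same headers as the report (the attachment body is dummy bytes, not the real ISO); the extension policy list, function names and scoring are my assumptions.

```python
"""Flag a malspam message with the traits shown in the abuse.ch report.

Added example, not abuse.ch code. Checks applied to each message:
  1. disk-image attachment (.iso/.img ...): the executable sits inside the
     image, so a plain ".exe" attachment filter never sees it;
  2. double extension such as ".img.iso";
  3. SMTP HELO domain that does not match the From domain.
"""
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Assumed gateway policy: extensions treated as disk images.
DISK_IMAGE_EXT = {".iso", ".img", ".vhd", ".vhdx"}


def attachment_names(msg: EmailMessage) -> List[str]:
    """File names of all attachment parts (parts without a name are skipped)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header, or '' if none."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def classify(msg: EmailMessage, helo: str) -> Dict[str, object]:
    """Return {'score': n, 'findings': [...]} where score counts triggered checks."""
    findings: List[str] = []
    for name in attachment_names(msg):
        exts = name.lower().split(".")[1:]          # ['img', 'iso'] for the report's file
        if exts and "." + exts[-1] in DISK_IMAGE_EXT:
            findings.append(f"disk image attachment: {name}")
        if len(exts) >= 2:
            findings.append(f"double extension: {name}")
    from_domain = domain_of(str(msg["From"] or ""))
    helo = helo.lower()
    if from_domain and helo != from_domain and not helo.endswith("." + from_domain):
        findings.append(f"HELO {helo} does not match From domain {from_domain}")
    return {"score": len(findings), "findings": findings}


def build_sample() -> EmailMessage:
    """Constructed message mirroring the report's headers; payload is dummy bytes."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "legalteam@teamperuviancargo.com"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Fw:Re:8510369204396A"
    msg.set_content("Please see the attached purchase order.")
    msg.add_attachment(b"\x00" * 64, maintype="application",
                       subtype="x-iso9660-image",
                       filename="PO8510369204396A.img.iso")
    return msg


SAMPLE_HELO = "minhhavn.com"  # HELO from the report; sending IP 162.250.125.120

if __name__ == "__main__":
    result = classify(build_sample(), SAMPLE_HELO)
    print(f"score {result['score']}")
    for finding in result["findings"]:
        print("-", finding)
```

The double-extension check is deliberately blunt (it also fires on `archive.tar.gz`), so in a real gateway it is a scoring signal rather than a block on its own; the disk-image check is the one worth blocking on for most organisations, since few business senders ship ISO files by mail.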

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 38
Origin country: FR

CAPE Sandbox
Detection: Formbook
Link: https://www.capesandbox.com/analysis/16795/

ClamAV
Detection: SecuriteInfo.com.Generic-EXE.UNOFFICIAL

CERT.PL MWDB
Detection: formbook
Link: https://mwdb.cert.pl/sample/35b0f0ea8e64564dacb06fb7c9c4816cbe2962e27c72e83b6cca54c92582a620/

ReversingLabs
Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Androm
First seen: 2020-06-30 06:05:12 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 2/5

Spamhaus Hash Blocklist
Status: Malicious file

Hatching Triage
Score: 7/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-eltcnce94a/
Tags: spyware persistence

VirusTotal
VirusTotal results: 11.27%

Yara Signatures


Rule name: Formbook
Author: JPCERT/CC Incident Response Group
Description: detect Formbook in memory
Reference: internal research

Rule name: win_formbook_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_formbook_g0
Author: Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Relationship tree:
MD5 aab6d089447ec950a5645c754260bf26 (parent)
  └ Formbook, Executable exe, SHA256 35b0f0ea8e64564dacb06fb7c9c4816cbe2962e27c72e83b6cca54c92582a620 (this sample)

Dropped by: MD5 aab6d089447ec950a5645c754260bf26
Delivery method: Distributed via e-mail attachment

Comments